Everyone has their own reasons for wanting to use a secure messaging service. Perhaps the biggest is a basic desire for privacy. After all, why should your private messages be shared with a myriad of third parties, including various tech companies and their government partners?
Today we’re going to talk about Wickr Me, a version of Wickr that gives individuals free, secure, anonymous messaging capabilities. We’ll look at both desktop and mobile versions and see how it is similar to and different from other secure messengers we’ve tested. By the end of this article, I think you’ll agree with me that this is definitely a product to consider when you are looking for a good secure messaging app.
Wickr Me basics
Wickr Me offers pretty much everything you could ask for in a secure personal messenger. You can register anonymously, something that is rare in the space. The app provides client-side end-to-end (E2E) encryption using strong cryptography. No one, not even the engineers at Wickr can decrypt your messages. You get a full range of message types, from text chats through one-on-one video calls, group messaging, and file and location sharing.
Platforms: Wickr Me is available for the iOS, Android, Mac, Windows, and Linux operating systems.
This all sounds pretty standard for a top-end messaging app. But Wickr Me differs from most other apps in one very important way. Your messages are ephemeral. Ephemeral messages are messages that disappear (self-destruct) after a set amount of time.
We’ll go into the details of this a little later, but for now realize that Wickr’s ephemeral messaging design has both pros and cons. This article explains the pros and cons of this Wickr Me feature nicely.
Now that you’ve got the 30,000 foot view of Wickr Me, let’s talk a bit about the company behind the products.
The company behind Wickr Me
Wickr was founded in 2012 by the team of Dr. Robert Statica, Kara Coppa, Christopher Howell, Nico Sell, and York Sell. The company is based in San Francisco, California.
The company’s location puts it under the jurisdiction of the United States. This is not ideal for any organization that values security and privacy. The United States is a member of the Five Eyes intelligence alliance and the home of the NSA.
While this jurisdiction isn’t ideal, we believe that the design of the Wickr product line greatly reduces the security risks. This is particularly true of Wickr Me with its capacity for fully anonymous use.
Wickr Me vs Wickr Pro Basic
Interestingly, Wickr produces two products that could appeal to individual users. Besides Wickr Me, the company offers Wickr Pro Basic. They both are built on the same code base. Why two such similar products and how do you choose between them?
Wickr Me supports true anonymous use, but doesn’t have as many features as Wickr Pro Basic.
Wickr Pro Basic is designed for individuals and small teams. It includes some team-related features that Wickr Me doesn’t. But in Basic products, your user ID must be a valid email address.
Which of the two is right for you depends on your use case and threat model:
- Need anonymity? Go with Wickr Me.
- Want team-related features and don’t mind exposing an email address? Check out Wickr Pro Basic.
For the rest of this Wickr review, I will assume that you opted to go with Wickr Me. Even if Pro Basic is in your future, the vast majority of the information you read here will apply in either case.
Wickr Me security
As you can probably imagine for a product approved by the US DoD for secure communications, Wickr Me is loaded with strong security features. End-to-end encryption using AES-256, ECDH512, and HMAC-SHA256. Perfect Forward Secrecy (PFS), and ephemeral messages with digital shredding are some of the highlights.
While the Wickr code set is not open source, the crypto code is available for review on Github here.
The Wickr website stresses that the company puts a lot of effort into getting their code verified. They include glowing quotes from seven different organizations that have inspected Wickr’s code. Unfortunately, the quotes aren’t dated, and the full reports from these organizations don’t seem to be publicly available.
The situation is much better when it comes to transparency reports. They have an archive of reports going back to 2013. I like seeing the continuity of reporting here. Some services seem to merely publish one or two reports so they can say they publish transparency reports… then never publish another. Here’s a link to the Wickr Transparency Report page.
The Wickr Me Android app gets a good score of 4.7 out of 5 stars and has been downloaded over 5 million times. While this is a healthy number of downloads, it is dwarfed by the big names in the space like the Telegram Android app, which has been downloaded over 500 million times.
Installing Wickr Me on an Android phone requires selecting a username and password. This means you can create an anonymous account since no personally identifiable information, such as an email address or phone number, is required. The username you enter serves as your Wickr ID.
Next, WickrMe gives you the option to enable Contact Finder. Contact Finder will scan your phone’s address book looking for contacts that are also Wickr users. This contact information is stored on your device and, “a cryptographic representation of your contacts that we store on our servers to match with your friends,” according to Nico Sell, Wickr co-founder and CEO.
You can link your own phone number to your Wickr ID so others can find you. But this is optional so you can skip it if you want to protect your anonymity. You can also enable Biometric Prompt, which requires biometric or password authentication whenever you launch Wickr Me.
Finally, Wickr Me offers you a guided tour of the app’s features. Since the team continues to add new features to their apps, I recommend you spend a moment to complete the tour and get updated on any features I didn’t cover in this WickrMe review. Once you do, you’ll be ready to start using Wickr Me.
Using Wickr Me is much the same as using any other messaging app (at first). Tap a contact to initiate a Direct Message with them. As you might expect you can send voice messages or have live voice chats. Beyond that you can share files, photos, and videos.
Remember that I told you Wickr Me uses ephemeral messaging. All Wickr messages have a limited lifespan and are automatically destroyed after that. The app includes a digital shredder feature that destroys the messages in such a way that they are immune to forensic recovery. When they are gone they are really, really gone.
The expiration timer comes into play when you create a message. You can see evidence of it in the text entry field before you start typing a new line of text.
The expiration time is not the only auto-destruct timer built into Wickr Me. The other is called the Burn-On-Read timer. This timer starts ticking as soon as a messages is marked as “read.” Between them, the expiration timer and burn-on-read timer completely control the life of a message.
The expiration timer is the maximum lifespan of a message. When the expiration timer hits its limit the message is irretrievably deleted. This happens even if the message has not yet been read, or the burn-on-read timer still has time left on it. But if the burn-on-read timer expires before the expiration timer goes off, the message will be deleted based on the burn-on-read timer.
In other words, a message is shredded and completely deleted when either the expiration timer or the burn-on-read timer fires, whichever comes first.
Group messaging and other features
Wickr Me supports basic group messaging through the use of un-moderated Rooms. This is one of the reasons you might want to consider Wickr Pro Basic. That version allows for bigger rooms and an assigned moderator for the group. Other useful features of Wickr Me include:
- Key verification allows you to confirm the identity of someone in your contacts list.
- Location sharing. This works similarly to the same feature in WhatsApp. You can either share a snapshot of your current location, or continuously transmit your live location to recipients.
- Quick responses are canned (pre-made) responses you can send in lieu of crafting a custom message at an inconvenient time.
Wickr Me desktop apps
You download the Wickr Me desktop apps directly from the Wickr website. Here’s the link. The page also provides download links for the mobile version as well. While Wickr has long included the mobile apps here, it is looking like a prescient move as Apple and Google have recently begun evicting apps they don’t like from their stores (Parler, for example).
Once you download and install the correct desktop app, you will get the opportunity to go through the Wickr Me tour. After that, you’ll find yourself in the desktop app, which looks like this:
The desktop apps have most of the capabilities of the mobile apps. This includes the ability to send your current location, although doing so will probably require you to give Wickr Me access to the OS’s location services.
Wickr Me support
I was impressed with the information available here. You’ll likely find the answers to any Support questions — but if you don’t, hit the Submit a request link at the top of the page.
Wickr Related products
As you saw earlier, Wickr publishes a growing family of products. At the time of this Wickr Me review, the family included Wickr Me, Wickr Pro, Wickr Enterprise, and Wickr RAM. Let’s take a (very) short look at each.
Wickr Pro works for individuals, but is more intended for secure small team and business collaboration.
Wickr Enterprise is designed for enterprise level installations with full control and regulatory compliance. For more information, click here.
Wickr Me is one of the most secure personal messaging app available. The fact that Wickr was one of two apps (along with Signal) approved for use by the soldiers of the 82nd Airborne’s Task Force Devil when they deployed to the Middle East says a lot about the quality of Wickr products.
But there’s still one problem. Wickr Me does not have many users. This means you may have trouble actually connecting with friends and family on this platform. This is in stark contrast to Signal and Telegram, which have ballooned in users over the past year with an exodus away from WhatsApp over privacy concerns. Meanwhile, WickrMe remains a less-well-known product with significantly fewer users than other options in this space.
Assuming this secure messenger fits into your usage model, and you can find people to connect with, I strongly recommend you check out Wickr Me or Wickr Pro Basic.
Other secure messaging apps on SecurityTech: