SECURITY IS FOR EVERYONE.
Whether personal or business, your conversations & data are private by design.
Content is encrypted locally on user devices and is only accessible to intended recipients. Wickr never has the decryption keys.
No conversation lives beyond its useful life – you decide when your content gets automatically deleted for good.
Perfect forward & backward secrecy
Every message, file and call is encrypted with a new random key. As of now, breaking just one key would take trillions of years to decipher.
Even in the case of a breach, Wickr servers have no user communications - they are undecipherable in transit and deleted upon delivery.
User Key Verification
After exchanging keys with your contact, Wickr provides tools to help verify the identity of the person using the keys on the other side of your conversation.
Wickr enables your business to run your own private network. Control and centrally manage security policies for your users.
Users within one Wickr network can communicate with partners in other Wickr networks while still maintaining security and ephemerality controls.
Not only is your calling on Wickr end-to-end encrypted, it is also protected with forward security - whether 1:1, or in conference calls.
WICKR’S MESSAGING PROTOCOL
This infographic is designed as a high level visualization of the Wickr Messaging Protocol. For more information, please see the technical white paper by Chris Howell, Tom Leavy & Joël Alwen here and the source code here.
Special thanks to Whitfield Diffie, Paul Kocher, Dan Kaminsky, Adam Shostack, Scott Stender & Jesse Burns for reviewing this paper and/or code and providing their insightful comments and invaluable advice.
Wickr employs multiple layers of encryption to secure your data and messages, both at rest and in transit, including:
- Wickr username, application ID and device ID are cryptographically hashed with multiple rounds of salted SHA256;
- Data at rest and in transit is encrypted with AES256;
- As part of Perfect Forward Secrecy, each message has a new encryption key that is deleted as soon as message is decrypted;
- Message encryption keys are encrypted with a key produced using ECDHE;
- Messages are bound to both the receiver’s application and device;
- No password or password hashes ever leave user device;
- All user content is forensically wiped from the device after it expires;
- Your UDID (Unique Device Identifier) is never uploaded to our servers so you are always anonymous to us.
LEARN MORE ABOUT WICKR SECURITY
White Paper: "The Untrusted Server: THE REAL-WORLD IMPACT OF A WICKR SERVER COMPROMISE" by Chris Howell, Wickr CTO
White Paper "On Password Protection" by Joël Alwen, Wickr Cryptography
White Paper "Beyond Eavesdropping: Adversarial Models for Secure Messaging"* by Joël Alwen, Wickr Cryptography
* The content of this paper was presented at 2017 AppSecUSA
Premium data deserves premium security. That’s why we are committed to working with world-leading experts to thoroughly inspect our code. Wickr's messaging protocol is also available for public review.
“Aspect found no weaknesses in the latest version of Wickr software that would allow Wickr or a third party to gain access to unencrypted user messages." Read more here.
“Wickr met or exceeded the security score outlined in the Veracode Risk Adjusted Verification Methodology for an application at the high assurance level."
"Rather than relying upon point-in-time security assessment, Wickr & NCC Group developed an iterative & transparent process that attests to Wickr’s commitment to protecting critical data & communications."
BUG BOUNTY PROGRAM
Under Responsible Disclosure Terms, qualifying security vulnerabilities can be rewarded with a bounty of up to $100,000 US depending on our assessment of severity as calculated by likelihood and impact.
As a company of InfoSec experts, we know security is a team sport. Securing the world’s communications requires all resources available to us to ensure our code can withstand emerging threats. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting edge, eye-opening security revelations to date. The Wickr Bug Bounty is designed to encourage top-notch security researchers to help us identify and mitigate any potential issues in Wickr ecosystem. We pledge to drive constant improvement with the goal of keeping Wickr the most trusted messaging platform for our users.