An App That Encrypts, Shreds, Hashes and Salts

The Wickr app.


When it comes to mobile apps and social networks, the devil, increasingly, is in the default settings.

Companies have little, if any, incentive to let users opt out of services that siphon their personal data back to the advertisers who pay their bills. Nor do companies have any legal mandate to secure users’ personal information with hacker-proof encryption. The responsibility is very much on the user to opt out of services and read through the fine print in privacy policies to understand how their personal data is used, secured and sold.

A group of computer security experts want to turn that model on its head with Wickr, a new mobile app that they hope will set a new standard for how personal data is disseminated.

Wickr’s motto: “The Internet is forever. Your private conversations don’t need to be.” The app, which became available in Apple’s iTunes store on Tuesday, lets users transmit texts, photos and videos through secure and anonymous means previously reserved for the likes of the military and intelligence operatives.

Text messages, photos and videos sent via Wickr are secured using military-grade encryption and never stored. The service camouflages user names and other identifiable information, such as a phone’s identification number, by appending several random digits to each value, then mashing them up with a mathematical algorithm, a process security experts refer to as “salting” and “hashing.” Wickr hashes and salts that information several times and only stores the encoded result.
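The salting and hashing described above can be sketched as follows. This is an added illustration, not Wickr's code: the hash function (SHA-256), the salt length, the round count, the function names and the sample identifier are all assumptions, since the article gives none of them.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ROUNDS = 10_000   # assumed; the article only says "several times"
SALT_BYTES = 16   # assumed salt length


def protect_identifier(value: str, salt: Optional[bytes] = None,
                       rounds: int = ROUNDS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored, never `value` itself."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per record
    state = value.encode("utf-8")
    for _ in range(rounds):
        # Append the salt, hash, and feed the result into the next round.
        state = hashlib.sha256(state + salt).digest()
    return salt, state


def matches(candidate: str, salt: bytes, stored: bytes,
            rounds: int = ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = protect_identifier(candidate, salt, rounds)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    device_id = "DEVICE-0000-EXAMPLE"  # constructed sample identifier
    # Unsalted: the same identifier always yields the same digest, so two
    # databases holding it can be joined, and a precomputed table reverses it.
    plain_a = hashlib.sha256(device_id.encode()).digest()
    plain_b = hashlib.sha256(device_id.encode()).digest()
    # Salted: two records for the same identifier share nothing visible.
    salt1, rec1 = protect_identifier(device_id)
    salt2, rec2 = protect_identifier(device_id)
    return {
        "unsalted_linkable": plain_a == plain_b,
        "salted_linkable": rec1 == rec2,
        "verifies": matches(device_id, salt1, rec1),
        "rejects_other": not matches("DEVICE-0001-EXAMPLE", salt1, rec1),
    }


if __name__ == "__main__":
    print(demo())
```

The hand-rolled loop mirrors the article's wording; a vetted key-derivation function such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt` does the same job with reviewed parameters.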

The app gives users the option to set a self-destruct timer for anything they send so that they can control how long a recipient views their videos, photos or texts before it disappears completely.

Typically, when someone deletes anything from a phone, metadata from the file remains on the phone’s hard drive, where skilled hackers, forensics investigators or law enforcement officials can piece it back together. Wickr’s app contains an anti-forensics feature — the mobile equivalent of a paper shredder — that erases deleted files for good by writing over that metadata with gibberish text.

The app is the brainchild of a team of security experts who envision it having as much appeal for the tinfoil-hat-wearing crowd as it will for congressmen, hackers, journalists and their sources.

Wickr was co-founded by Kara Lynn Coppa, a former defense contractor; Christopher Howell, a former forensics investigator for the State of New Jersey; Robert Statica, a director at the Center for Information Protection at the New Jersey Institute of Technology; and Nico Sell, a security expert and longtime organizer for Defcon, an annual hacker convention.

The co-founders snubbed advertising in favor of a “freemium” business model. The app offers core services for free, but charges a fee for premium services such as sending files to groups of more than 10 people or dispatching larger files.

“Right now, everyone is being tracked and traced in ways they don’t understand by numerous governments and corporations,” Ms. Sell said in an interview. “Our private communications, by default, should be untraceable. Right now, society functions the other way around.”

“There is no reason your pictures, videos and communications should be available on some server, where it can easily be accessed by who-knows-who, or what service, without any control over what people do with it,” added Mr. Statica.

Ms. Sell said one of the reasons she created the app was for her two daughters.

“If my daughter wants to post a picture of our dog, Max, on Instagram, she shouldn’t have to know to turn the geo-location off,” Ms. Sell said. “People have always asked me ‘How do I communicate securely and anonymously?’ There was never an easy answer, until now.”

Wickr is not without loopholes. Even if users time their communication to self-destruct, for instance, a recipient can still grab a screenshot of their phone screen and store the information that way. Ms. Sell said Wickr’s team was working on ways to notify a sender if a recipient had captured a screenshot of their dispatch.

But, she added, her best advice is: “Don’t send secrets to anyone you don’t trust.”