Wickr, the encrypted messaging app, finally goes open source

All it took was nearly five years and a shuffle of senior management.
Written by Zack Whittaker, Contributor

(Image: file photo)

Finally, Wickr has released its core crypto code to the open source community.

The end-to-end encrypted messaging service launched in 2012, long before Signal took off and WhatsApp rolled out encryption of its own.Yet Wickr became one of the last to publish its code to the open source community.

The service's use of encrypted and disappearing messaging, à la Snapchat, helped to gain users' trust that their messages wouldn't be stolen, leaked, or exposed to either hackers or federal agents.

But the company's choice to restrict access to its crypto code made it impossible for anyone to be sure that the service was free from vulnerabilities or backdoors, except for a very few select cryptographers and security auditors.

Wickr hopes that publishing the source code will allay those fears and nullify one of the app's biggest critiques -- that nobody could be certain the app was truly secure.

The company released the code on GitHub along with a technical white paper.

"It is now time to begin opening the source code so our customers and partners can easily review the crypto codebase and validate the promises we make to Wickr's users," said Joel Wallenstrom, Wickr's chief executive.

But while the source code release was months in the making, the company didn't consider the move until recently.

When we met former chief executive Mark Fields in May, he said in the face of his company's critics there there would be no release of source code, citing the company's proprietary intellectual property and a for-profit business structure as barriers.

He departed the company several months later, and the company underwent an internal about-face.

While the service was initially used by dissidents and activists, the company late last year announced its leap into government and enterprise markets with its secure professional-level service in an effort to challenge the collaborative workspace apps, like Slack and Convo, while making the service free for personal use.

When Wallenstrom took over at the helm in November, his focus was set on bolstering that enterprise customer base, and pushing an open source mantra, something which he believes is important in the security space.

The company said it listened to "key voices" to inspire a push towards opening its code to the public, including the Electronic Frontier Foundation, which its most recent "Who Has Your Back" report gave the company de facto full-marks for its privacy and security stance.

But that still wasn't enough to convince some companies to turn over their internal communications systems to an untrusted partner during a time of greater scrutiny in the wake of high-profile hacks and suspicion of surveillance.

Wickr hopes that now that anyone can see the code, it will ease the minds of privacy-minded companies.

The response to Wickr's open-sourcing so far has been positive.

"You can't leak what you don't have," said Dan Kaminsky, a veteran security researcher who also advises Wickr.

"For years, Wickr has been at the forefront of ephemeral communication. With Wickr Professional, they are allowing teams to be confident that what is discussed is not distributed. And by opening their code, they are giving the engineering community strong reasons to trust their platform," he said.

Opening its code to the world may be unfamiliar territory for the company, but Wallenstrom calls it "an important milestone in Wickr's growth."

Realistically in security, service will only get you so far. It's trust that these companies strive for. In Wickr's case, it's late to the party, but it's better now than never.

Editorial standards