Messaging App Wickr Touts Its Security With Big Bug Bounty
For the past 18 months Wickr has been offering a more secure option for those who want the features of WhatsApp or Snapchat, but with an additional layer of security.
Wickr offers the ability for all its messages — photos, videos, voice calls and text messages — to self destruct after a period of time. The data is encrypted on the sending device and decrypted on the receiving device, and Wickr doesn’t have the key to unlock the data.
Aiming to prove its security is more than just talk, the company is offering a huge bounty to anyone who can poke holes in its system. The bug bounty of up to $100,000 for finding a critical vulnerability is in addition to the money Wickr already pays hackers to try to break through its protections.
“Snapchat hired lobbyists when they should have hired hackers,” Wickr CEO and co-founder Nico Sell told Re/code in an interview Tuesday. Sell says Wickr is more secure than a host of other products on the market, such as Confide, Skim, Gryphn, Blink, Frankly and Ansa.
Wickr, which is available for iOS and Android, uses what Sell calls a “zero knowledge” system in which the company stores neither the information nor the keys needed to decrypt the data. All the company knows about its users is the country they are from (based on the downloads from Apple’s App Store and Google Play).
The company has a “find friends” feature like the one that Snapchat had hacked but unlike Snapchat and others, Wickr doesn’t upload your address book to its servers. Instead, it uses a representation (or hash, in security speak) of the data and matches that against its user database (also encrypted).
Working with the security community is a key part of making sure the system stays secure, Sell said. “It’s really important to engage hackers,” Sell said. “If someone can find critical vulnerabilities, we want to work with them. … No one has found one yet.”
In its call to hackers to find bugs in the app, Wickr aims to appeal to both their wallets and a sense of purpose.
“Beyond making lots of money, you can feel good about helping Wickr because we were founded to protect the basic human right of private correspondence,” the company says in a blog posting shortly on its website. “Private correspondence is extremely important to a free society. People all over the world depend on Wickr. Please help us with this mission.”
So far Wickr has been downloaded one million times, and it expects to send its 100 millionth message this month.
One of Sell’s challenges will be making money — after all, that’s tough to do when you barely know who your customers are. The plan, Sell says, is to charge for certain premium features such as unlimited voice calls, international calls and conference calling.
Sell is also open to licensing pieces of the company’s technology, such as the self-destruct mechanism or the secure friend finder, to other companies to help make their products more secure.
“That could happen this year,” said Sell, whose company is raising $7.4 million in a Series A round led by In-Q-Tel founder Gilman Louie.
As for the unintended consequence of creating a tool that could be used by criminals or terrorists to evade law enforcement, Sell said that “every good tool is guaranteed to be used by good people and bad people.”