/d/OpSec


Wickr - is it really that safe?

by /u/boste · 0 votes · 18th March, 2020 20:37

I see many vendors using Wickr; it's just such a convenient way to communicate, it's amazing.

I know they are open source and all that, but are they really safe as to be openly used by vendors?

I have heard that LE cannot intercept a message but that if you get arrested and they get physical access to your phone, then they can forensically extract deleted messages from the app. Does anyone know if this is true?

Most data I can find on the subject is outdated, back when they were not open-source, etc.

Comments (8)
/u/hellwind · N/A votes · 18th March, 2020 - 22:39 · Link

Wickr is a time bomb. It's laughable that there are so many sellers thinking they are safe using wickr. Sure, they are safe as long as they don't reveal any information that helps identify them, or their region, and they are not using it on a phone. Otherwise it's just a matter of time; I am just sitting and waiting to see the biggest worldwide arrest operation ever.

- it's closed source, so you don't know if server holds your private keys or not
- Servers are located in USA. DEA / LE / Interpol / whoever can either seize or buy the company, change the source code in the way nothing will be sent encrypted anymore, like they did with Hansa market (Seized the servers, changed the source code for addresses auto-encrypting sent in clear text, and kept them running for almost two months, collecting a huge number of data and addresses)
- If you are using it on your phone and not on a burner phone, if they seize your phone they could prove that the conversation was sent from this phone through IMEI of the phone

That's already enough. Like the ridiculous number of Discord servers where people are selling RCs. Just use Keybase. Open Source. Simple and easy. Can use your own pgp. If you are truly paranoid, just compile from the sources, and compatible with any device/system. I really don't get why people are still sticking with wickr. Same about thinking protonmail and tutanota are safe.

/u/boste · N/A votes · 19th March, 2020 - 06:47 · Link

Thanks for your reply,

- it's closed source, so you don't know if server holds your private keys or not > https://www.zdnet.com/article/wickr-encrypted-messaging-app-goes-open-source/

- Servers are located in USA. DEA / LE / Interpol / whoever can either seize or buy the company, change the source code in the way nothing will be sent encrypted anymore, like they did with Hansa market (Seized the servers, changed the source code for addresses auto-encrypting sent in clear text, and kept them running for almost two months, collecting a huge number of data and addresses)

Hansa was an illegal criminal organisation, with no defense case or rights, completely different purpose and the encryption protocol was merely a simple function within an interface. I don't see the relevance here... It's true that they are in the USA, however, especially so, with such prolonged use of wickr, why have they never done this then?

- If you are using it on your phone and not on a burner phone, if they seize your phone they could prove that the conversation was sent from this phone through IMEI of the phone.

How so if metadata is stripped from messages?

/u/hellwind · N/A votes · 20th March, 2020 - 13:34 · Link

Hi, thanks for your clarifications. Yes I was aware about the fact the encryption they use is open source - but does it really assure servers are not holding private keys? What if servers will be seized or company bought from undercover big company that will share with LE/DEA the access to servers and modify the code? If they've never done this, it's because they probably know Sellers should not be so stupid to give out personal information - but you know better than me some sellers are totally ignoring OPsec and could say things that could allow to track them. The cost of operation is probably too big, they are looking for big fishes, what they will get for sure are buyers' addresses, but this won't help to catch sellers, if they didn't say anything compromising. About the IMEI I can't give you further details, I'm no specialist, but I had a long explanation from a guy programming secure phones for a criminal organization in NL, I don't think he was the kind of guy telling BS. But same here - if the app is modified to read the IMEI and store it to the server, if they seize the phone they can prove that messages were sent from this phone. As I said, I just don't get why people should stick with wickr, when there are other IM programs (Jabber, Keybase, maybe Dust) that are a lot safer, and especially keybase is easy to use for any noob even if he doesn't know / want to configure own pgp certificate. Better safe than sorry no?

/u/boste · N/A votes · 22nd March, 2020 - 06:57 · Link

Thanks for the input. Well that's the whole concept, when you have the app, you can only sign in to your account through that same device you installed it in. Because private keys are stored locally and not remotely. If the code was to make an additional copy of the private key and store it in the servers it should have been visible when it was open sourced. Yeah possibly better to run on a burner phone with prepaid 3g and blocked cameras. It's all about convenience and user base, the standard tool seems to be Wickr. Because you can have it on your phone and it's practical. I would prefer Jabber with OTC of course for security but this cannot be done on a phone, and needs a certain degree of technical effort. So less convenient. Because everyone uses wickr as it's more practical whilst still secure, everyone is forced to use wickr. In the same manner that most users will be on a market which might clearly not be the best, but vendors and further users must go where the major user base is...

/u/hellwind · N/A votes · 23rd March, 2020 - 23:47 · Link

Thanks for your input as well. But what is the reason to prefer wickr over Keybase, that is compatible on any device, with the same features and even more than wickr, and it's crystal clear safe? Or Dust, that is hard-coded 24 hours expire, read or unread, no matter what. Jabber is definitely complicated for a newbie to set it up. Keybase is really simple like wickr, no need to use own certificate, keybase can create them for you automatically and handle in the same way like your own certs, as can be seen in the source.

/u/CANDLE_LIGHT9 · N/A votes · 19th March, 2020 - 06:18 · Link

So I would like to chime in here, I made a new account specifically for this post. This is just from a personal experience. Wickr saved me from getting serious time. I was indicted/arrested 3 years ago for selling drugs, USA based. They were able to obtain warrants for just about everything but were unable to open the wickr app, I refused to give up password for obvious reasons. They moved forward to obtain messages/data directly from "wickr", I don't know how they went about contacting them but they did and wickr at that time blocked me from getting into account (suspended account) but when they handed over data/evidence to "LE" all the messages they had (about 10% or fewer of ALL messages ever sent/received) looked like "PGP" format text. There was no way to decrypt or see what the actual messages said, a simple "yeah be right there" was 30+ text/number combinations that made no sense. They were pretty pissed about this and then moved forward to state time stamps of "app usage" with other people (customers/partners) who had turned taken plea deals to testify against me saying what "we" used the app for. I know some people are a little skeptical but I have yet to see any case where wickr messages were actually used in court, I have personally read on darknet live about "whats app" turning others over but as for wickr I can personally say I was glad to have used them.

/u/boste · N/A votes · 19th March, 2020 - 06:21 · Link

Thanks for creating the account to post this, very interesting information. This is the thing, whenever I do research on the matter what I find is a lot of people just giving their opinions. And that is worthless research, what matters is:

1. Have there been any busts where wickr was used to provide evidence? (I cannot find them either)
2. Technical intricacies that someone with knowledge could evaluate

/u/TheNerdyAnarchist · N/A votes · 18th March, 2020 - 20:47 · Link

It's actually *not* open source, which is why I *personally* would never use it. That's just me, though. Basically, if high level law enforcement ever gets a hold of your devices, barring some kind of self destruction mechanism, you're basically fucked anyway, but you can make things as difficult as possible by encrypting everything, regularly clearing/shredding, and never use biometrics.

/u/boste · N/A votes · 19th March, 2020 - 06:26 · Link

https://www.zdnet.com/article/wickr-encrypted-messaging-app-goes-open-source/

/u/TheNerdyAnarchist · N/A votes · 19th March, 2020 - 06:29 · Link

If I remember correctly, that was only the protocol for their enterprise version, and they still hadn't either released the consumer version nor moved the consumer version over to that protocol.

/u/boste · N/A votes · 19th March, 2020 - 06:56 · Link

Wasn't that before the CEO left the company and they took over and decided to make everything open source?

/u/DanknationLotto · N/A votes · 18th March, 2020 - 21:28 · Link

don't use identifiers and you'll be fine with any messaging app

/u/boste · N/A votes · 19th March, 2020 - 06:28 · Link

identifiers?

/u/THClear1 · N/A votes · 18th March, 2020 - 22:00 · Link

it's not open source and it's owned in part by Erik Prince, the dark lord of Blackwater. Secretly added to the board of directors by misspelling his name, Wickr is not to be trusted. Their little diagram about how their encryption can't be intercepted is just a little story. They can put an exploit into the app and sell it if they wanted. And why wouldn't they? They're connected to a mercenary army that is under investigation in the U.S. for treason.

/u/boste · N/A votes · 19th March, 2020 - 06:33 · Link

https://www.zdnet.com/article/wickr-encrypted-messaging-app-goes-open-source/ ?? Interesting, I mean the fact he is under investigation by the US for treason makes me trust him more than not. However blackwater/academi is a shady company, however never seen any bust related due to wickr?

/u/THClear1 · N/A votes · 19th March, 2020 - 21:20 · Link

yeah they are playing a long game. I always read articles about what academi is up to. and the treason investigation is being squashed, so it's all a black box in the wickr corp. I didn't know they went open source but I've looked at the company pretty thoroughly and it just doesn't look like an app company... or a communications company. IDK what it is and as they say if you don't understand it, get rid of it ;-)

/u/SteroidWarehouse · N/A votes · 18th March, 2020 - 22:14 · Link

back when they were not open-source. I thought only the encryption protocol is open-source.

/u/boste · N/A votes · 19th March, 2020 - 06:35 · Link

Please expand

/u/beerglugger1994 · N/A votes · 18th March, 2020 - 22:28 · Link

def wouldn't even matter if u used wickr. hell you see all the telegrams now a days today? u have to be less sketched unless ur pushing weight weight or hard drugs lol. just stick away from meth heroin xanax perc etc, i had pound of wax come to door step with my real name, real address, and i placed it with a real phone number.... and when it got seized unluckily, nothing happened.... this is not that sketchy. You just treat it like it is. If you're asking this question you sound like a buyer, and no, the feds aren't going to take your phone and forensically extract deleted messages, that is a waste of their time. and if they were on a big big vendor's phone, they'd see ur chats and not even care about you. So your answer is: comm ain't gonna be an issue home dawg

/u/boste · N/A votes · 19th March, 2020 - 07:01 · Link

Thanks for your reply, but you are assuming a lot of stuff which you simply do not know about me. Funny you mention that, because in fact it was through a seller friend of mine who told me after he got busted and did time that they retrieved signal messages from his device and used them in court...

/u/1of1Ninja · N/A votes · 19th March, 2020 - 07:09 · Link

can you elaborate on the "signal" part? I thought signal was one of the best open source encrypted msging apps?

/u/HighGradeMasters · N/A votes · 19th March, 2020 - 10:23 · Link

there's an Israeli device developed which LE can use & there is an article out there somewhere where they tested this & were able to retrieve deleted Signal messages from phones. Can't remember what this is called though

/u/ChoppedBytes · N/A votes · 19th March, 2020 - 20:17 · Link

If you care about security to the point where Israeli companies are being contracted to catch you, don't use a phone. If you do use a phone, encryption would prevent the type of retrieval you talk about. Signal has also done a lot of work on disappearing messages in the past year.

/u/HighGradeMasters · N/A votes · 20th March, 2020 - 03:53 · Link

I'm not. I'm simply referring to /u/boste's post above where he mentions that Signal messages were able to be retrieved

/u/1of1Ninja · N/A votes · 20th March, 2020 - 23:00 · Link

Good to know, let's say signal or app wickr wasn't even on your phone. is there any way they could see that still?

/u/boste · N/A votes · 19th March, 2020 - 07:20 · Link

Me too... I can't really elaborate much more, he just got busted, they took the phone and then in court were using messages from chats he had which had been supposedly deleted. I lack more background information on that story though. I mean, I am no expert, but think about it, signal is linked to a phone number. You get a phone number, and then you can trace that back to a device, install malware like a keylogger that monitors screen use and fetch all data without having to take part in any of the communications encryption process hacking.

/u/1of1Ninja · N/A votes · 19th March, 2020 - 07:29 · Link

What if the number linked to signal was from a text free app. And wouldn't all communications be encrypted? I have to do more research myself. Any help would be appreciated.

/u/boste · N/A votes · 19th March, 2020 - 07:58 · Link

Then you would be cutting out that possibility, unless they have some other way to identify target phone. Think about it like when you need support for something and what they do is remotely use your computer, you can be using tor and pgp and what not, but if they are seeing your screen the same way you are seeing it, then they are seeing that information same as you are.

/u/1of1Ninja · N/A votes · 19th March, 2020 - 08:10 · Link

very interesting...I've also read that wickr had a case with uber and none of its info could be retraced?

/u/boste · N/A votes · 20th March, 2020 - 08:35 · Link

Thanks for bringing that to light, wickr is growing on me

/u/WeAreAMSTERDAM · N/A votes · 18th March, 2020 - 22:38 · Link

OpSec, Never thought about using Wickr, why would you, it's not safe. Buy an encro phone.

/u/boste · N/A votes · 19th March, 2020 - 06:37 · Link

Any actual evidence or explanation? Encrophone is amazing, especially when you are carrying it and police wonders why the fuck you have an 800euro phone known to be owned only by drug dealers. And if I recall correctly, you can only talk to people that have also spent 800 euros on that same phone right? Were they not also hacked? something about a backdoor and a strange explanation..

/u/DarkSupport · N/A votes · 19th March, 2020 - 19:02 · Link

You can make almost ANY phone into a device just as protected if not more so than Encrophone. For starters they essentially remarket PGP that can be facilitated by ANY email client or used with a mobile by using OpenKeychain. They use outdated hardware that does NOT use a secure enclave meaning your device will still be vulnerable to physical attacks. Never trust a service that offers a Remote Wipe option. You do not know how this has been implemented and in most cases will only agitate LE as they will most likely have imaged the device depending on the jurisdiction you may as well have signed your sentence. You can easily purchase a Pixel 3 or the cheaper 3a and flash Graphene OS onto it. It will provide an open source platform that will still be cheaper and arguably more effective than Encrophone.

/u/boste · N/A votes · 20th March, 2020 - 08:40 · Link

Never liked that encro phone... Thanks, some valuable information here

/u/DarkSupport · N/A votes · 21st March, 2020 - 04:45 · Link

No problem, I set up devices for clients of mine with similar use cases so I figured I would put forward my input. Graphene OS is a great project, I hope they are able to keep improving on the project; I'd hate if it ended up like its predecessor Copperhead OS