The best messaging app should also be the most secure messaging app, and both apps compared in this article claim to be secure. Wickr and SKY ECC both offer a high level of encryption, privacy, and security, but there are points where they clearly differ. The comparison covers:
- Encryption standards
- Hardware security
- Company policies
- Feature comparison
- Side-by-side comparison with a table
UPDATE February 4, 2020: Skip to a video I added which shows how Wickr’s hashed values can be obtained from devices.
Best messaging app for encryption: Wickr vs. SKY ECC
There’s no other way to look at it: if your messaging app doesn’t have great encryption it can’t be the best messaging app. Many apps have stepped up into the end-to-end encryption sphere, and both of these apps are certainly in that conversation.
Wickr currently uses a number of different encryption protocols:
- All messages are encrypted with AES 256-bit encryption. This is an industry standard, currently in use for many different applications. It gets the job done, but is in no way cutting-edge or advanced.
- Key exchange is done with 521-bit ECDH. This is an advanced cryptographic method, and is also used for the key exchange of SKY ECC.
- Device keys are unique to each device and generated within the app. They are used to encrypt the encrypted key of the message.
- Everything is sent over to the recipient’s phone in a TLS-encrypted data packet.
Other than using lower cryptographic standards than SKY ECC for message encryption, there is not much that can be said negatively about Wickr’s encryption standards. They do their job well and protect users.
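The layering in the list above (an AES-256 key per message, with a 521-bit ECDH exchange protecting that key) can be sketched as follows. This is an added example, not code from Wickr or SKY ECC; the function names, the ephemeral sender key, HKDF-SHA-256 and AES-GCM mode are assumptions chosen for illustration, and the TLS transport layer is left out.

```javascript
// Added illustration; not Wickr's or SKY ECC's code. All names are hypothetical.
const nodeCrypto = require('node:crypto');

const CURVE = 'secp521r1'; // NIST P-521, the 521-bit curve

// AES-256-GCM helpers. Output layout: nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// ECDH shared secret -> 256-bit key-wrapping key via HKDF-SHA-256.
function wrappingKey(ownEcdh, peerPublic) {
  const shared = ownEcdh.computeSecret(peerPublic);
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'msg-key-wrap', 32));
}

// A device key pair generated locally, as the list describes for device keys.
function newDevice() {
  const ecdh = nodeCrypto.createECDH(CURVE);
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Sender: a fresh message key encrypts the body; ECDH output wraps the message key.
function encryptFor(recipientPublic, text) {
  const eph = newDevice(); // ephemeral sender key (assumption)
  const messageKey = nodeCrypto.randomBytes(32);
  return {
    ephemeralPublic: eph.publicKey,
    wrappedKey: seal(wrappingKey(eph.ecdh, recipientPublic), messageKey, eph.publicKey),
    body: seal(messageKey, Buffer.from(text, 'utf8'), eph.publicKey),
  };
}

// Recipient: repeat ECDH with the device private key, unwrap the key, open the body.
function decryptOn(device, msg) {
  const kek = wrappingKey(device.ecdh, msg.ephemeralPublic);
  const messageKey = open(kek, msg.wrappedKey, msg.ephemeralPublic);
  return open(messageKey, msg.body, msg.ephemeralPublic).toString('utf8');
}
```

The elliptic-curve step only agrees on a key; the message bytes themselves are encrypted by the symmetric cipher.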
Encryption used by SKY ECC
The encryption used by SKY ECC is the highest in the industry, with 521-bit elliptic-curve cryptography (ECC) being used on all messages and key exchanges. The main advantage here is that while the AES 256-bit used by Wickr is secure, the 521-bit ECC that we use is much faster and creates smaller encrypted messages.
Faster is nice, but faster in the right environment can be crucial. Mobile environments require fast-loading content with minimal computational needs. That is exactly what ECC provides, and that is why we use it in our mobile app.
Hardware choices for the best messaging app
When it comes to apps you can download from app stores, hardware is usually their biggest weakness. This is because most phones are rarely as secure as they should be, and are hardly ever as secure as they could be.
Wickr is an app which can be downloaded onto any phone, including yours. This is, of course, very convenient. The cost of convenience, in this world, is always security. Wickr is good, but is the phone it is being downloaded onto protected against:
- Kernel rollback
- Tamper-resistance during manufacture
- OS backdooring
- Single password brute-force attacks
If you have answered ‘no’ to any of these then your phone isn’t as secure as it can be and Wickr is only as secure as your phone. Every app you download off of an app store has these same issues, and this problem was made very real by the video demonstration below:
What you saw above was a user decrypting hashed values from Wickr’s app. This is a design flaw with Wickr as they store a cache of login credentials on the actual hardware, allowing someone to crack the hashed values and access your account.
SKY ECC’s hardware
Before moving ahead, SKY ECC’s hardware cannot be cracked as seen in the video above, as no hashed values are stored on the device. Even if someone physically steals your SKY ECC device and miraculously obtains your device passcode (without triggering the brute-force prevention), there still isn’t enough data on the phone for them to crack into your ECC account in the manner shown above.
To get into hardware choices, we have identified three phones as secure building blocks for our secure hardware. These are top-of-the-line phones built by:
Our reason for using them is that they offer tamper-resistant chips which make them secure right from the manufacturer. They are also popular and frequently penetration tested, so they are not only thought of as secure, but proven as secure.
Another strategy we employ is phasing out phones as they age and lose support. The iPhone 5 was a great phone, but it’s no longer supported with security patches or updates, so we don’t use that hardware anymore. If a device can’t be kept secure, it’s insecure.
The best messaging apps are backed by great companies
How a company is set up, run, and how it follows a philosophy from the ground up has a huge impact on the end product. Both Wickr and SKY ECC have good companies behind them that deserve to be discussed, starting with their funding models:
- Wickr: While Wickr does currently make some money off of selling its premium features, the vast majority of funding comes from investors. At some point these investors are going to want to see a return on their investment, and it will have to come from something better than their initial idea which was selling off their tech. That isn’t sustainable, and neither is giving away a free app with no ads forever. What comes next is anyone’s guess.
- SKY ECC: This is not a free app and is funded by its users. Users are given complete control over their data, with no worries that their data will ever be collected for targeted advertising–we simply don’t need to collect money in that way. We can’t access user data (data is always encrypted as it passes through our servers), nor do we know who our users even are (we don’t associate personally identifiable info to use SKY ECC). Not knowing who our users are makes it difficult for us to market SKY ECC, but it’s a sacrifice we chose to make to offer the best product on the market.
The location of the company is also a large consideration:
- Wickr: Founded in Silicon Valley, Wickr is an American company headquartered in the USA. The US is a highly surveilled nation, with even Nico Sell (former CEO) admitting to an FBI agent trying to talk her into adding a backdoor to the app. It can’t be said that the USA is an ideal country for a privacy app due to how heavily government agencies are working to undermine security and encryption there.
- SKY ECC: Located in Canada, where digital privacy laws and protections are well established. Canada was not on Reporters Without Borders’ most recent “Enemies of the Internet” list while the USA was. Make your own judgements based on that.
Policies are a core component of how a company says it will protect you, and both apps have important points to note:
- Wickr: With concern for privacy being a founding aspect of Wickr, they have met their goals in user privacy policies. What worries us is their ID Connection feature and how it does, with heavy cryptography, associate you with your phone number. Yes, it’s convenient, but the tradeoff is always security and privacy. They have a few issues, I feel, with collecting user-provided data which should be rectified as well.
- SKY ECC: The app collects absolutely no data, with anonymous sign ups, no customer information, and no association of your phone number with your SKY ECC ID. We don’t actually ever know what your phone number is, it’s not part of our sign up process, so we can never compromise it. SKY ECC devices don’t even have phone numbers. They are data-only devices. When you use SKY ECC, those conversations are “air gapped” from anything that could identify you.
Both apps do well with privacy, with Wickr lagging behind due to the collection of user-provided data while SKY ECC doesn’t collect anything at all. Wickr is also at a constant disadvantage with the NSA, FBI, and the rest of the alphabet looking over their shoulder and whispering in their ear about backdoors.
Features of the best messaging apps
How the app is built will always impact how private and secure it is, and you can’t claim to have the best app for messaging if you’re missing key features. Here are the four major points we always look at:
- Photo storage: Wickr almost got this right by allowing users to open files within the encrypted container of the app. Where they failed is allowing users to export files to unencrypted areas of their phone. SKY ECC prevents this by only allowing photos and files to be stored within the encrypted container of the app, called The Vault. The Vault requires its own password, to protect it further. There is also a default feature which disables screenshotting, and another which keeps people from downloading photos and files that users send.
- Contact approval: There is no contact approval feature on Wickr which would prevent people from contacting you without your authorization. You have the option to block users once they contact you, but by then some damage is done. SKY ECC requires receivers to approve of contacts before anything can be exchanged. Plus someone can’t “just find” your ECC ID, you have to give it to someone or have it shared by a mutual contact. This vastly cuts down on spam as you can block anyone before they send you anything and prevents random strangers sending you horrible things.
- Metadata: Both apps handle metadata in the same way by protecting it with AES 256-bit encryption. This important aspect of privacy is often overlooked, but both apps pull this off well.
- Self-destructing messages: This is another feature which both apps excel at. Wickr has two settings which apply: Expiration and Burn-on-read. Expiration sets how long the data may exist before being deleted; Burn-on-read sets how long a message will exist after it is marked as read. SKY ECC has a setting for message expiration adjustable from seven days to two hours, as well as a flash messaging feature which deletes messages 30 seconds after they are read.
Both apps have good intentions behind all of their features, but only SKY ECC gives the maximum amount of security and protection. With some work on their contact approval and file storage, Wickr could vastly improve their messaging app’s features.
Which is the best messaging app for privacy?
Wickr is an okay app for messaging with privacy, there’s no glossing over that. The app is easy to use, designed well, and has good features. It does not, however, reach the same level of privacy and security as SKY ECC.
Here’s a quick comparison chart which further shows the differences visually:
Wickr does hold its own to a certain degree, but it doesn’t go all the way to establish true privacy and security like SKY ECC does. Another lacking feature with Wickr is their support, which is not available 24/7.