University calls out Wire private messenger over code structure


Wire, a popular secure messaging app with over 1 million downloads, ended 2016 by fielding a potent list of criticisms after a researcher at the University of Waterloo concluded that “users should avoid using the service while numerous problems remain unfixed.”

Wire, created by Skype technologists including co-founder Janus Friis, is being dinged for closed-source server code, problems in call and account authentication, and an overly complex code structure that makes the attack surface very large. An unnamed researcher at Waterloo’s Cryptography, Security, and Privacy (CrySP) lab wrote that users “should avoid Wire audio/video calls for secure conversations” until the problems are rectified.

“The problems listed above weaken the security of Wire relative to competitors like Signal, but the problems are not insurmountable,” the author wrote. “The chat features offered by Wire have a very modern aesthetic that is very popular with users, and this makes Wire a very interesting offering. Users should be aware of these concerns before choosing to use Wire. While these problems are unaddressed, users should avoid using Wire audio/video calls for secure conversations, assume that Wire passwords could be silently compromised, treat the Wire application like a constantly updating web service rather than a semi-stable desktop application, and consider sandboxing Wire on sensitive systems.”

The company’s response indicates that it wants to address many of these issues in the coming year, including by opening up the server code behind the app within the first quarter of 2017.

Many of the problems the report identifies stem from that code. Without access, the computer scientist had to rely on Wire’s documentation on security and privacy to make critical assessments. The open sourcing of the code should begin newly intense and enlightening expert scrutiny and auditing of the app.

In the middle of a boom in secure messaging, apps like Signal and Wire are now receiving greater scrutiny from researchers evaluating apps that advertise paramount security for users. Examination of both continues, but Signal has received glowing reviews so far.

Wire, first launched in 2014, is developed by a 50-person startup based in Switzerland, a country playing host to numerous privacy-focused tech firms due to friendly laws. The app boasts a wide range of features combined with strong encryption and security, plus no advertising. It’s a for-profit company, but there is no discernible business model at this point. That, however, has been true of many startups: grow quickly and figure out the money end later on.

You can read the full set of criticisms and Wire’s responses at Waterloo’s website.

Correction: This article previously misidentified the author of the report as David Cheriton. In fact, the report is credited to the Cryptography, Security, and Privacy Research Group at the David R. Cheriton School of Computer Science at University of Waterloo. No individual researcher is listed as author by the school.
