A texting app that showed up in the iTunes store Wednesday is restarting the conversation about how to have secure conversations – especially via text – on smartphones.
The app, from startup Wickr is designed to make text, photos and videos sent from iOS machines more secure by encrypting them using 256-bit symmetric AES and RSA 4096 and proprietary algorithms.
Messages are encrypted on the device and while they're being transmitted – a vulnerable time for most secure-messaging apps, which protect messages when they're stored but not in transit.
Messages are sent to Wickr servers to be routed and delivered, rather than through those of the carrier or another messaging service, to give Wickr full control over them.
Message content is never stored on Wickr servers; Wickr keeps no records of the content, or any data about a particular message to identify the device that sends and one that receives it. Once the message transit is complete, Wickr loses that data, too, according to Wickr's FAQ.
Users can define who should be able to receive or decrypt the message and for how long it should be available. Once it passes its set time limit, the message self destructs.
Wickr won't even know users' identities if users want it that way:
"Your username, along with all other user and device information related to your account, is irreversibly encoded with multiple rounds of salted cryptographic hashing prior to being sent to our servers. Even we cannot determine the actual values based on the hashed values we store." – Wickr FAQ June 28, 2012
The goal is to leave no trace of either the message itself or evidence that two users ever communicated and give users the ability to control that level of security, not the app provider.
Wickr also has "anti-forensic" capabilities the company describes as having been designed to match the way mobile devices store data. Rather than letting data representing a text sit on a particular chunk of memory, Wickr continually wipes areas of main memory and storage that were used to write or display texts and pictures, according to the FAQ.
The first version of Wickr runs only on iOS machines, but later versions will be available for Android and for Windows and Mac PCs, according to co-founder Nico Sell, a former organizer of the DefCon security conference.
Wickr isn't the only mobile app with "military grade security" to hit the mobile market this month, though.
Privacy becomes a trend, as personal-security toolbox starts to fill up
Keeper Security launched a new version of its password vault Keeper, with connections to cloud services including DropBox and Evernote.
It added BCrypt to encrypt passwords stored on a phone (there's the "military grade encryption") and when it's stored on the cloud.
Keeper uses 128-bit AES to encrypt data in place and SSL to keep it safe during transmission, and doesn't store the master password; users have to keep track of that themselves.
Earlier this month, CipherCloud offered "military grade encryption" for Gmail, though it is not focusing specifically on the mobile market.
Its software runs on a virtual gateway between a corporate Gmail subscriber and Gmail, using 256-bit AES to encrypt data as its transmitted – without changing the way Gmail works or its speed, according to the company.
That CipherCloud works on both Android and iOS by default (through the gateway) is "icing on the cake," according to a statement to Forbes by CipherCloud's VP of marketing.
Rather than pitching it as a way to maintain privacy and security, however, CipherCloud describes it as a way to allow companies "with strict data privacy and compliance requirements to adopt Google Apps for Business."
That's a much broader focus than apps that simply encrypt, conceal or secure communications on a particular device.
It also addresses the well-founded suspicion many IT people have of cloud-based services by giving them control over the encryption keys, data lifecycle and access rights, without changing the devices or networks users want to access. The gateway, not devices, takes care of that.
Minor enhancements could make a major impact
CipherCloud offers similar services for Salesforce, Amazon's EC2 PAAS cloud and other cloud-based apps.
None of these is infallible, and none is comprehensive enough to counter efforts by the FBI, NSA, foreign intelligence agencies and virtually anyone else who considers nosiness a virtue and intrusiveness a right from spying on the activity of consumers or mobile workers who increasingly rely on a mix of mobile and cloud-based technology to get their work done.
Even calling the encryption and/or other security features "military grade" is a misnomer (one hopes), considering the Pentagon's poor record of securing its networks or anyone else's.
Neither of those issues makes any difference to what these particular product introductions represent: a widening realization and acceptance of the need for tight encryption and private communication between consumers – security tight enough that even the vendors supplying the technology or government agencies snooping around it can't (theoretically) break.
Six months ago that was a radical concept. Six weeks ago Apple was still claiming its operating systems weren't vulnerable to "pc viruses."
Now everyone seems to acknowledge that every device is vulnerable, every user should have the ability to control, to some degree, who can eavesdrop on or access private information. Not every security software vendor, employer or service provider supports all that privacy, but most give it lip service at least.
Unless some coalition of privacy-quashing vendor- and government groups acts fairly quickly to stamp out "military grade" encryption of private data and private communications, the technology supplying it will soon be too widespread to be stuffed back in the toothpaste tube.
None of these products or services is particularly revolutionary in its technology or implementation. They are all on a very significant cutting edge, however: The one slicing a divide between those who demand the right to snoop and those who prefer not to be snooped upon.
Until recently, the anti-snoopers didn't have the tools to do more than complain about their lack of privacy.
However well any of these particular offerings pans out, the rest of us can only hope the trend toward allowing Internet users a little privacy continues.