
Background

"Is the Wire messaging app secure?" is the only question I find on Wire here.

I am helping a group (non-technical, non-business) to decide on whether to use Wire or Threema for event coordination/general chat. They have picked those two candidates because they are seemingly similar - per their marketing providing end-to-end encryption, storing nothing on the server, not trying to catch your soul etc.

The decision is not based around the actual encryption of the messages - this is a sports group, not a terrorist organization. Several people are being strict with the management of their identities though, and opposed to linking accounts, having accounts linkage on servers and such.

I personally am having this impression, ordered by increasing impact.

Impressions about the two

  • Open source: tit for tat, both are essentially closed source (Wire pretends to be open source by having a github, but essential parts like server side Account Management are closed source, and the github repository obviously (judging from their own README in there) is not their "real", internal repository but an edited mirror). You cannot compile the server component of either, or run your own server.

  • Peer review: Threema has, if I recall correctly, had official, accepted peer reviews (by invitation) of their server side software, as well as the client. I'm unclear about Wire - they market with it on their website, but I don't remember seeing anything about what actually was peer reviewed. I'd say it's tit for tat.

  • End-to-end encryption: Threema, 100%. Wire, only for chat messages; the rest seems not to be end-to-end.

  • Business model: Both have regular for-profit Swiss companies behind them. Threema seems to be open with this. They take money for the app, period. Wire seems to not get any money from their users; there seems to be a backing company behind them, and it is so far unclear (to me) how they are supposed to generate revenue.

  • Accounts: the big one. Threema generates a random account (PPK) locally, period. It is not linked to a mail address or phone number - you can use it right after creating it; and if you use something like Xprivacy, the app cannot get those IDs behind your back. You can transfer your public key offline with a QR code. Wire forces you to enter a phone number (which is actually verified by SMS), thus linking your Wire account to other accounts immediately. For me, that is the biggest no-no (the previous points I can ignore as being too paranoid), a complete blocker, purely based on my personal level of paranoia, which is a choice which I ask you to accept as given for this particular question.

So. For both, we effectively don't know (in a paranoia/security context) what's happening server-side. For Wire, we know that they immediately have our identities (assuming a bunch of non-tech, non-sec people are not going to each get a dedicated smartphone just to use this app with a separate phone number and faked name, address etc. ;) )

Questions

Can you share some thoughts on my points? Please stick with the level of paranoia I have given in the question, this is one not negotiable part. I am not interested whether the NSA has our chat texts, but in business uses of our identities, linkability of identities and such, and your general impressions about the ethics of those two companies.

Especially I am interested in whether you know of trustworthy sources (i.e., trustworthy, independent, well-known security experts) which dispel my rather bleak view of Wire, or which shed more doubt on Threema.

I also am not interested in alternative apps, for this particular question - the two have been chosen by someone else, and I am simply interested in weighing the both against each other.

AnoE
    There's a reason why there is only one question about Wire here: we don't do product/service reviews. – schroeder Jun 22 '17 at 11:09

2 Answers

This page provides quite a comprehensive review of differences. https://www.securemessagingapps.com/

Threema strong points:

  • Doesn't collect user data (Wire collects some)
  • Has a wider range of cryptographic primitives
  • Can sign up to the app anonymously (Wire not)
  • Can add a contact without needing to trust a directory server (Wire not)
  • User gets notified if a contact's fingerprint changes (Wire only if contact was verified)
  • Personal information (mobile number, contact list, etc.) hashed (Wire not always)
  • Encrypts metadata (Wire not always)
  • Doesn't log timestamps/IP addresses (Wire does some)

Wire strong points:

  • Wire claims to be completely open source, unlike Threema (but according to the user's comment above it's not true - I can't verify unfortunately)
  • Enforces perfect forward secrecy (Threema not)
  • Wire is excluded from iCloud/iTunes & Android backups (Threema messages are encrypted when backed up to the cloud)
  • Has self-destructing messages (Threema not)

Each app offers a slightly different set of settings and some of those might be more crucial than others to you.

igi

Some additional info, which may not address all your points but is aimed specifically at Wire: I had the same type of questions and decided to contact Wire directly. I had a few conf calls and had some questions sent back and forth. Based on that information and what I have found on twitter and the internet (their medium blog for example https://medium.com/@wireapp) I'd say that they try to handle security pretty diligently, but they are not on par with the likes of Signal and perhaps Threema. As I understood it, this is also due to some specific choices they made balancing user friendliness / ease of use and security. For example, I think that non-tech users might more easily adopt Wire than Threema.

Mostly from a Wire perspective: I haven't used Threema but have used Wire for quite a while.

Open source: indeed they're not, and I won't go into the debate of whether or not they should but in my experience open or closed only says something about the business model, not so much about security.

E2E: Wire didn't use E2E before, but from what I found it's not only chats which are E2E but also calls and attachments. (as Wire told me this was an issue a few years ago and seems to be very hard to get the information out there that they changed it).

Regarding business model: as I understood it their backing by VC affords them to offer the app for free now and pivot to a business offering which will be a paid subscription.

Accounts: from my experience Wire could be linked to an account with an email address just fine, no phone number necessary?

user3244085