Wire, a messaging application co-founded by former Skype, Microsoft, and Apple employees, and backed by Skype co-founder Janus Friis, has had its first independent security audit. According to the auditing firms Kudelski Security and X41 D-Sec, Wire has “high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs.”
Wire’s Reverse Engineered Axolotl Protocol
Axolotl was the end-to-end encryption protocol invented by Trevor Perrin and Moxie Marlinspike from the Open Whisper Systems nonprofit that makes the Signal (former TextSecure) private messaging app.
Wire implemented its own version of the protocol to avoid some licensing issues and rewrote its implementation in the Rust programming language--the same memory-safe language that’s developed by Mozilla and will be adopted in future versions of Firefox. The company called its own implementation of the Axolotl double-ratchet protocol “Proteus.”
Results Of The Wire Security Audit
Two security companies, Kudelski Security and X41 D-Sec, were asked to audit Wire’s protocol implementation, which included Proteus, the Cryptobox API, and its C-wrapper, Cryptobox-C. Cryptobox is a higher-level API that hides the complexity of Proteus and makes it easier for developers to work with the app.
The CoffeeScript (a programming language that compiles to JavaScript) counterparts of Proteus and Cryptobox, which are used in the Wire web app, were also reviewed. That means all implementations of the protocol that cover the iOS, Android, macOS, Windows, Linux, and the web platforms, were reviewed.
As it happens with most if not all security audits, some vulnerabilities were found in Wire’s protocol implementation. However, most are low-severity, and only a handful are medium severity. There were no high or critical severity vulnerabilities found, which is good news for the Wire app and its users.
The Wire team said that the Android and iOS apps have already been updated to include fixes for the vulnerabilities that were found, and it’s also in the process of fixing the web and desktop applications. The company also said that its client code is already open source, and the server code will be made open source by the end of Q1 2017. It also promised that every new major release of Wire will be accompanied by an independent security audit.
