Secure Messaging App Wire Stores Everyone You've Ever Contacted in Plain Text
The decision is seemingly a trade-off for usability across multiple devices.
The secure messaging marketplace is pretty saturated right now. You've got apps like Signal, which typically put privacy first, and then giants like WhatsApp, which have added end-to-end encryption to their already established products. Even though many aim to do roughly the same thing—let users communicate securely—there's still a lot of variety between these apps.
In the case of Wire, a messaging app available for iOS, Android, and desktop devices, the company has decided to keep a list of all the users a customer contacted until they delete their account.
To be clear, this isn't necessarily a security concern everyone needs to worry about: it depends on your own threat level, Wire users don't have to use a phone number to sign up, and clearly Wire has made a decision to store customer data like this. But, for some users, it may be something they want to bear in mind.
"Hey Wire, why does your database schema include plaintext storage of threads between users?" security researcher Thomas H. Ptáček tweeted on Wednesday, with a link to some of Wire's code (Wire is open source).
The reasoning, judging by a Wire tweet in response, was to help with syncing conversations across multiple devices (something that Signal, for the sake of comparison, is currently quite sloppy at).
Wire CEO and co-founder Alan Duric confirmed to Motherboard in an email that this list of people users have communicated with is kept until a user deletes their account.
"All connections, email and/or phone number and username are removed from Wire servers when an account is deleted," he wrote.
Wire may change its approach, however.
"We are specifically exploring alternative ways to handle connections between users in the context of multi-device messaging," Duric added.
Regardless, some may wish to sacrifice convenience for the knowledge that potentially interesting metadata about their conversations isn't being stored until they wipe their Wire account.
"Keeping all conversation metadata in a database forever does not seem like a great plan," Matthew Green, assistant professor at Johns Hopkins University, told Motherboard.