Kik is based on the XMPP protocol. Back in November, I described how they were sending login details in plain text over the network. This was shortly rectified, but the remainder of the communication is still being performed unencrypted. An employee of Kik named Chris Best left a comment on my blog post about how they intended to work end-to-end encryption into their next major release. It is now four months later, and yesterday they released a new version of Kik which supports images and group chat. There is still no encryption.
To me, this says that Kik cares more about new features than securing the privacy of their users and integrity of their messaging infrastructure. And on that note, I have developed a proof of concept application which will insert signatures into Kik messages when they are being sent using your network. Here is an example of the app running on my Linux router:
mike@alfa:~$ sudo ./kiksig.pl --port 12345 --no-repeat 3600 --signature "Sent using Mikes Wifi - https://grepular.com/" Tue Mar 7 22:38:24 2011 Executing: iptables -t nat -I PREROUTING -p tcp -d 220.127.116.11 --dport 5222 -j REDIRECT --to-port 12345 Tue Mar 7 22:38:24 2011 Listening for incoming connections Tue Mar 7 22:38:26 2011 Kik session opened for user MyKikUsername Tue Mar 7 22:39:01 2011 Adding signature to message from MyKikUsername to SomeElsesKikUsername ^CTue Mar 7 22:39:44 2011 Executing: iptables -t nat -D PREROUTING -p tcp -d 18.104.22.168 --dport 5222 -j REDIRECT --to-port 12345The sender does not know that the messages they send using Kik are appended with " -- Sent using Mikes Wifi - https://grepular.com/". When the app starts, or is killed, an appropriate firewall rule is added/removed, which will intercept outgoing Kik connections and pass them to kiksig.pl for processing. kiksig.pl merely forwards the traffic on, but modifies the message body when a message is sent. If you run the app with the --debug argument, you will see the full content of the XMPP conversation, which contains all incoming and outgoing messages in plain text.
If you run a cafe which offers free Wifi, perhaps you'd benefit from adding " -- Sent using the free Wifi at Bobs Cafe on Foo Street" to peoples outgoing Kik messages? Whether or not this is legal, probably depends on your country of residence, and what sort of permission you have obtained from your users.
GTalk, ICQ and Skype all manage to secure their IM traffic with encryption, so why can't Kik? An app which logs both incoming and outgoing Kik messages, and stores any images sent/received would be equally simple to code.
You can download the app from Github here. Run it with no arguments, for usage information.
UPDATE (June 2011):
Kik 5.1 has just been released and it uses SSL with proper certificate verification
If you want to read more stuff like this, follow my blog or check out the rest of my articles: All, Privacy related, Security related, Web related. If you found this article helpful, interesting or entertaining, and wish to donate:If you want to leave a tip: