Kik Messenger Insecure

Published @Sun, 7th Nov 2010
Update: The information on this page is out of date. Kik Messenger now uses SSL for both the login process and the chat connection. These changes were completed in mid 2011. Kik is no longer "insecure".

I learnt about Kik Messenger today. It's like a cross between IM and text messaging. It was launched only a couple of weeks ago and already has a million users. There are clients for Android, iPhone and Blackberry. I decided to take a peek at how the app communicates with the Kik service, so I connected my phone to my Wifi and fired up Wireshark.

Kik has been built using XMPP, without any encryption. I sniffed this off the wire when logging in:
<query xmlns="jabber:iq:register">
    <username>USERNAME</username>
    <password hashed="false">PASSWORD</password>
    <device-id>DEVICE-ID</device-id>
</query>

<query xmlns="jabber:iq:register">
    <node>USERNAME_yhm</node>
    <email confirmed="true">EMAIL-ADDRESS</email>
    <username>USERNAME</username>
    <first>FIRST-NAME</first>
    <last>LAST-NAME</last>
</query>
I sniffed this when sending a message:
<message type="chat" to="RECIPIENTS-USERNAME_wti@talk.kik.com" id="********">
    <body>THE-PLAIN-MESSAGE-CONTENT</body>
    <kik push="true" qos="true" timestamp="1289087937787" />
    <request xmlns="kik:message:receipt" r="true" d="true" />
</message>
So anyone listening gets your username, password, full name, email address and the content of your conversations. I personally wouldn't use Kik over an untrusted network because of this. I'm not completely paranoid though so I'll happily use it over 3G; just not over an open wifi access point in a public place. If you are going to use Kik over an untrusted network, make sure you use a password which is unique to the service. I'm sure a significant number of people are already using Kik with the same login credentials as they use for Facebook.
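The stanzas above are exactly what a passive observer on the same network sees when an XMPP client never negotiates STARTTLS. As an added example (not code from the original post or from Kik), the following Python script walks a captured sequence of stanzas in wire order and reports which sensitive fields crossed the wire before a TLS `<proceed/>` was seen; it never records the values themselves, only the element names and the `hashed` attribute on the password. The sample stanzas are constructed from the shapes shown in the post with placeholder values, and the TLS-negotiating variant is a hypothetical fixed client, not observed traffic.

```python
# Added example, not part of the original post: passive audit of an XMPP
# session for sensitive elements sent before STARTTLS completed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"   # STARTTLS namespace (RFC 6120)
SENSITIVE = {"password", "username", "email", "first", "last", "body"}


@dataclass(frozen=True)
class Finding:
    stanza: str      # local name of the top-level element (query, message)
    field: str       # local name of the sensitive child element
    cleartext: bool  # True if no TLS <proceed/> preceded this stanza
    note: str = ""   # extra detail about the element, never its value


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _ns(tag: str) -> str:
    """Return the namespace URI of a qualified tag, or "" if it has none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def audit_stream(stanzas):
    """Return one Finding per sensitive element, in wire order.

    `stanzas` is an iterable of well-formed XML stanza strings as they
    appeared on the wire. Once a TLS <proceed/> is seen, every later
    stanza is considered encrypted from the observer's point of view.
    """
    tls_active = False
    findings = []
    for raw in stanzas:
        root = ET.fromstring(raw)
        if _ns(root.tag) == TLS_NS and _local(root.tag) == "proceed":
            tls_active = True        # handshake follows; rest is ciphertext
            continue
        for el in root.iter():
            name = _local(el.tag)
            if el is root or name not in SENSITIVE:
                continue
            note = ""
            if name == "password":
                # Flag whether the client even claims to hash the password.
                note = "hashed=" + el.get("hashed", "unspecified")
            findings.append(Finding(_local(root.tag), name, not tls_active, note))
    return findings


def cleartext_fields(findings):
    """Sorted, de-duplicated names of fields that crossed the wire unencrypted."""
    return sorted({f.field for f in findings if f.cleartext})


# Constructed sample: the stanzas shown in the post, with placeholder
# values, as a passive observer sees them when no STARTTLS exchange occurs.
SAMPLE_NO_TLS = [
    '<query xmlns="jabber:iq:register"><username>USERNAME</username>'
    '<password hashed="false">PASSWORD</password>'
    '<device-id>DEVICE-ID</device-id></query>',
    '<query xmlns="jabber:iq:register"><node>USERNAME_yhm</node>'
    '<email confirmed="true">EMAIL-ADDRESS</email><username>USERNAME</username>'
    '<first>FIRST-NAME</first><last>LAST-NAME</last></query>',
    '<message type="chat" to="RECIPIENT_wti@talk.kik.com" id="1">'
    '<body>THE-PLAIN-MESSAGE-CONTENT</body>'
    '<kik push="true" qos="true" timestamp="1289087937787" />'
    '<request xmlns="kik:message:receipt" r="true" d="true" /></message>',
]

# Hypothetical fixed client: same session after a successful STARTTLS
# negotiation, so the observer sees only the TLS exchange in cleartext.
SAMPLE_WITH_TLS = [
    f'<starttls xmlns="{TLS_NS}"/>',
    f'<proceed xmlns="{TLS_NS}"/>',
] + SAMPLE_NO_TLS


if __name__ == "__main__":
    for f in audit_stream(SAMPLE_NO_TLS):
        state = "CLEARTEXT" if f.cleartext else "encrypted"
        print(f"{state:9} {f.stanza}/{f.field} {f.note}")
    print("exposed fields:", cleartext_fields(audit_stream(SAMPLE_NO_TLS)))
```

Run against the no-TLS sample it lists username, password (with `hashed=false`), email, first, last and the message body as cleartext; run against the STARTTLS variant every finding is marked encrypted and the exposed-field list is empty. The same walk can be fed stanzas reassembled from a real capture to check whether a client's login and chat traffic are protected.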

I wonder if they even investigated using SSL to encrypt the traffic? I'd also like to know exactly what data they log. Do they log the actual conversation data? I couldn't find an exact answer in their privacy policy...

UPDATE:

I've opened a couple of topics on their GetSatisfaction support page. Feel free to "like" them so they get more attention:

Secure Kik with encryption
OTR for private conversations

UPDATE (June 2011):

Kik 5.1 has just been released and it uses SSL with proper certificate verification.
