Grepular

Kik Messenger Insecure

Written 14 years ago by Mike Cardwell

Update: The information on this page is out of date. Kik Messenger now uses SSL for both the login process, and the chat connection. These changes were completed in mid 2011. Kik is no longer “insecure”.

I learnt about Kik Messenger today. It’s like a cross between IM and text messaging. It was launched only a couple of weeks ago and already has a million users. There are clients for Android, iPhone and Blackberry. I decided to take a peek at how the app communicates with the Kik service, so I connected my phone to my Wifi and fired up Wireshark.

Kik has been built using XMPP, without any encryption. I sniffed this off the wire when logging in:

<query xmlns="jabber:iq:register">
  <username>**USERNAME**</username>
  <password hashed="false">**PASSWORD**</password>
  <device-id>**DEVICE-ID**</device-id>
</query>

<query xmlns="jabber:iq:register">
  <node>**USERNAME**_yhm</node>
  <email confirmed="true">**EMAIL-ADDRESS**</email>
  <username>**USERNAME**</username>
  <first>**FIRST-NAME**</first>
  <last>**LAST-NAME**</last>
</query>

I sniffed this when sending a message:

<message type="chat" to="**RECIPIENTS-USERNAME**_wti@talk.kik.com" id="********">
  <body>**THE-PLAIN-MESSAGE-CONTENT**</body>
  <kik push="true" qos="true" timestamp="1289087937787" />
  <request xmlns="kik:message:receipt" r="true" d="true" />
</message>

So anyone listening gets your username, password, full name, email address and the content of your conversations. I personally wouldn’t use Kik over an untrusted network because of this. I’m not completely paranoid though so I’ll happily use it over 3G; just not over an open wifi access point in a public place. If you are going to use Kik over an untrusted network, make sure you use a password which is unique to the service. I’m sure a significant number of people are already using Kik with the same login credentials as they use for Facebook.

I wonder if they even investigated using SSL to encrypt the traffic? I’d also like to know exactly what data they log. Do they log the actual conversation data? I couldn’t find an exact answer in their privacy policy…

UPDATE:

I’ve opened a couple of topics on their GetSatisfaction support page. Feel free to “like” them so they get more attention:

Secure Kik with encryption

OTR for private conversations

UPDATE (June 2011):

Kik 5.1 has just been released and it uses SSL with proper certificate verification

Want to leave a tip?BitcoinMoneroZcashPaypalYou can follow this Blog using RSS or Mastodon. To read more, visit my blog index.