I learnt about Kik Messenger today. It's like a cross between IM and text messaging. It was launched only a couple of weeks ago and already has a million users. There are clients for Android, iPhone and Blackberry. I decided to take a peek at how the app communicates with the Kik service, so I connected my phone to my Wi-Fi and fired up Wireshark.
Kik has been built using XMPP, without any encryption. I sniffed this off the wire when logging in:
<query xmlns="jabber:iq:register">
  <username>USERNAME</username>
  <password hashed="false">PASSWORD</password>
  <device-id>DEVICE-ID</device-id>
</query>
<query xmlns="jabber:iq:register">
  <node>USERNAME_yhm</node>
  <email confirmed="true">EMAIL-ADDRESS</email>
  <username>USERNAME</username>
  <first>FIRST-NAME</first>
  <last>LAST-NAME</last>
</query>

I sniffed this when sending a message:
<message type="chat" to="RECIPIENTS-USERNAME_wti@talk.kik.com" id="********">
  <body>THE-PLAIN-MESSAGE-CONTENT</body>
  <kik push="true" qos="true" timestamp="1289087937787" />
  <request xmlns="kik:message:receipt" r="true" d="true" />
</message>

So anyone listening gets your username, password, full name, email address and the content of your conversations. I personally wouldn't use Kik over an untrusted network because of this. I'm not completely paranoid though, so I'll happily use it over 3G; just not over an open Wi-Fi access point in a public place. If you are going to use Kik over an untrusted network, make sure you use a password which is unique to the service. I'm sure a significant number of people are already using Kik with the same login credentials as they use for Facebook.
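To make the exposure concrete, here is an added example (my own code, not part of the original post or anything from Kik) that takes a capture of XMPP stanzas like the ones above and reports which sensitive fields crossed the wire unprotected: a registration password whose `hashed` attribute is not `"true"`, the identity fields in the `jabber:iq:register` queries, and the body of any chat message. The sample capture is constructed from the post's placeholder values; in a real Wireshark export the `message` element would also carry the `jabber:client` namespace, which the helper tolerates by matching on local names.

```python
"""Scan a capture of XMPP stanzas for credentials and content sent in the clear."""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the stanzas quoted in the post (placeholder values,
# not a real capture).
SAMPLE_CAPTURE = """
<query xmlns="jabber:iq:register">
  <username>USERNAME</username>
  <password hashed="false">PASSWORD</password>
  <device-id>DEVICE-ID</device-id>
</query>
<query xmlns="jabber:iq:register">
  <node>USERNAME_yhm</node>
  <email confirmed="true">EMAIL-ADDRESS</email>
  <username>USERNAME</username>
  <first>FIRST-NAME</first>
  <last>LAST-NAME</last>
</query>
<message type="chat" to="RECIPIENTS-USERNAME_wti@talk.kik.com" id="********">
  <body>THE-PLAIN-MESSAGE-CONTENT</body>
  <kik push="true" qos="true" timestamp="1289087937787" />
  <request xmlns="kik:message:receipt" r="true" d="true" />
</message>
"""

REGISTER_NS = "jabber:iq:register"
IDENTITY_FIELDS = ("username", "email", "first", "last")


def localname(tag):
    """Strip an ElementTree '{namespace}' prefix so stanzas match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def namespace(tag):
    """Return the namespace part of an ElementTree tag, or '' if there is none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def child(element, name):
    """First direct child whose local name is `name`, regardless of namespace."""
    for el in element:
        if localname(el.tag) == name:
            return el
    return None


def parse_stanzas(capture):
    """A sniffed XMPP stream is a sequence of top-level elements, not one document,
    so wrap it in a dummy root before parsing."""
    root = ET.fromstring("<capture>" + capture + "</capture>")
    return list(root)


def find_exposures(capture):
    """Return (kind, value) pairs for every sensitive field found unprotected."""
    findings = []
    for stanza in parse_stanzas(capture):
        name = localname(stanza.tag)
        if name == "query" and namespace(stanza.tag) == REGISTER_NS:
            pw = child(stanza, "password")
            # hashed="false" (or a missing attribute) means the raw password is on the wire
            if pw is not None and pw.get("hashed", "false") != "true":
                findings.append(("cleartext-password", pw.text))
            for field in IDENTITY_FIELDS:
                el = child(stanza, field)
                if el is not None and el.text:
                    findings.append(("identity:" + field, el.text))
        elif name == "message":
            body = child(stanza, "body")
            if body is not None and body.text:
                findings.append(("plaintext-body", body.text))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'cleartext-password': 1, ...}."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, value in find_exposures(SAMPLE_CAPTURE):
        print(f"{kind:20s} {value}")
```

Run against a real export, the same scan is a quick way to check whether an app's transport actually protects what it claims to; on a capture taken after Kik's move to SSL the parser would see no stanzas at all, because the XML is no longer visible.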
I've opened a couple of topics on their GetSatisfaction support page. Feel free to "like" them so they get more attention:
Secure Kik with encryption
OTR for private conversations
UPDATE (June 2011):
Kik 5.1 has just been released and it uses SSL with proper certificate verification.
If you need a freelancer or some consulting, you'll find me at Cardwell IT Ltd.