Kik sends passwords and messages without encryption: Update – passwords are encrypted


Kik, the popular and free messaging service which has just arrived on Windows Phone 7 is a great service that works very well.

Rafael Rivera from WithinWindows has, however, analysed the data flowing from the app to the internet and discovered that the software sends everything, including passwords and messages, in plain text.

This means that when you are on Wi-Fi at work or in a cafe, for example, anyone running a network analyser on the same network will be able to read your messages and obtain your full name, user name, email address and password, and could possibly even impersonate you.
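The kind of check Rivera's analysis amounts to, written up as an added example that is not code from the original post, from WithinWindows or from Kik: a small Python audit that parses captured HTTP requests and flags sensitive fields (password, user name, email, message body) that travel over plain HTTP instead of TLS. The captures, the host name and the list of sensitive field names are constructed for illustration; this is the sort of test an app developer would run against their own client's traffic before shipping it.

```python
"""Audit captured HTTP requests for sensitive fields sent without TLS.

Added example, not code from the original post or from Kik/WithinWindows.
The captures below are constructed sample data, not real Kik traffic.
"""
import json
from urllib.parse import parse_qs

# Field names that should never leave a device without transport encryption
# (constructed list; extend it to match the app being audited).
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "username", "email", "message", "body"}

# Constructed sample captures: (destination port, raw request bytes).
# Port 443 stands in for a TLS session whose payload a passive observer cannot read;
# port 80 is a plaintext HTTP request exactly as a network analyser would show it.
SAMPLE_CAPTURES = [
    (80, b"POST /api/login HTTP/1.1\r\nHost: example.invalid\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=alice&password=hunter2&email=alice%40example.invalid"),
    (80, b"POST /api/send HTTP/1.1\r\nHost: example.invalid\r\n"
         b"Content-Type: application/json\r\n\r\n"
         b'{"to": "bob", "message": "meet at 5"}'),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # opaque TLS record fragment
    (80, b"GET /status HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Returns None when the bytes are not a readable HTTP request (for example
    a TLS record, which is what an observer sees when encryption is used)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def extract_fields(headers, body):
    """Decode a form-encoded or JSON body into a flat dict of field -> value."""
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body).items()}
    if ctype.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return {}


def audit_captures(captures):
    """Return (path, field) for every sensitive field that was sent in the clear."""
    findings = []
    for port, raw in captures:
        if port == 443:
            continue  # TLS: the payload is opaque to a passive observer, nothing to flag
        parsed = parse_http_request(raw)
        if parsed is None:
            continue
        _method, path, headers, body = parsed
        for field in extract_fields(headers, body):
            if field.lower() in SENSITIVE_FIELDS:
                findings.append((path, field))
    return findings


if __name__ == "__main__":
    for path, field in audit_captures(SAMPLE_CAPTURES):
        print(f"cleartext {field!r} sent to {path}")
```

Run against the constructed captures, the audit reports the user name, password and email from the login request and the message body from the send request, while the TLS session produces nothing because its payload cannot be parsed. That is the difference between the behaviour described above and what a client with transport encryption exposes to someone on the same network.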

This is apparently a flaw which has existed for at least a year, suggesting the company does not really care about security.

If our readers are similarly unconcerned, the app apparently works very well, but users should be cautioned never to use it for anything resembling work.

Update:

Corry from Kik responds:

Hi Surur, Corry from Kik here. As I just posted on WithinWindows, we are aware of this issue and plan to add WP7 message encryption in a future release. We want to reiterate that the password is not being sent in clear-text, and that our Android and iPhone clients feature full SSL encryption (login info + messages). Thx!

It appears on further investigation that Corry is right, and passwords are in fact encrypted. While this still leaves a lot of information exposed and leaves a user open to eavesdropping, it is no worse than an unencrypted email conversation, and it removes the much more dangerous risk of having an account stolen and someone else impersonating you.
