Kik Messenger is an app for Android and iPhone that was launched late last year. It works similar to SMS and BlackBerry’s BBM service. It allows you to send messages to other Kik users for free. I have written an application which will allow you to add signatures to peoples outgoing Kik messages when they are using your Wifi.
Kik is based on the XMPP protocol. Back in November, I described how they were sending login details in plain text over the network. This was shortly rectified, but the remainder of the communication is still being performed unencrypted. An employee of Kik named Chris Best left a comment on my blog post about how they intended to work end-to-end encryption into their next major release. It is now four months later, and yesterday they released a new version of Kik which supports images and group chat. There is still no encryption.
To me, this says that Kik cares more about new features than securing the privacy of their users and integrity of their messaging infrastructure. And on that note, I have developed a proof of concept application which will insert signatures into Kik messages when they are being sent using your network. Here is an example of the app running on my Linux router:
mike@alfa:~$ sudo ./kiksig.pl --port 12345 --no-repeat 3600 --signature "Sent using Mikes Wifi - https://grepular.com/" Tue Mar 7 22:38:24 2011 Executing: iptables -t nat -I PREROUTING -p tcp -d 18.104.22.168 --dport 5222 -j REDIRECT --to-port 12345 Tue Mar 7 22:38:24 2011 Listening for incoming connections Tue Mar 7 22:38:26 2011 Kik session opened for user MyKikUsername Tue Mar 7 22:39:01 2011 Adding signature to message from MyKikUsername to SomeElsesKikUsername Tue Mar 7 22:39:44 2011 Executing: iptables -t nat -D PREROUTING -p tcp -d 22.214.171.124 --dport 5222 -j REDIRECT --to-port 12345
The sender does not know that the messages they send using Kik are appended with “ – Sent using Mikes Wifi - https://grepular.com/". When the app starts, or is killed, an appropriate firewall rule is added/removed, which will intercept outgoing Kik connections and pass them to kiksig.pl for processing. kiksig.pl merely forwards the traffic on, but modifies the message body when a message is sent. If you run the app with the –debug argument, you will see the full content of the XMPP conversation, which contains all incoming and outgoing messages in plain text.
If you run a cafe which offers free Wifi, perhaps you’d benefit from adding “ – Sent using the free Wifi at Bobs Cafe on Foo Street” to peoples outgoing Kik messages? Whether or not this is legal, probably depends on your country of residence, and what sort of permission you have obtained from your users.
GTalk, ICQ and Skype all manage to secure their IM traffic with encryption, so why can’t Kik? An app which logs both incoming and outgoing Kik messages, and stores any images sent/received would be equally simple to code. You can download the app from Gitlab here. Run it with no arguments, for usage information.
UPDATE (June 2011):
Kik 5.1 has just been released and it uses SSL with proper certificate verification.