Update: The information on this page is out of date. Kik Messenger now uses SSL for both the login process, and the chat connection. These changes were completed in mid 2011. Kik is no longer “insecure”.
I learnt about Kik Messenger today. It’s like a cross between IM and text messaging. It was launched only a couple of weeks ago and already has a million users. There are clients for Android, iPhone and Blackberry. I decided to take a peek at how the app communicates with the Kik service, so I connected my phone to my Wifi and fired up Wireshark.
Kik has been built using XMPP, without any encryption. I sniffed this off the wire when logging in:
<query xmlns="jabber:iq:register">
  <username>**USERNAME**</username>
  <password hashed="false">**PASSWORD**</password>
  <device-id>**DEVICE-ID**</device-id>
</query>
<query xmlns="jabber:iq:register">
  <node>**USERNAME**_yhm</node>
  <email confirmed="true">**EMAIL-ADDRESS**</email>
  <username>**USERNAME**</username>
  <first>**FIRST-NAME**</first>
  <last>**LAST-NAME**</last>
</query>
I sniffed this when sending a message:
<message type="chat" to="**RECIPIENTS-USERNAMEfirstname.lastname@example.org" id="********">
  <body>**THE-PLAIN-MESSAGE-CONTENT**</body>
  <kik push="true" qos="true" timestamp="1289087937787" />
  <request xmlns="kik:message:receipt" r="true" d="true" />
</message>
So anyone listening gets your username, password, full name, email address and the content of your conversations. I personally wouldn’t use Kik over an untrusted network because of this. I’m not completely paranoid though so I’ll happily use it over 3G; just not over an open wifi access point in a public place. If you are going to use Kik over an untrusted network, make sure you use a password which is unique to the service. I’m sure a significant number of people are already using Kik with the same login credentials as they use for Facebook.
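To make the exposure concrete from the defender's side, here is an added example (not code from the post or from Kik) that takes a captured client-to-server fragment and lists every sensitive field that crossed the wire unencrypted, and checks whether a STARTTLS negotiation happened before any of it was sent. The sample capture is constructed to mirror the stanza shapes quoted above; the usernames, host name, ids and password are placeholders, and the stream headers that would normally precede the stanzas are assumed to have been stripped already.

```python
"""Scan a captured XMPP client-to-server fragment for data sent in the clear.

Added example, not the post's or Kik's own code. Assumes the fragment
contains only top-level stanzas (the <stream:stream> header has been
removed), which is what a simple reassembly of the TCP payload gives you.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what a passive observer on the same network would
# see. Every value is a placeholder, not real traffic.
SAMPLE_CAPTURE = """
<query xmlns="jabber:iq:register"><username>alice</username><password hashed="false">PASSWORD-PLACEHOLDER</password><device-id>DEVICE-ID-PLACEHOLDER</device-id></query>
<query xmlns="jabber:iq:register"><node>alice_yhm</node><email confirmed="true">alice@example.org</email><username>alice</username><first>Alice</first><last>Example</last></query>
<message type="chat" to="bob@xmpp-host.example" id="ID-PLACEHOLDER"><body>meet at 6?</body><kik push="true" qos="true" timestamp="1289087937787" /><request xmlns="kik:message:receipt" r="true" d="true" /></message>
"""

# Element names whose text an eavesdropper should never be able to read.
SENSITIVE = ("username", "password", "email", "first", "last", "body")


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def find_cleartext_fields(raw):
    """Return (stanza, field, value) for every sensitive field in the fragment.

    An XMPP stream is not one well-formed document, so the stanzas are
    wrapped in a synthetic root element before parsing.
    """
    root = ET.fromstring("<capture>" + raw + "</capture>")
    found = []
    for stanza in root:
        for elem in stanza.iter():
            name = local_name(elem.tag)
            if name in SENSITIVE and elem.text and elem.text.strip():
                found.append((local_name(stanza.tag), name, elem.text.strip()))
    return found


def starttls_before_sensitive(raw):
    """True if a STARTTLS <proceed/> appears before the first sensitive stanza.

    After <proceed/> the connection switches to TLS, so anything that follows
    it in a capture would be opaque rather than readable XML.
    """
    positions = [i for i in (raw.find("jabber:iq:register"), raw.find("<message"))
                 if i != -1]
    if not positions:
        return True  # nothing sensitive was sent at all
    proceed = raw.find("<proceed")
    return proceed != -1 and proceed < min(positions)


def assess(raw):
    """Summarise what a passive listener on the path could learn."""
    exposed = find_cleartext_fields(raw)
    return {
        "starttls_before_sensitive": starttls_before_sensitive(raw),
        "exposed_count": len(exposed),
        "exposed_kinds": sorted({field for _, field, _ in exposed}),
    }


if __name__ == "__main__":
    for stanza, field, value in find_cleartext_fields(SAMPLE_CAPTURE):
        print(f"cleartext {field} in <{stanza}>: {value}")
    print(assess(SAMPLE_CAPTURE))
```

Run against a real capture, the same check is what you would use to confirm the later fix: once the client negotiates TLS before the register query, the fragment after `<proceed/>` no longer parses as XML and nothing sensitive is reported.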
I’ve opened a couple of topics on their GetSatisfaction support page. Feel free to “like” them so they get more attention:
UPDATE (June 2011):
Kik 5.1 has just been released and it uses SSL with proper certificate verification.