# Kik Messenger Insecure

**Update:** The information on this page is out of date. Kik Messenger now uses
SSL for both the login process, and the chat connection. These changes were
completed in mid 2011. Kik is no longer "insecure".

I learnt about [Kik Messenger](https://kik.com/) today. It's like a cross
between <abbr title="Instant Messaging">IM</abbr> and text messaging. It was
launched only a couple of weeks ago and already has a million users. There are
clients for Android, iPhone and Blackberry. I decided to take a peek at how the
app communicates with the Kik service, so I connected my phone to my Wifi and
fired up [Wireshark](https://wireshark.org/).

Kik has been built using [XMPP](https://xmpp.org/about/), without any
encryption. I sniffed this off the wire when logging in:

```html
<query xmlns="jabber:iq:register">
  <username>**USERNAME**</username>
  <password hashed="false">**PASSWORD**</password>
  <device-id>**DEVICE-ID**</device-id>
</query>

<query xmlns="jabber:iq:register">
  <node>**USERNAME**_yhm</node>
  <email confirmed="true">**EMAIL-ADDRESS**</email>
  <username>**USERNAME**</username>
  <first>**FIRST-NAME**</first>
  <last>**LAST-NAME**</last>
</query>
```

I sniffed this when sending a message:

```html
<message type="chat" to="**RECIPIENTS-USERNAME**_wti@talk.kik.com" id="********">
  <body>**THE-PLAIN-MESSAGE-CONTENT**</body>
  <kik push="true" qos="true" timestamp="1289087937787" />
  <request xmlns="kik:message:receipt" r="true" d="true" />
</message>
```

So anyone listening gets your username, password, full name, email address and
the content of your conversations. I personally wouldn't use Kik over an
untrusted network because of this. I'm not completely paranoid though so I'll
happily use it over 3G; just not over an open wifi access point in a public
place. If you are going to use Kik over an untrusted network, make sure you use
a password which is unique to the service. I'm sure a significant number of
people are already using Kik with the same login credentials as they use for
Facebook.

I wonder if they even investigated using SSL to encrypt the traffic? I'd also
like to know exactly what data they log. Do they log the actual conversation
data? I couldn't find an exact answer in their privacy policy...

**UPDATE:**

I've opened a couple of topics on their GetSatisfaction support page. Feel free
to "like" them so they get more attention:

[Secure Kik with
encryption](http://getsatisfaction.com/kik/topics/secure_kik_with_encryption)

[OTR for private
conversations](http://getsatisfaction.com/kik/topics/otr_for_private_conversations)

**UPDATE (June 2011)**:

Kik 5.1 has just been released and it uses SSL with proper certificate
verification