Wickr vs stef's seven rules of thumb to detect snakeoil

Seth list@sysfu.com
Sun Feb 1 18:57:01 PST 2015


Searched the cpunk archives and was surprised to find no mention of wickr yet.

I thought I'd run it through stef's seven rules of thumb to detect snakeoil so here goes:

* not free software
- Closed source (although audited by Veracode)

* runs in a browser
- no

* runs on a smartphone
- yes

* the user doesn't generate, or exclusively own the private encryption keys
- unsure (displays a message about 'securing your phone using military grade encryption' during first app launch/sign-in; believe local keys are generated during this step.)

* there is no threat model
- (claims to be 'last messaging app standing with no 0days to date', claims nation threat attacks were expected from day one, claims zero knowledge company infrastructure server configuration)

* uses marketing-terminology like "cyber", "military-grade"
- displays message 'securing your phone using military grade encryption' during app setup

* neglects general sad state of host security
- unsure


Additional notes:

- Offers desktop app for Win/OSX/Linux since 2014/12

- https://wickr.com/ appears to require JavaScript to view

- Founder Nico Sell is a long-time Def-Con organizer; founded Def-Con for kids (now called Rootz Asylum) in 2010

- Wickr company infrastructure security audited by iSecPartners
