Mobile app security: Using end2end encryption for protecting mobile messengers
How it all began
Today, with so many hacker attacks and cracked applications, data security and privacy take center stage. Only a few years ago there was no evidence that a third party really existed and that users' personal data was actually being viewed.
However, after the Edward Snowden case, the entire world became concerned about ensuring mobile app security and establishing strong safeguards. At the moment, end2end encryption (E2EE) is the most reliable and advanced way of protecting user data, which is of special significance when developing mobile messengers.
For instance, the famous messenger WhatsApp (which belongs to Facebook) implemented end2end encryption in 2016, making it impossible for governments and security services to view user information. In the same year, Viber also decided to add E2EE in order to provide data security and privacy. But what does end2end encryption actually mean?
How does E2EE work
End-to-end encryption is a scheme in which devices exchange encrypted information and servers take no part in encrypting or decrypting it. In that sense the communication is direct: no intermediary can read the content, and all the data, including messages, calls, images, and video, is fully encrypted.
E2EE means that only the people (devices) involved in the communication have the keys for both encrypting and decrypting messages. So, only the users participating in a chat (one-to-one or group) are able to read the messages or hear the calls exchanged between them.
In other words, files and emails still pass through multiple third-party services, but since the data is fully encrypted, it is completely unreadable to those services. Hence, only the end user is able to read the information.
Companies that own mobile messengers should take into account the price they pay for using end2end encryption: by implementing E2EE, they give up the ability to collect data about their users.
An encryption algorithm is a mathematical process that converts information into unintelligible data strings.
The source data is often called open text or plaintext. Interestingly, it doesn't matter to the encryption process what the information is: real text or another kind of data. Similarly, the encrypted information is called encrypted text, but as a rule it doesn't look like ordinary text.
More precisely, the encryption process looks as follows: the open text is fed into an encryption mechanism, which produces the encrypted text.
It should also be noted that an encryption mechanism may even be a mechanical device like Enigma, the famous cipher machine used during the Second World War. Nowadays, however, almost all encryption mechanisms are computer programs.
Public key encryption
Public key encryption is based on two keys: a public one and a private one. The first key (public) is used for encrypting messages and the second (private) for decrypting them.
An advantage is that a public key can be freely distributed, so everyone to whom you give your public key can send you an encrypted message. And since only you possess the private key, only you can decrypt the message.
Public key algorithms have other advantages too. For instance, they make it possible to transfer the public key through unprotected channels without worrying that it will be read by a third party.
Nevertheless, private-key (symmetric) systems, in which both sides share one secret key, are still used everywhere. You can also often find a hybrid system, where the public key algorithm is used to transmit such a private key, which is then used to exchange data until the end of the communication.
This complexity is compensated by the fact that algorithms with a private key work three times faster than public key algorithms.
How we encrypted RealSmile chat
In the RealSmile chat mobile messenger, we used end2end encryption to ensure complete user data security and privacy. For that, we used the RSA encryption algorithm, the most famous public key algorithm, published in 1978.
The client program (iOS/Android) generates a public and a private key for each registered user. The public key is sent to the server, while the private one is stored on the client.
When creating an encrypted chat, we get the public key of a chat participant in order to encrypt the messages that we will send to him or her. At the same time, the user also receives a public key that can be given to other users.
Then we create a message, encrypt it with that generated public key and send it to the server. After that, the server sends the message to the chat participant, who can decrypt it with the private key stored only on his or her device. This way, all data exchanges are fully protected.
The end2end encryption, implemented in RealSmile, works according to the following rules:
- Encrypted messages are transmitted via a communication channel (via the HTTP protocol).
- A private key is stored on the user device only.
- The server stores public keys only. It is impossible to decrypt messages with a public key (you need both keys).
- When the mobile app is deleted, the private keys are deleted too, and it becomes impossible to read messages received earlier. When a user reinstalls the application, the encryption keys are generated again.
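The hybrid scheme described under "Public key encryption", applied to the key-handling rules listed above, as an added example that is not RealSmile's code: RSA-OAEP wraps a one-time AES-256-GCM key instead of encrypting the message with RSA directly, since RSA on its own only fits short messages. The names `Device`, `serverDirectory`, `seal`, `open` and `runDemo`, and the in-memory stand-in for the server, are assumptions.

```javascript
// Added example, not RealSmile code. Device, serverDirectory, seal, open and
// runDemo are hypothetical names; the server is modelled as an in-memory Map.
const crypto = require('crypto');
const serverDirectory = new Map(); // server side: userId -> public key (PEM) only

class Device {
  constructor(userId) { this.userId = userId; this.install(); }
  // (Re)install: generate a fresh key pair and publish only the public half.
  install() {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.privateKey = privateKey; // never leaves the device
    serverDirectory.set(this.userId, publicKey.export({ type: 'spki', format: 'pem' }));
  }
  // Sender: encrypt the text with a one-time AES-256-GCM key, then wrap that
  // key with the recipient's public key fetched from the server (RSA-OAEP).
  seal(recipientId, text) {
    const key = crypto.randomBytes(32);
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
    const wrappedKey = crypto.publicEncrypt(
      { key: serverDirectory.get(recipientId), oaepHash: 'sha256' }, key);
    return { to: recipientId, wrappedKey, iv, body, tag: cipher.getAuthTag() };
  }
  // Recipient: unwrap the AES key with the private key, then decrypt and verify.
  open(envelope) {
    const key = crypto.privateDecrypt(
      { key: this.privateKey, oaepHash: 'sha256' }, envelope.wrappedKey);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
    decipher.setAuthTag(envelope.tag);
    return Buffer.concat([decipher.update(envelope.body), decipher.final()]).toString('utf8');
  }
}

// Constructed scenario: alice -> server relay -> bob, then bob reinstalls the app.
function runDemo(text) {
  const alice = new Device('alice');
  const bob = new Device('bob');
  const relayed = alice.seal('bob', text); // all the server ever holds
  const received = bob.open(relayed);
  bob.install();                           // old private key is gone
  let readableAfterReinstall = true;
  try { bob.open(relayed); } catch { readableAfterReinstall = false; }
  const serverSawPlaintext = relayed.body.includes(Buffer.from(text, 'utf8'));
  return { received, readableAfterReinstall, serverSawPlaintext };
}
```

After the simulated reinstall the relayed envelope can no longer be opened, which is the behaviour the last rule describes; an app that needs message history to survive a reinstall has to plan a key backup separately.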
Today, end2end encryption is without any doubt the most reliable way of establishing safeguards and ensuring data security and privacy.