I've implemented Chat function for my app. Since I'm a security noob what is the preferred way of encrypting the messages End-to-end maybe?

I'm definitely not leaving them as plain text :)

  • 3
    Rsa pub/private key pairs generated on both clients, they exchange public keys, encrypt their messages with each others public key, then send thr payload and decrypt with their own private key.

    Its your job to now think about how your going to solve the issue of reinstalling device or logging into another device. (For each session, you could generate new pairs and not store them)
  • 2
    What language/framework are you using?

    With crypto, it's usually best to not roll your own. Especially the hybrid encryption algorithm needed for e2e, but to a lesser extent also the negotiation & packaging which glues asymmetric key exchange & symmetric content encryption together.

    It's fun to play with custom algorithms, but for production systems its also too easy to make fatal mistakes, so use existing and trusted code.

    You could take a peek at https://github.com/google/...
    for one implementation. It's a solid and well thought out implementation from Google, although JS crypto is still young, but it might give you some insights.

    For mobile apps there's Twillio, which is used by Airbnb, Dell, Salesforce, Twitch, Twitter, etc — its basically a paid plug and play encrypted chat API. Of course, they're not nice enough to share their full code with everyone.
  • 0
    I'm using ASP. Net Core for my backend. Ok thanks for your answers I have now a rough idea.
  • 0
    I did this with a Firebase backend. Works like a charm.
    Checkout 'Socio' on Playstore.
Add Comment