Development of Secure Messaging Apps


Mobile applications have become an integral part of business, opening up new opportunities as well as new threats. While using applications as channels of promotion and sale is an advantage, a company can suffer from application hacking, information leakage, and loss of reputation. In 2019, the global economy lost $2.5 trillion to cybercrime, mainly hacker attacks. This amount includes losses caused by leaks of confidential data, theft of intellectual property, and disruption of business operations.

Confidentiality is the most sensitive topic of the mobile Internet era. Security breaches caused by application flaws are reported regularly. Nothing is safe, not even the messaging applications of the tech giants. Every day, private messages leak onto the Web and accounts are stolen, for reasons ranging from negligent database maintenance to weak passwords. This situation has increased the demand for encrypted messaging apps, also called secure messaging apps.

The principle of operation of secure and classic messaging apps

At least half of the world’s population uses messaging applications. WhatsApp and Facebook Messenger alone have 2 billion and 1.3 billion active users, respectively. And how safe is it to use them for conversations that no one except you and the other party should learn about?


Most popular messaging applications are based on one of two types of messaging protocol:

  1. HTTP plus push notifications. You receive a notification that a message has arrived, and the server delivers it only after you open the application.
  2. The socket-based Extensible Messaging and Presence Protocol (XMPP). This is used more often, since you stay connected to the server the whole time; if the connection is lost, you are switched to offline mode.

Each messaging application has its own goals and objectives, as well as weaknesses affecting its security. Attackers choose applications that process confidential data, which they can then use against the users or companies conducting private or corporate correspondence. Whatever is transmitted in a message, whether text, image, or video, must be reliably protected.

Each messaging application uses its own security methods, but the main difference between secure and classic messaging apps lies in the implementation and the approach to user data. Secure applications became a separate category as awareness grew that communication on the Internet is unsafe, since a third party can gain access to correspondence. There have been cases where large companies used user data, including private messages, for targeted advertising.

End-to-end encryption

The basic principle of secure messaging is end-to-end encryption. For example, the Signal application runs on the cryptographic protocol of the same name, developed by Open Whisper Systems for its first application, TextSecure. This type of encryption uses a multilevel approach, which makes it hard to read the correspondence even with access to the stored data. The Signal Protocol is also used by default in WhatsApp, and as an optional feature in Facebook Messenger (Secret Conversations) and Skype (Private Conversations).

Any secure messaging app is built on the principle of end-to-end encryption, which is as follows:

  • Two users start a dialogue. This event generates 2 sets of keys:
    • a private key (which remains on the user’s device);
    • a public key (stored on the server of the service provider).
  • When the first user writes to the second, the second user’s public key is retrieved and used to encrypt the message so that it can be read only with the matching private key. The message is then sent to the second user via the server and decrypted with that private key.

In this scheme, the data stored on the server is useless in its encrypted form: it looks like a string of letters and numbers that no one can read without the private key. The key is long and randomly generated, so it cannot be guessed or derived from the public key. If the attacker cannot find a way to obtain the private key from the user’s device, the probability of reading the correspondence and extracting information is reduced to zero.
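The scheme described above, as an added example that is not code from the original page or from any messaging product. It uses only the Python standard library: Diffie-Hellman in the 2048-bit MODP group 14 from RFC 3526 for the key pairs, HKDF-SHA256 for key derivation, and a constructed encrypt-then-MAC scheme (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag) standing in for the authenticated cipher a real messenger would take from a vetted library. The `Server`, `Device`, user names and the message are constructed for the illustration; the point is the trust boundary, namely that the server holds only public keys and ciphertext.

```python
"""End-to-end encryption sketch: private keys never leave the device, while the
server stores only public keys and relays ciphertext it cannot read.
Added illustration, not code from any messaging product. Standard library only:
Diffie-Hellman in the 2048-bit MODP group 14 from RFC 3526, HKDF-SHA256, and a
constructed encrypt-then-MAC scheme (HMAC-SHA256 keystream plus HMAC-SHA256 tag)
standing in for the AEAD a real messenger would take from a vetted library."""
import hashlib
import hmac
import secrets

# RFC 3526, section 3: 2048-bit MODP group (group 14); its generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2

def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(my_priv, their_pub):
    """DH shared secret -> 32-byte encryption key followed by 32-byte MAC key."""
    shared = pow(their_pub, my_priv, P).to_bytes(256, "big")
    return hkdf_sha256(shared, salt=bytes(32), info=b"demo-messenger-v1", length=64)

def _keystream(key, nonce, n):
    """Constructed stream cipher: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, plaintext):
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)  # fresh per message, never reused with the same key
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # the blob the server stores and relays

def decrypt(key, blob):
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: message altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Server:
    """Service provider: a public-key directory plus a relay. It holds no private keys."""
    def __init__(self):
        self.public_keys, self.mailbox = {}, {}
    def register(self, user, pub): self.public_keys[user] = pub
    def public_key_of(self, user): return self.public_keys[user]
    def relay(self, recipient, sender, blob):
        self.mailbox.setdefault(recipient, []).append((sender, blob))
    def fetch(self, recipient): return self.mailbox.pop(recipient, [])

class Device:
    """A user's phone: generates the key pair and keeps the private half locally."""
    def __init__(self, user, server):
        self.user, self.server = user, server
        self.priv = secrets.randbits(256)            # never leaves the device
        server.register(user, pow(G, self.priv, P))  # only the public half is uploaded
    def send(self, recipient, text):
        key = derive_key(self.priv, self.server.public_key_of(recipient))
        self.server.relay(recipient, self.user, encrypt(key, text.encode()))
    def receive(self):
        out = []
        for sender, blob in self.server.fetch(self.user):
            key = derive_key(self.priv, self.server.public_key_of(sender))
            out.append((sender, decrypt(key, blob).decode()))
        return out

def demo():
    """Alice writes to Bob; returns what the server held and what Bob read."""
    server = Server()
    alice, bob = Device("alice", server), Device("bob", server)
    alice.send("bob", "meet at 10, bring the contract")  # constructed sample message
    on_server = server.mailbox["bob"][0][1]
    return on_server, bob.receive()
```

Two things the sketch makes visible. First, what the server does see even here: who wrote to whom and when, which is exactly the metadata problem raised later on this page. Second, what a real deployment still has to add: some way for users to verify each other's public keys (otherwise the directory could hand out a substituted key), and per-message key rotation so that a private key stolen later cannot decrypt old traffic, which is what the Signal Protocol's ratcheting provides and a single static key pair does not.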

Deleting messages

The ability to delete messages is another important piece of the puzzle. Although many messaging applications have a delete function, one cannot be 100% sure that messages are deleted from the application’s servers and databases. Only service providers know the truth, and they often do not reveal it. It is known that Facebook and Google store messages from your correspondence. This does not apply to all messaging applications — or at least one can hope so. In any case, the ability to delete messages is a big step towards building a trusting relationship with users.

Metadata is also considered a problematic element for confidentiality, since it can be used to identify users and their credentials. Most messaging applications store message metadata by default: time, sender and recipient, contact list, and device identifier. Hackers can use this information to identify the user and apply social engineering to obtain the decryption key. WhatsApp is an example of an application that stores metadata.

Transparency for secure messaging apps has two sides. On the one hand, the terms of service should state the intention to provide users with a secure platform and privacy protection: correspondence and user data should be private, not open. On the other hand, the real sign of application security is open source code that anyone can test for reliability. This is also an easy way to improve the quality of the application with the help of enthusiastic programmers who are ready to test interesting new products for free.

In total, the value of secure messaging apps rests on 4 principles:

  1. End-to-end encryption.
  2. Ability to delete messages.
  3. Limited use of metadata.
  4. Transparency of service and product.

Polygant specialists are ready to develop the terms of reference for an information security system, taking into account all 4 principles.

Messaging application popularity statistics

Different countries have their own messaging application ratings based on monthly active user statistics. In 169 countries, WhatsApp ranks first, but in 25 countries it has lost the leading position. In 15 of these 25 countries, its sister application Facebook Messenger is the leader, and only in 10 countries does the most popular messaging application not belong to Facebook.

Since the market is so globalised, let’s go from the general to the specific. This is what the global messaging application ranking looks like now:

Global messaging application statistics

Data on the monthly number of active users was compiled at the end of 2019; the figures are in millions.

And here are the top 3 messaging applications in various countries:

Country             | 1st place          | 2nd place          | 3rd place
The United Kingdom  | WhatsApp           | Facebook Messenger | Skype
The United States   | Facebook Messenger | Snapchat           | WhatsApp

Here is an amazing fact: in its domestic market, the world leader WhatsApp is behind both the other Facebook messaging app and a competing app, even though they appeared 2.5 years later.

Popular encrypted messaging apps

As a rule, ratings are compiled without taking application features (protocols, functions) into account, and even without separating secure apps from classic ones. Therefore, to complete the picture and match the topic, we provide verified lists of secure messaging apps, that is, applications that use encryption by default.

The best encrypted messaging apps according to the AVG website (Avast company) as of March 2020:

  1. Signal.
  2. Wickr Me.
  3. Dust.
  4. WhatsApp.
  5. Telegram.

The best encrypted messaging apps according to the TechRadar online publication as of April 2020:

  1. Signal.
  2. WhatsApp.
  3. Telegram.
  4. Threema.
  5. Silence.

We hope that your future messaging application will be included in one of these ratings. And we can start developing it at any time, even right now, if you contact us.

Blockchain messaging applications: why they are useless

Even secure messaging apps face security challenges. Many people already know about blockchain technology and consider it a security solution, so companies try to implement blockchain everywhere. Only then does it turn out that the miracle technology cannot secure absolutely everything, reduce costs, and increase revenue at the same time.

In theory, the blockchain has many fields of application, but in practice it still pays off only in financial services, trade, and production. If you narrow the range of interest to messaging, two obstacles make the trending technology incompatible with messaging applications.

Blockchain needs storage space

The first obstacle when trying to use the blockchain in messaging applications is storage for everything that accompanies sent and received messages. Long gone are the days when a message was only plain text; now it is often photos, voice messages, videos, and documents. All of this needs storage space, which users of non-blockchain applications never have to think about.

The creator of a blockchain messaging application must decide where to place all the data from the messages. After all, a blockchain needs full nodes with a synchronised copy of the ledger. The servers of the messaging application owner can act as full nodes, but then there is no decentralization. Therefore, user devices must assume this role. But would people want to store gigabytes of extraneous information on their devices, especially on smartphones? They have only 32–128 GB of internal memory, and a 256 GB microSDXC card costs around 40 €. Compare that with the following: in May 2020, the size of the Bitcoin blockchain reached 280 GB, and the size of the Ethereum blockchain was 140 GB. This is only transaction information, with no photos, audio or video files. You will have to somehow motivate network participants to keep the blockchain functioning.

Besides, secure messaging apps will have a conflict of interest: the blockchain will store either all messages (including attachments) or the metadata, and you will not be able to delete them. This violates two of the four principles on which security is built.

Blockchain needs validators

The second obstacle is the consensus algorithm, which any blockchain needs to create trust between network participants. It is not enough to distribute the ledger to thousands of devices for storage. Some of them must constantly verify user actions before adding entries to a block. In peer-to-peer payment systems, for example, such actions are cryptocurrency transactions. For validating transactions, miners, stakers, or delegates take a commission; for adding a block to the chain, they receive coins from the system. Validators need an incentive in the form of a reward; otherwise, they have no reason to maintain the network.

If someone finds it interesting to create a secure messaging app on the blockchain, the innovator should be ready to share something with the main participants in the network. Only then will they share their resources and time to validate the messages passing through the network. You will have to create tokenomics where none was originally needed. Everything is interconnected: without payment for actions, validators will not appear; without validators, there will be no trust; without trust, there will not be enough users ready to keep full nodes active.

At the same time, these main participants become the network’s bottleneck. If there are few of them, or if the number of operations per second hits the system’s peak, they will not have time to validate the actions performed by users, which leads to a long delay.

Consider Bitcoin: under ideal conditions, a BTC transaction is validated in 10 minutes — the time needed to create a block. In May 2020, an average of 3.44 transactions per second passed through the Bitcoin network (with no delays). The maximum throughput is 7 transactions per second, so the limit per block is 7 * 60 * 10 = 4200 transactions, and everything above that is queued for the following blocks.

Compare with WhatsApp: in April 2020, an average of 752,000 messages per second was sent via this messaging application. If WhatsApp ran on the Bitcoin blockchain, users would queue for 179 blocks to accommodate that many messages, and instead of one second they would wait 1790 minutes, that is, 1 day 5 hours 50 minutes, for a message to be delivered.

Also, there is still a violation of the privacy principles of secure messaging apps: hundreds of validators and thousands of other network participants will see message metadata. Privacy-minded users are worried that one company (for example, Facebook) owns their data; with a blockchain, the entire network will know when and to whom they sent messages.

What features a secure messenger should offer users

Registration by phone number

Convenience should come first. Since use begins with registration, it becomes easier if people do not have to remember passwords and other information needed to enter the application. Besides, attackers can gain access to an email account, but they are unlikely to gain access to a SIM card.

Deleting messages and account

The ability to delete messages is an integral function that must be present in a secure messaging app. In some applications, you can enable the deletion of messages after a specified period. The same rule may apply to the account: if the user has not logged in to the application within the specified period, the account is deleted automatically along with all its dialogues and other data.
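One way to implement the two timed-deletion rules just described, as an added example that is not code from the original page or from any product. An in-memory store stands in for the database so the sweep runs offline; the policy values (a 24-hour message lifetime, a 365-day account inactivity limit), the account names and the sample messages are all constructed for the illustration.

```python
"""Timed deletion of messages and of inactive accounts.
Added illustration, not code from any product: an in-memory store stands in for
the database so the sweep runs offline. The policy values (24-hour message TTL,
365-day account inactivity limit) and the sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    sender: str
    recipient: str
    sent_at: datetime
    ttl: Optional[timedelta]  # None: kept until the user deletes it explicitly
    body: bytes


@dataclass
class Account:
    name: str
    last_seen: datetime


@dataclass
class Store:
    accounts: Dict[str, Account] = field(default_factory=dict)
    messages: List[Message] = field(default_factory=list)


def sweep(store: Store, now: datetime, inactivity_limit: timedelta) -> Tuple[int, List[str]]:
    """Remove expired messages and accounts unseen for longer than inactivity_limit.

    Deleting an account also removes every dialogue it took part in. Records are
    dropped from the store rather than flagged as deleted, so nothing is left
    behind to leak. Returns (messages removed, names of accounts removed)."""
    inactive = sorted(n for n, a in store.accounts.items() if now - a.last_seen > inactivity_limit)
    for name in inactive:
        del store.accounts[name]
    kept, removed = [], 0
    for m in store.messages:
        expired = m.ttl is not None and now - m.sent_at >= m.ttl
        orphaned = m.sender in inactive or m.recipient in inactive
        if expired or orphaned:
            removed += 1
        else:
            kept.append(m)
    store.messages = kept
    return removed, inactive


def demo() -> Tuple[int, List[str], List[bytes]]:
    """Constructed sample: three accounts, four messages, one sweep."""
    now = datetime(2020, 8, 6, 12, 0, tzinfo=timezone.utc)
    day, hour = timedelta(days=1), timedelta(hours=1)
    store = Store(
        accounts={
            "alice": Account("alice", now - day),
            "bob": Account("bob", now - 2 * day),
            "carol": Account("carol", now - 400 * day),  # inactive for over a year
        },
        messages=[
            Message("alice", "bob", now - 25 * hour, 24 * hour, b"expired"),
            Message("alice", "bob", now - 1 * hour, 24 * hour, b"fresh"),
            Message("bob", "alice", now - 30 * day, None, b"kept"),
            Message("carol", "alice", now - day, None, b"orphaned"),
        ],
    )
    removed, accounts = sweep(store, now, inactivity_limit=365 * day)
    return removed, accounts, [m.body for m in store.messages]
```

The sweep is meant to run on the server on a schedule; the client has to apply the same message lifetime to its local copy, and attachments kept in separate file or object storage need the same cascade, otherwise "deleted" only describes the database row.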

Voice and video calls

There is no need to say much about audio and video calls as a useful complement to text messaging; the purpose and necessity of this method of communication are obvious.

Group chats

By creating secure private chats, users can hold encrypted conversations about personal matters with relatives and friends, and talk business with colleagues and partners. The application will be ideal if the server has no access to any group metadata, including icons, titles, and lists of participants.

Content sharing

The transfer of images, documents, audio and video files is a mandatory function of any messaging application, and it must also be present in secure messaging apps. It is also advisable to add an option not to save received files, or to delete them automatically from the default folder.

What opportunities a secure messenger brings to a business


In business operations, communication has become an important element in maintaining an efficient and dynamic workflow. Since businessmen and their employees are loaded with many tasks, messaging applications have become their main assistants. However, just as they can help, they can also do much harm.

The flow of information on the Internet is always controlled by someone. Data is transmitted through servers from point A to point B and beyond, and communication via a messaging application relies on a third-party service provider. Although the terms of service state that all user data is confidential and therefore untouchable, this data is available to the service provider. This means that theoretically it can be used for purposes other than storing information, since users accept the terms of the agreement. And people usually do not read the terms, or do not notice the cunning wording in which the service representative disclaims responsibility for data confidentiality.

It turns out that using some messaging applications is unsafe because the service provider may be unreliable. It is one thing when the user is compromised, and quite another when the service is. Businessmen should not risk their confidential information.

In this case, your own encrypted messaging app will solve the problem of protecting your data during communication. You can make the application private: registration will be available only at the invitation of an existing user or a specific person. You will store data on your server, and you will be able to completely delete it at any time. You will control the information flow in your messaging application.

Cost of creating an encrypted messaging app

Developing a secure messaging app is a complex and time-consuming process. You cannot gather a crowd of inexpensive freelancers and complete the task in a few days. The back end of such an application has special nuances, and only a competent approach can simplify the process and reduce the development time and cost. It all depends on the technology stack used and the features being implemented.

For this work, you need a qualified team of developers and testers. Professionals will make sure that communication and the handling of business issues in the messaging application are 100% confidential, and that information does not leak into the wrong hands.

If the application is developed not for a narrow circle of users but for the whole world, then you need to plan more broadly and further ahead. For your new messaging application to be noticed, you will need a unique business model, a convenient and friendly user interface, and a well-developed marketing plan.

The creation of a secure messaging app consists of the following stages:

  1. Writing a technical specification (if you do not have one) — from 50 hours.
  2. Business analysis and specification — from 40 hours.
  3. UI and UX design — about 150 hours.
  4. Back-end development — over 500 hours, depending on the required functionality of the application and the number of platforms (OS).
  5. Mobile application development — more than 320 hours.
  6. Testing — about 250 hours, depending on the number of platforms and functionality.

Based on these figures, the approximate cost of an MVP of the application starts at $50,000 and rises depending on factors that complicate the work. You should also take into account in advance that after development is completed, the messaging application still needs support: fixing possible errors, refining it and implementing new functions. Such post-release service is paid separately.

Polygant has been creating messaging apps for various platforms for 10 years. We can develop unique secure applications, always take into account the wishes of customers, and adapt to the specifics of the activity. Send a request and after a detailed discussion, we will immediately start working on your project!

06 August 2020
