Ahoy Back4app community!
We’re the crypto tech behind Twilio’s End-to-End Encrypted Messaging. Our friends @ Back4app asked us to show you how to build an End-to-End Encrypted chat app on top of Back4app.
In this post, we’ll walk you through the steps to make Back4app Android Simple Messenger app End-to-End Encrypted! Are you ready?
PS: If you don’t care about the details, simply skip to the practice part.
First, let’s start with a quick refresher of what E2EE (End-to-End Encryption) is and how it works. E2EE is simple: when you type in a chat message, it gets encrypted on your mobile device (or in your browser) and gets decrypted only when your chat partner receives it and wants to display it in chat window.
The message remains encrypted while it travels over Wi-Fi and the Internet, through the cloud / web server, into a database, and on the way back to your chat partner. In other words, none of the networks or servers have a clue of what the two of you are chatting about.
What’s difficult in End-to-End Encryption is the task of managing the encryption keys in a way that only the users involved in the chat can access them and nobody else. And when I write “nobody else”, I really mean it: even insiders of your cloud provider or even you, the developer, are out; no accidental mistakes or legally enforced peeking are possible. Writing crypto, especially for multiple platforms is hard: generating true random numbers, picking the right algorithms, and choosing the right encryption modes are just a few examples that make most developers wave their hands in the air and end up just NOT doing it.
This blog post will show you how to ignore all these annoying details and quickly and simply add End-to-End Encryption using Virgil E3Kit.
For an intro, this is how we’ll upgrade Back4app’s messenger app to be End-to-End Encrypted:
- During sign-up: we’ll generate the individual private & public keys for new users (remember: the recipient's public key encrypts messages and the matching recipient's private key decrypts them).
- Before sending messages, you’ll encrypt and sign chat messages with the recipient's public key.
- After receiving messages, you’ll verify anf decrypt chat messages with the recipient's private key.
We’ll publish the users’ public keys to Virgil Cards Service so that chat users are able to look up each other and able to encrypt messages for each other. The private keys will stay on the user devices.
Keep it simple
This is the simplest possible implementation of E2EE chat and it works perfectly for simple chat apps between 2 users where conversations are short-lived and it's okay to lose the message history if a device is lost with the private key on it.
- Sign up for a Back4app account and create a new app (Note: this demo is for Parse 3 server version);
- Sign up for a Virgil Security account (we’ll create the app later)
- You’ll need Android Studio for the coding work, we used 3.0.1.
- Find
main.js
andpackage.json
inscripts
directory; - Open
main.js
with your favorite editor.
If you don't have an account yet, sign up for one.
- Open Back4App “Dashboard” of your app -> “App Settings” -> “Security & Keys”;
- Replace
PARSE_APP_ID
with yourApplication ID
andPARSE_REST_API_KEY
with yourREST API key
;
const PARSE_APP_ID = "YOUR_PARSE_APP_ID";
const PARSE_REST_API_KEY = "YOUR_PARSE_REST_API_KEY";
If you don't have an account yet, sign up for one.
- Create an application on Virgil dashboard:
const APP_ID = "YOUR_VIRGIL_APP_ID";
const APP_KEY = "YOUR_VIRGIL_APP_KEY";
const APP_KEY_ID = "YOUR_VIRGIL_APP_ID";
- Open Back4App “Dashboard” of your app -> “Core” -> Cloud code functions;
- Click
+ADD
and select yourmain.js
andpackage.json
(fromscripts
directory), after that move both of them to thecloud
folder; - Click
DEPLOY
;
Don't forget to setup Back4App cloud code function first. It is a mandatory part of this demo. After this, go through the following steps:
- Open Android Studio -> File -> New -> Project from Version Control -> Git
- Git Repository URL: https://github.com/VirgilSecurity/chat-back4app-android
- Open Back4App “Dashboard” of your app -> “App Settings” -> “Security & Keys”;
- Go to
/app/src/main/res/values/strings.xml
file in your android project and replaceyour_back4app_app_id
with your “Application ID” andyour_back4app_client_key
with yourClient Key
.
<string name="back4app_app_id">your_back4app_app_id</string>
<string name="back4app_client_key">your_back4app_client_key</string>
- Open Back4App “Dashboard” -> “Core” -> “Database Browser” ->
Create a class
and create classes ofCustom
type namedMessage
andChatThread
;
- Go to Back4App your apps list;
- Press the “Server Settings” button on your Application;
- Find the “Web Hosting and Live Query” block;
- Open the
Live Query
Settings and check the “Activate Hosting” option as well as “Activate Live Query”; - Choose any name for your
Subdomain
and activate Live Query for the 2 classes you've created:Message
andChatThread
; - Copy your new subdomain name and click the SAVE button;
- Go to
/app/src/main/res/values/strings.xml
and replaceyourSubdomainName
with the one you've created in the step above.
<string name="back4app_live_query_url">wss://yourSubdomainName.back4app.io/</string>
After these steps you will be able to hit the Run button in Android Studio and get the sample to work. Use emulator or real device to test it out.
To see the result of running the demo, you'll need to:
- Sign up 2 users;
- Start a conversation between them and send a couple of messages;
- Open Back4App “Dashboard” -> “Core” -> “Database Browser” -> "Message".
You can see the messages that users have sent to each other, but you won't be able to read their contents because they are end-to-end encrypted.
End-to-End Encryption is a way to meet the technical requirements for HIPAA (the United States' Health Insurance Portability and Accountability Act of 1996) & GDPR (the European Union's General Data Protection Regulation). If you need more details, sign up for a free Virgil account, join our Slack community and ping us there: we’re happy to discuss your own privacy circumstances and help you understand what’s required to meet the technical HIPAA & GDPR requirements.
Virgil is a stack of security libraries and all the necessary infrastructure to enable seamless, end-to-end encryption for any application, platform or device, find more information about what you can build with Virgil Security here.
If you missed pieces from the puzzle, you can get additional information about end-to-end encryption with our developer documentation.
Also, our developer support team is here to help you, you can find us on Twitter, send us email support@VirgilSecurity.com or get extra help on Slack.
Don’t forget to subscribe to our Youtube channel. There you will find a video series on how to do End-to-End Encryption.