How to Develop a Secure Messenger Like Signal?

The days of sending homing pigeons and waiting weeks or even months for a letter are over, and everyone enjoys the convenience of instant messaging. It has become an integral part of almost everyone’s daily life, so there is hardly a person who doesn’t use messengers or hasn’t heard of them.

There is one issue though: just as a pigeon could fall into the wrong hands in ancient times, sensitive user data can be stolen or, even worse, used by blackmailers or made public. Thus, the question of data security is becoming even more tangible. And this is where apps like Signal come under the spotlight.

Magic inside Signal or what makes it special

So what is Signal and what makes it the safest messaging app ever? Signal Private Messenger was built on the existing RedPhone and TextSecure applications and was launched in March 2015 by Open Whisper Systems. It uses an end-to-end encrypted messaging protocol built on the Curve25519, AES-256, and HMAC-SHA256 primitives to protect communication and guard against MITM (man-in-the-middle) attacks. What also distinguishes it from other chat apps is that its source code is available on GitHub for anyone who wants to examine it or check for security flaws.
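How the three primitives named above can fit together, as an added example that is not Signal's code or part of the original article: X25519 (Curve25519) key agreement, then encrypt-then-MAC with AES-256 and HMAC-SHA256. The HKDF step, CBC mode, the `demo-e2e-v1` label and all function names are assumptions, and the real Signal Protocol adds prekeys, ratcheting and identity verification on top.

```javascript
// Added illustration: a simplified one-shot exchange, NOT the Signal Protocol
// (no prekeys, no ratchet, no verification of who owns a public key).
const crypto = require('node:crypto');

// Each party holds a Curve25519 (X25519) key pair.
function newKeyPair() {
  return crypto.generateKeyPairSync('x25519');
}

// X25519 agreement, then HKDF-SHA256 into separate AES-256 and HMAC keys.
function deriveKeys(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  const okm = Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(32), 'demo-e2e-v1', 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

// Encrypt-then-MAC: AES-256-CBC, then HMAC-SHA256 over IV || ciphertext.
function seal(keys, plaintext) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', keys.encKey, iv);
  const body = Buffer.concat([iv, cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = crypto.createHmac('sha256', keys.macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Verify the tag in constant time before decrypting; return null on failure.
function unseal(keys, message) {
  if (message.length < 16 + 16 + 32) return null; // IV + one block + tag
  const body = message.subarray(0, message.length - 32);
  const tag = message.subarray(message.length - 32);
  const expected = crypto.createHmac('sha256', keys.macKey).update(body).digest();
  if (!crypto.timingSafeEqual(tag, expected)) return null;
  const decipher = crypto.createDecipheriv('aes-256-cbc', keys.encKey, body.subarray(0, 16));
  return Buffer.concat([decipher.update(body.subarray(16)), decipher.final()]).toString('utf8');
}

// Constructed demo: Alice sends to Bob; a relay that flips one bit is detected.
function demo() {
  const alice = newKeyPair(), bob = newKeyPair();
  const aliceKeys = deriveKeys(alice.privateKey, bob.publicKey);
  const bobKeys = deriveKeys(bob.privateKey, alice.publicKey);
  const wire = seal(aliceKeys, 'meet at noon');
  const tampered = Buffer.from(wire);
  tampered[20] ^= 0x01; // modify one ciphertext bit in transit
  return { received: unseal(bobKeys, wire), afterTamper: unseal(bobKeys, tampered) };
}
```

The server relaying `wire` never sees either private key, so it cannot derive the message keys; what this sketch does not cover is proving that a public key really belongs to the intended correspondent, which is why independent identity verification is its own criterion.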

But what exactly does it mean to be secure? According to the Electronic Frontier Foundation (EFF), there are seven criteria to assess how secure a chat app is. They are:

  • communication encrypted in transit;
  • no provider access to the key the communication is encrypted with;
  • independent verification of a correspondent’s identity;
  • past communications that stay secure if the keys are stolen;
  • code open to independent review;
  • well-documented crypto design;
  • an independent security audit.

According to these criteria, Signal is considered to be an A player.

How to develop a secure instant messaging app like Signal

The core feature of the Signal app is private instant messaging but it definitely has more functions worth mentioning. In fact, the application can tick all the boxes for even the pickiest users.

Registration with a phone number

Convenience is king, and registration is much easier when you don’t need to remember passwords or login information. That’s why Signal uses a phone number and a confirmation code sent to it to verify user registration or login.

Disappearing messages

A user can set up a timer from 5 seconds to 1 week for all the seen messages to disappear. It is even impossible to take a screenshot of a chat because the app simply doesn’t allow that.

Voice and video calls

Signal lets its users make crystal-clear and secure voice and video calls, which is why the application is also suitable for business communication.

Group chats

Besides one-to-one secure chats, users can also have private encrypted group conversations with their friends. In addition, the Signal server has no access to any group metadata, including icons, titles, and membership lists.

Content sharing and entertainment

Signal never stops developing and introducing new features. So far, the application allows sharing not only text but also GIFs, photos, videos, location, any document or file, and even voice messages.

Platform-specific features

On Android, users can set Signal as their default SMS/MMS application, which allows sending and receiving SMS messages to/from non-Signal users or when there is no internet connection. The catch is that these messages are not encrypted.

Security and encryption

Implementing security protocols is not an easy task. It presupposes a huge amount of effort. Of course, there are some comparatively easier options. One of them is, for example, using the Telegram API (Telegram being another secure chat app). The advantage is that you won’t need to develop a back end and a database, which will save you time and money. But this solution has its drawbacks as well. You won’t have access to or control over the database, and therefore it will be impossible to change the flow or be 100% sure that user data is stored safely.

Having no end-to-end encryption doesn’t mean that all your chat history will be compromised and used with bad intentions. Actually, many well-known messengers started and gained their popularity and user base without having super security protocols implemented. Take, for example, giants such as Facebook Messenger and WhatsApp, which became encrypted only recently, using the Signal Protocol (developed by Open Whisper Systems).

Most of us don’t often share highly confidential data in our messages. However, end-to-end encryption serves as an extra safety measure when you are sending private information like payment details, a Social Security number, a username, a password, etc. So, having end-to-end encryption and disappearing messages can give you peace of mind and confidence.

Check the extended version of the article on the MLSDev blog to see a rough estimate of Signal-like messenger development and get more information about it.