Tech giants are constantly reading your data. Today, I created an app to fight against that.
Since the beginning of 2018, Facebook has been in the “limelight” for their practices of breaching users’ privacy and personal data.
The Cambridge Analytica scandal, Mark Zuckerberg’s vague testimonial in front of Congress, the role Facebook played in Russia’s plot during the election, followed by a Facebook bug that exposed 6.8 million users’ photos to third-party developers. Facebook is like a hydra, with new scandals sprouting almost weekly.
If you think it’s just Facebook that is constantly breaching and manipulating our personal data, you are so wrong. Other big tech companies are famously doing the same. It almost seemed like online privacy is dead.
It almost seemed like online privacy is dead.
Inspiration
As a 21-year-old, there wasn’t much I could do to help, but watch the situation deteriorate day by day as a bystander. Until one day, on April 30th 2019, Facebook announced on their annual F8 event in which they vowed to make user privacy an important mission with the motto “The future is private”. That speech, indeed, has given me a glimpse of hope that online privacy is still alive and that tech companies like Facebook are willing to prioritize their users over the interests of Wall Street.
After watching the event, it inspired me to build an app centered around privacy and security, an app that Facebook was not.
That F8 event inspired me to build an app that is centered around privacy and security, an app that Facebook was not.
The idea was to build an application that was simple enough that I could complete within a certain time frame yet effective enough to protect user privacy. After a few minutes of brainstorming, I decided to build a fully encrypted note app, call it — Hashnotes. Think of it as a more private and secure version of Evernote that places users’ data and privacy as its top priority.
Challenges
With that said, I collaborated with my friend, Bart to work on this app together. We decided to use React Native, a cross-platform framework that can be used to build mobile apps for Android and IOS using only JavaScript.
Subsequently, as opposed to using a standard REST API, we wanted to try out a new and rising technology called GraphQL to interface with our server. GraphQL also comes with a database called Graphcool which I heard was really easy to use.
Problem 1
Since my partner and I are both web developers and have never used any of the said frameworks, It was a challenge for us to learn and build the product at the same time.
Problem 2
Besides the uphill battle we already have, we also had problems thinking of a method to store users’ data in an encrypted format without knowing their respective secret keys, while at the same time having the ability to decrypt the data when the client sends a fetch request to the server for users to view its notes.
Approach 1:
To solve that problem, we thought of many ways to go around it. One of these ways is to generate the secret key based on users’ email and password and save it in the device storage, not in our server. And in the case when users happen to change their password, we will decrypt all the notes using the old key and encrypt it again using the new key generated from the new password.
Since we used JSON Web Token to build our authentication, passwords are not stored in its pure form. As a result, we will never be able to know the users’ password to create the key.
Problem solved, right? Nope.
The problem with this method arrives when users log in with other devices. This solution does not support multi-device encryption/decryption. Because all the keys are stored in device storage, we wouldn’t be able to decrypt users notes in a different device. We’d have to think of a much better solution.
Approach 2:
After giving a few more thoughts, we came up with a pretty straightforward and simple approach.
- Create a UI input after a user signed up that will be used for creating a secret passphrase
- Create a Crypto service to hash and salt the secret passphrase.
- The hashed and salted secret passphrase will then be used as the secret key to encrypt/decrypt the notes and stored it in the device storage
- If the user logs in with a new device, it will prompt the user to enter the passphrase
- If the user entered the right passphrase, the notes will be able to be decrypted
This method supports multi-device encryption/decryption, but there is one drawback. If the user happens to forget the passphrase, there is no way the notes could be decrypted.
To solve that, we decided to put a warning message when the user is prompted to enter the passphrase.
Product and user feedback
After a couple of weeks of coding tirelessly, we completed the prototype. But before we can officially put it on the AppStore and Playstore, we wanted to release it to some of the users to know what they think. You can check it out at Hashnotes.app.
We conducted about 12 user interviews to potential users, besides some UX problems which could be fixed quickly, there were a few features that were highly requested :
- Search bar for notes
- Options to prompt for a password before viewing the data
- Exporting the notes into a different file format such as PDF
- Support Image, videos, voice, and attachments as well as the encryption of each data types.
- Share or collaborate on a note with another user
- Formatting text (font size, font, color, bullet point)
- Web app support
Note apps highly saturated the market with huge competitors like Google, Apple, and Evernote. Thus, there is still a lot of work to do in order to develop Hashnotes to a place where it is commercial-ready.
Product Vision and Strategy
The vision of this app is the build a more private and secure alternative to other note app owned by big tech companies. These apps are meant to store some of the most sensitive and private data about you. So you might as well store them in an app that wouldn’t benefit from selling your personal data.
With that said, if we ever want to turn this into a sustainable business. Here are some things we can look at.
Markets and opportunities
There are several user persona that we can target to potentially turn them into a customer.
- Business leaders and executives
- They possess a habit of taking confidential notes from business meetings or discussions
- They are also concerns about hackers leaking private notes or breaches of personal data
2. Concerned individuals
- The frustrated users over targeted advertisements feed on personal data
- The privacy activists who are tired of unethical practices of big tech companies
3. Businesses/startups
- Small to midsize startups who need to store confidential data in a secure and private solution
- Another market is to provide businesses with fully encrypted cloud storage for documents, photos, videos and etc
Revenue channels and growth
There are a few ways we can monetize from this app. Since we do not benefit from users’ data, we can only monetize directly from users. Here are some of the potential revenue streams:
- Dropbox model
- Limit users’ storage and provide a flexible pricing model to charge for more
- Invite friends to sign up to get free storage as a growth strategy
2. Subscription model
- Provide a 1 month, 6 months, and an annual subscription plan for exclusive tools and features
- Invite others to join the app to get free credit to lower the subscription fees.
Conclusion
Although building this app will not solve the problems of lack of privacy from the tech companies, having a privacy-focused alternative app on the market, in this case, an alternative of Evernote and Apple’s notes could be a small step forward in building a bigger future that is more private.
Regardless, I had a lot of fun working on this project. I hope this would inspire developers and tech entrepreneurs across the world to start placing users’ privacy as one of the key priorities when building the next big idea.
