Nishchal Foolish Kesarwani
Published in Preseed Web Lab
Nov 7, 2017
Chattodo tech stack and security

1. Java for Android (client side)

2. Firebase Real-time DB: For communication (messaging) and real time data changes.

3. Cloud Functions: For triggers and notifications.

4. MongoDB on an external server, where a backup of the data stored on Firebase is kept (currently an AWS server is used for this). Location: the final decision on hosting location will be taken based on where most of our users are; multi-regional looks most likely in that case.

5. FCM (Firebase Cloud Messaging): to manage notification updates [push and client-to-client].

A note on how security is managed in the Firebase Realtime Database environment.

Firebase Realtime Database Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times. Every read and write request will only be completed if your rules allow it.

The Firebase Realtime Database provides a full set of tools for managing the security of your app. These tools make it easy to authenticate your users, enforce user permissions, and validate inputs.

Firebase-powered apps run more client-side code than apps built on many other technology stacks, so access control has to be enforced by the database rules on the server rather than by the client.

The Firebase Realtime Database handles many other security details. For example, it uses SSL with strong 2048-bit keys for certificates.

Authentication
A common first step in securing the app is identifying users. This process is called authentication. We use Firebase Authentication to have users sign in to our app. Firebase Authentication includes drop-in support for common authentication methods like Google and Facebook, as well as email and password login, anonymous login, and more.

User identity is an important security concept. Different users have different data, and sometimes they have different capabilities. For example, in a chat application, each message is associated with the user that created it. Users may also be able to delete their own messages, but not messages posted by other users.

Authorization
Identifying your user is only part of security. Once you know who they are, you need a way to control their access to data in your database. Firebase Database Rules allow you to control access for each user.

{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}

The Firebase Database Rules include built-in variables and functions that allow you to refer to other paths, server-side timestamps, authentication information, and more. Here is an example of a rule that grants write access for authenticated users to /users/<uid>/, where <uid> is the ID of the user obtained through Firebase Authentication:

{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Data validation
The Firebase Realtime Database is schemaless. This makes it easy to change things as you develop, but once your app is ready to distribute, it’s important for data to stay consistent. The rules language includes a .validate rule which allows you to apply validation logic using the same expressions used for .read and .write rules. The only difference is that validation rules do not cascade, so all relevant validation rules must evaluate to true in order for the write to be allowed.

These rules enforce that data written to /foo/ must be a string of fewer than 100 characters:

{
  "rules": {
    "foo": {
      ".validate": "newData.isString() && newData.val().length < 100"
    }
  }
}
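The Authorization and Data validation sections above describe two different evaluation semantics: .read and .write cascade (a grant at a parent path applies to every child, and a deeper rule cannot revoke it), while .validate does not cascade (every applicable validation rule must hold). The following toy evaluator, added here as an example and not Chattodo's code or the real Firebase engine, models those semantics over a rule set combined from the three snippets on this page. Rule expressions are Python callables instead of the Firebase expression language; the string check is placed under the per-user path so that a permitted write can exercise it (the page's /foo is read-only), and the "private" child is a constructed addition that shows a deeper ".write": false not revoking the parent's grant. The equivalent deployable rules are kept in RULES_JSON for reference.

```python
"""Toy evaluator for Firebase Realtime Database rules (added example).

Modelled semantics:
  * .read / .write CASCADE: permission granted at a path applies to every
    child path, and a deeper rule cannot take it away.
  * .validate does NOT cascade: every .validate rule on the written path must
    evaluate true for the write to be allowed.
Simplifications (assumptions, not Firebase behaviour): ancestor .validate rules
see the same new_data as the target, and .validate rules below the target are
not applied to children of the written value.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Iterator, Optional

# Same rules in deployable Firebase syntax (combined from the post's snippets;
# "private" is a constructed child used to demonstrate cascading).
RULES_JSON = """
{
  "rules": {
    "foo":   { ".read": true, ".write": false },
    "users": {
      "$uid": {
        ".write": "$uid === auth.uid",
        "name":    { ".validate": "newData.isString() && newData.val().length < 100" },
        "private": { ".write": false }
      }
    }
  }
}
"""


@dataclass
class Ctx:
    auth_uid: Optional[str]                   # None when unauthenticated
    new_data: Any                             # value being written (None for reads)
    vars: Dict[str, str] = field(default_factory=dict)  # bound $wildcards


# Python mirror of RULES_JSON: each rule is a callable taking a Ctx.
RULES: Dict[str, Any] = {
    "rules": {
        "foo": {".read": lambda c: True, ".write": lambda c: False},
        "users": {
            "$uid": {
                ".write": lambda c: c.vars["$uid"] == c.auth_uid,
                "name": {".validate": lambda c: isinstance(c.new_data, str)
                         and len(c.new_data) < 100},
                "private": {".write": lambda c: False},
            }
        },
    }
}


def _child(node: Dict[str, Any], segment: str, vars_: Dict[str, str]):
    """Pick the rule node for one path segment: literal key first, then a $wildcard."""
    if segment in node:
        return node[segment]
    for key, child in node.items():
        if key.startswith("$"):
            vars_[key] = segment           # bind e.g. $uid -> "alice"
            return child
    return None


def _walk(rules: Dict[str, Any], path: str, ctx: Ctx) -> Iterator[Dict[str, Any]]:
    """Yield rule nodes from the root down to the deepest node matching path."""
    node = rules["rules"]
    yield node
    for segment in filter(None, path.strip("/").split("/")):
        node = _child(node, segment, ctx.vars)
        if node is None:                   # no rules below: nothing else can grant
            return
        yield node


def _cascading(rules, path: str, ctx: Ctx, kind: str) -> bool:
    """.read/.write: the first node on the path that evaluates true grants access."""
    return any(n[kind](ctx) for n in _walk(rules, path, ctx) if kind in n)


def _validated(rules, path: str, ctx: Ctx) -> bool:
    """.validate: every applicable node on the path must evaluate true."""
    return all(n[".validate"](ctx) for n in _walk(rules, path, ctx) if ".validate" in n)


def can_read(rules, path: str, auth_uid: Optional[str] = None) -> bool:
    return _cascading(rules, path, Ctx(auth_uid, None), ".read")


def can_write(rules, path: str, new_data: Any, auth_uid: Optional[str] = None) -> bool:
    ctx = Ctx(auth_uid, new_data)
    return _cascading(rules, path, ctx, ".write") and _validated(rules, path, ctx)


if __name__ == "__main__":
    print(can_write(RULES, "/users/alice/name", "Alice", auth_uid="alice"))    # True
    print(can_write(RULES, "/users/alice/name", "x" * 100, auth_uid="alice"))  # False
    print(can_write(RULES, "/users/alice/private", "s", auth_uid="alice"))     # True
```

The last call in the usage section is the caveat worth remembering when writing rules: because the $uid node already grants write access to Alice, the ".write": false on the child has no effect. Restrictions must be placed at or above the level where the grant happens, or the grant itself must be narrowed; a .validate rule is the tool for constraining what gets written once access has been granted.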

Refer to the link below for more on security rules in the Firebase Realtime DB.

Note: we may also use the following as we scale:

1. XMPP (the Extensible Messaging and Presence Protocol): a set of open technologies for instant messaging, multi-party chat, and voice and video calls. XMPP servers let us transfer and receive messages between devices.

2. Smack API: a highly modular and portable open-source XMPP client library, written in Java, for Android. Used to send and read messages from the XMPP server.

The front end

Is being rebuilt with Expo, a library for making native iOS/Android apps with React that also gives the option of publishing for the web.

On-premise hosting, for maximum security and data control, is something we will one day add to our offering for enterprises.

SECURE MESSAGING FOR POLICE, RESCUE FORCES & MILITARY is part of our goal.

Secure Alternative to Whatsapp for Police, Rescue Forces and Military
Police, rescue forces and the military often use insecure services like Whatsapp because they have no other way to quickly exchange digital content like photos, videos and documents. What they need is strong data protection and a secure alternative to Whatsapp.

Tap-proof and military-grade encryption that meets the demand of police, rescue and military forces for very strong data protection based on German and European standards.
