What does secure messaging mean?

Secure messaging allows us to exchange information with another person without being afraid that it will be compromised. This is achieved by encrypting the message it’s sent. That is how the third party cannot access your information that might be sensitive as well.

What information is sensitive

Sensitive information is the one that can harm the person or the business in case it becomes publicly available. It includes:

• Personally identifiable information (PII) — the data that can be traced back to the person (passport, medical, financial information, personal messaging, account credentials)
• Business information containing confidential data about the company (trade secrets, customer data, financial information).

Compromising such data means mostly financial damage or loss of security. That is why both personal and corporate sensitive information should be encrypted at rest and in transit.

Security criteria

Generally, sensitive information is protected using encryption algorithms both on client-side, server-side, and infrastructure level. Thanks to it, even if the information gets in wrong hands, the attackers cannot read it without a secret key.

Client-side

Client-side encryption is performed within your browser or application. The private key is never transmitted to the server and the data is protected within the user device and network. No third party, including cloud providers, cannot read the encrypted data.

Server-side & Infrastructure

At this level, encryption stands for preventing intrusions to the servers and databases. It can be done by using secure development practices like code scanning and test coverage. Protecting the cloud infrastructure is essential as well. Let’s see the possible ways to secure this layer:

• Protecting the infrastructure using WAFs
• Encrypting client-server communication with SSL-certificate
• Server access & security configuration
• Data backup
• Regular security audits
• Using up-to-date software

International information security standards

Protecting customer personal information is regulated by the following international acts:

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a generally accepted set of security standards and requirements for protecting health information. It regulates the exchange of protected health information (PHI). PHI is transmitted via a secure platform that makes it available to only the authorized hospital employees.

General Data Protection Regulation (GDPR):

The General Data Protection Regulation is a unified framework of data privacy rules, introduced by the European Parliament. GDPR sets strict regulations on how businesses operating in the EU collect, store and manage personal information. They must protect sensitive data and notify affected parties in the event of a breach.

QuickBlox security practices

We have spoken about preventing security incidents in your product. For QuickBlox, the security of our clients is essential, so we follow the latest client-side and server-side security practices.

Client-side communication

To secure the customer data on the client-side, the QuickBlox team uses HTTPS protocol to ensure that all traffic is protected from malicious attacks. Also, we use our own modification of the Auth token-based security protocol.

Each application has an owner ID, app ID, public key, and secret key. Client-server traffic is signed with a unique token generated using the application key and device ID. This means each request is only valid for the specific token, specific app and specific user.

All user passwords are encrypted via a one-way hash function which means even if someone has access to the database, they will not be able to find out users’ passwords.

QuickBlox XMPP includes a method for securing the stream from tampering and eavesdropping. This channel encryption method makes use of the Transport Layer Security (TLS) protocol. We use TLS v1.2. for API, admin endpoints, ssl_protocols, chat, and video.

Server-side communication

To ensure the backend security, we protect our infrastructure with SSL certificates. We also included nonce & timestamp protection which secures against ‘replay attacks’. This means if request is intercepted somewhere in the network, tampered with and re-sent later, it won’t pass the authorization as timestamp will be different to what is authorized for current token.

We use HMAC with a cryptographic hash function SHA1 160 bit. Also, we store cipher keys using hashing algorithms and “salt” value, so, the passwords are never stored as a “raw” value.

Our DevOps team is able to configure HIPAA and/or HA/DR instance, which means we can enable encryption for all data stored (including DB). We can enable AES-256 encryption for AWS S3 as per the client’s request which means data is encrypted via 256 bit AES and the keys are stored by Amazon separately. Also, the QuickBlox team can encrypt both the boot and data volumes of an EC2 instance using the AWS Key Management Service (AWS KMS).

As a premium function for our Enterprise customers, we give the possibility of implementing Custom Identity provider (the clients can link the user from their database with our server using QB_userID). So, the user is anonymous, and we don’t know the owner of a chat or other information.

Conclusion

Protecting user data must be a high priority and should never be ignored. Due to increasing privacy concerns, more companies are starting to secure their messages. QuickBlox takes security issues seriously. By default, we apply all the practices that were listed in this article. Yet, for different businesses, there are different security requirements, so we will configure the infrastructure according to your needs.