The question here is not how to make a secure messenger, but rather how to make it serve customers’ needs. It will also be of interest to those who are concerned about chat app security.
- How do secure chat messengers work?
- How do we secure a messaging app?
- Speak Freely But Stay Private.
- Cost to Make a Secure Messaging App
- Backend of the secure chat application
There are way too many communication tools we use that actually prevent communication from happening. According to messenger research from January 2018 alone, the number of most popular chat apps reaches 9, including the similarly functioning WhatsApp, Snapchat, Facebook Messenger, Telegram, Viber, LINE and Skype. Most of us have a few of them installed, each for a certain “communication group” - it turns out that older people choose Viber over the rest, whereas Snapchat and Telegram attract more juveniles.
How do secure chat messengers work?
As we have already explained in our article “How Much Does It Cost to Build a Messaging App Like WhatsApp”, the main value of chat apps is that they can transmit messages instantly in real time. App developers all around the Earth build their chats on 2 types of secure messaging protocols:
- HTTP + Push Notifications, where you are notified once you get a message, and the server responds to you once you open the app itself.
- Extensible Messaging and Presence Protocol (XMPP) with sockets-based chat. This protocol is more commonly used, as here you always stay connected to the server; when the connection is lost, you are automatically transferred to offline mode.
Every messenger already built has a purpose. These messengers cover a great many goals, but cybersecurity is still a great threat for all of them - being an encrypted messaging app is not what they are about, and even professors of computer engineering claim that “everything could be hacked”. What does messaging security stand on?
How do we secure a messaging app?
There are two approaches for message encryption in chat apps:
- Peer-to-peer encryption (P2P)
- End-to-end encryption.
P2P encryption has been criticized heavily these days, so let’s look at the basic working principles of the end-to-end type.
The main idea of “end-to-end” can be explained with a simple example: you send a message, it gets encrypted on your device and is transferred to the server, which brings it to the final recipient (e.g. your friend’s device). Decryption happens only on his device, ensuring he’s the only one who can read your conversation. Above is a scheme that illustrates the encryption process.
WhatsApp has had it in place since 2016, and since then there has been a message at the top of every chat you open, saying that all your conversations are now encrypted. WhatsApp is not the most secure solution one could come up with, though.
There is a great article by technician Romain Aubert in which he explains which data WhatsApp collects from you: it collects your metadata.
Metadata is “data about other data” - so it’s basically info about the time and duration of your calls, the recipients of your messages and the type of content you send and receive. WhatsApp will not have access to messages, but it will know where you call and whom you text. Now, let’s not forget that WhatsApp is owned by Facebook, a tool collecting user data about anything and everything - so these “phone & messages records” could be used for different purposes.
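The two points above (the relay server only ever handles ciphertext, yet still learns who talks to whom, when, and how much) can be seen in a small model. This is an added example, not code from the original article or from any messenger: it uses a single ECDH exchange with AES-256-GCM from Ruby's standard `openssl` library rather than the Signal Protocol, and the names `Device`, `RelayServer` and the `e2e-demo` labels are hypothetical.

```ruby
require "openssl"
# Added illustration: one static ECDH exchange, NOT the Signal Protocol
# (no ratchet, no forward secrecy, no verification of the peer's public key).
class Device
  attr_reader :name
  def initialize(name)
    @name = name
    @key = OpenSSL::PKey::EC.generate("prime256v1") # private key never leaves the device
  end

  def public_point
    @key.public_key
  end

  # Both ends derive the same AES key from their own private key and the peer's public key.
  def session_key(peer)
    secret = @key.dh_compute_key(peer.public_point)
    OpenSSL::KDF.hkdf(secret, salt: "e2e-demo-salt", info: "e2e-demo", length: 32, hash: "SHA256")
  end

  def encrypt_for(peer, text)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = session_key(peer)
    iv = c.random_iv
    body = c.update(text) + c.final
    { from: name, to: peer.name, sent_at: Time.now.to_i, iv: iv, tag: c.auth_tag, body: body }
  end

  def decrypt_from(peer, env) # raises OpenSSL::Cipher::CipherError on a wrong key or altered body
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = session_key(peer)
    d.iv = env[:iv]
    d.auth_tag = env[:tag]
    (d.update(env[:body]) + d.final).force_encoding("UTF-8")
  end
end

# The relay holds no private key: it stores and forwards ciphertext, but it does see the metadata.
class RelayServer
  attr_reader :log
  def initialize
    @log = []
  end

  def deliver(env)
    @log << { from: env[:from], to: env[:to], sent_at: env[:sent_at], size: env[:body].bytesize }
    env
  end
end
```

After a delivery, `RelayServer#log` holds sender, recipient, timestamp and message size even though the server cannot decrypt the body, which is the metadata exposure described above.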
Furthermore, Facebook’s Messenger is not a safe place to have a private conversation either - regular messages are not encrypted at all; you get ETE (end-to-end) encryption only if you choose the “start secret conversation” option. Though, again, your metadata is going to be stored on Facebook’s servers.
Diving deeper, Google’s messenger app is based on end-to-end encryption, but the privacy of its users raises many questions - Google has been heavily criticized for storing users’ messages and recorded voice calls on its servers.
Popular Viber has the same messaging app security gap - despite the double ratchet protocol, all of the users’ data is safely stored on their services.
Another popular messenger, Telegram, with its fancy interface and cool stickers, is a perfect match for those looking for privacy over security. Telegram claims to have created their own protocol in the secure messaging application development area - they use the MTProto mobile protocol, though nobody really knows how it works - there is no open-source access to it.
However, MTProto is implemented only in Secret Chats - default Telegram chats have zero protection.
Though there is one messenger that really stands out from the crowd of not fully secure mobile messaging apps - the Signal app, underground and considered hipsterish by many.
There are handy stats from the Electronic Frontier Foundation that show the security leadership in features:
Speak Freely But Stay Private.
Signal developers were the first to make an encrypted-messaging app back in 2013, combined out of two tools - the encrypted calls app RedPhone and the PGP texting program TextSecure. Later on, the two were united into a single program, offering a number of solid benefits. In particular, Signal is handy for people concerned about the surveillance of their content - their text messages and their photo, video, and audio files. Many entrepreneurs also fear phone call wiretapping, and Signal promises to keep their conversations private as well, without any additional fees for overseas roaming. What is more, Signal is a completely open-source solution and is not monetized in any way - no ads, no subscriptions and no pricey stickers, as the founders are supported by free donations & grants.
Another interesting thing about Signal’s users is that even if you don’t have this app installed on your device, you’re still already using it - if you have WhatsApp, Facebook Messenger or Google Allo. Very soon Skype users will also be on this list. You might wonder why this is so - the trick is, they all use one protocol, originally created by Signal developers to build a really safe chat application.
According to Wiki, the Signal Protocol (formerly known as the TextSecure Protocol) is a non-federated cryptographic protocol that can be used to provide end-to-end encryption for voice calls, video calls, and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was first introduced in the open-source TextSecure app, which later became Signal.
The surprising thing about Signal is that it is more of a non-profit startup than a workable business.
As the application’s founders claim on the official Signal website, it is not monetized in any way - no ads, no affiliate marketers and no in-app purchases, and it is also not advertised in any way (except for a few guest posts).
Cost to Make a Secure Messaging App
We took an iOS version of a messenger and estimated it. Below you can find a table with features and estimated time for their accomplishment:
Onboarding feature that includes user sign up via the phone number
Maintenance/project setup feature - all the project settings that our iOS developers need to implement first
Authorization feature - includes sign-in and forgot-password algorithms
Settings feature - in-app custom settings for a user
Profile - user profile customization and development
Status/Invite/Privacy/Notifications/About feature - the ones that include user status (on/off modes), invitations for out-of-system users, privacy & notifications settings, and about app feature
Linked Devices - includes ability to scan QR-code with your mobile phone in order to link the laptop and install a desktop application version
Sockets/Real-time feature - development of the real-time chats
Signal Protocol Integration - integration of the well-known end-to-end encryption into chat app
Backend of the secure chat application
The backend for a basic chat application has a few nuances you might need to consider when looking to create one. The language commonly used for backend development (Ruby) is hardly a perfect match for big message volumes. It could fit a text message chat, but it would not work for audio or video calls in the app; you would need a subsidiary server like Faye to help with a stream connection. Another option in this case would be a language transition - the backend could be written in Elixir with the Phoenix framework.
Taking the estimation of the same features as with the iOS client app, backend development for a Signal-like app could take around 400 h, depending on the tech used and the features to be implemented.
However, making a Signal clone would never be enough if you want it for business. You’ll need a usable business model, a smooth user experience and a solid marketing plan to get noticed. At Mind Studios we do all that during the stages of:
Business analysis and specification - up from 40 hours
UI & UX design - up from 120 h
iOS client app - 320+ hours (please note this is an MVP product with only the features available in the Signal app)
Backend development - up from 400 h
Testing - roughly around 200 hours
Therefore, an approximate cost for an MVP of a Signal-like app would start at $37,000.
Market Has Many Solutions, But Not the Ones People Need
As you can see, how to encrypt text messages is not the most difficult question to answer. What to do next is way harder to decide.
A rule of thumb says customers want their messenger to be simple, intuitive and secure. In the current market, there are user-friendly and fancy-looking chat apps (e.g. Telegram, WhatsApp, Facebook Messenger), and there is a simple but secure alternative, the Signal app. Though, as you can see, there is demand for a different combination, for a breakthrough in the chat market - so why don’t you satisfy it with your own product?
Written by Yuriy Smirnov and Elina Bessarabova.