2
I am developing an Android messaging application using Firebase and I realized that it will be necessary to protect the user data and the messages exchanged by them, because at the moment it is possible to see everything by the Firebase console (which probably facilitates an invasion) but I’m not finding much about it. How it works?
The data are name, profile photo, email, nickname, as well as the messages exchanged in each chat room.
Um.. let me see if I got this straight.. you want the messages to be encrypted inside firebase tokens ?
– Dev
I don’t have much experience with development like this, but I believe that not even developers can have access to user conversations, right? @Matheus
– Leila
Ai depends on the policy of the company or the developer himself... But I think firebase doesn’t have this feature, but you could create your own encryption and save in firebase the already encrypted data, and when receiving this data you could decrypt them
– Dev
Ignoring Firebase itself, you store public keys (or something that allows key derivation). For simplicity (min. secure, not ideal) each user generates two pairs of keys (RSA/Curve25519), one for signing and one for encrypting (receiving messages). When starting a conversation the customer asks for the person’s public key, then sends the message, encrypted and signed, but this is SLOW. Another way would be some ECDH (and perhaps use some key derivation), so it could create a symmetric key between two parts and use a Chacha20poly1305 or AES-CBC + HMAC or AES-GCM.
– Inkeliz