Modern messenger apps have made daily communication fast and easy, exceeding many people’s wildest expectations. Sadly, however, the security of these apps is full of “holes”. There is ample opportunity for personal data leaks — a risk faced by any app user.
Today’s best security solutions for conventional apps are end-to-end encryption and asymmetric cryptography systems. Both ensure a user’s data exchange with the server is completely secure. Yet, there is a “weak spot” remaining — the device itself that carries the app and stores the data.
So we set ourselves an ambitious mission: create a messenger app that would protect its user’s data even if the device ends up in the wrong hands. In this article, we will share how we are planning to develop the Aegees Messenger, what it will feature and how close we are to achieving our goal.
Aegees Messenger: Reinventing the Wheel
Reinventing the wheel is certainly a cliché as old as time. Yet, we believe that what we are trying to build now is akin to the wheel and cart prehistoric man came up with after an age of blood, sweat and tears carrying and hauling heavy stuff around. Metaphorically speaking, this describes the gap between Aegees Messenger and all other messenger apps on the market.
When addressing security, most messenger app developers opt for encryption solutions to do the job. But truth be told, phone tapping and data interception are not employed on a large scale, even in North Korea, let alone anywhere else, which renders this type of protection quite useless.
Even if someone were to try to obtain another person’s data, it would be much easier to get hold of their phone/device, install a backdoor, make a data backup, or obtain the exchanged message data from the app operator. So, potentially any person of interest could find themselves facing a whole range of threats.
In order to create Aegees, we began analyzing what these possible threats are. Here is what we identified:
● traffic interception;
● device can be taken away from the owner at the time of communication;
● data interception can occur at the time of data transfer via communication channels (phone calls, text messages, file exchange);
● device can be lost;
● device can be taken away for a visual check;
● device can be taken away for a lab check;
● owner can be forced to give up authorization data;
● device can be replaced with a similar-looking one without the owner’s knowledge;
● user’s SIM-card can be retrieved and replaced (resulting in interception of text messages and/or incoming calls);
● a fake caller can call a user;
● server system infrastructure or its components can be accessed or retrieved.
The usual assumption is that any of the above is unlikely to happen to most users. However, in some situations personal exchanges may require as much protection as state secrets. Also, confidentiality is paramount for business activities where any data leak could adversely affect overall operation, security and revenues.
We decided to develop a messenger application that would be able to protect data in almost any situation, including loss of the mobile device. Even if — hypothetically — the device were taken away from the unfortunate owner and they were forced to give up the password to unlock it, it would be possible to give the perpetrators a special password that, once entered, would start clearing all the app data from the device without the perpetrators knowing.
Aegees Messenger will compete strongly with all other messenger apps on the market in terms of functionality and usability. It will be supported on Apple iOS, Google Android, Microsoft Windows, Linux, and macOS platforms, and at the same time it will eliminate all the risks associated with the “holes” in these systems.
Cryptocurrency Transfers and Cryptocurrency Exchange
After browsing through all the apps on the market, we came up with the idea of fitting Aegees with a set of tools to work with cryptocurrencies and fiat digital assets. In the short term, we are planning to develop functionality for cryptocurrency (Bitcoin, DASH, Ethereum, NEM, Monero, Ripple, Bitcoin Cash, EOS, Litecoin, Stellar, TRON, IOTA, Zcash) transfers between users using e-wallets, both existing and new.
At a later stage, we plan to develop full-scale cryptocurrency exchange functionality for all these cryptos. Certainly, these additional features increase development time and costs, but we see a pressing demand for them, both among the business community and private users.
To eliminate brute-force password cracking, we chose Argon2i, a key derivation function (KDF) that lets us avoid storing personal data on servers or transferring it to them. The algorithm hashes the data, so it is only the hash that is transferred to and stored on servers. Recovering the original data from the hash is so resource-intensive that it makes no sense to attempt it (at least until a commercial version of a quantum computer is produced).
The other advantage offered by Aegees is that all your personal data will be stored in an isolated crypto container located in a reserved space on your device’s file system. This approach to storing data eliminates the possibility of using “holes” in the OS to access data and protects the user’s personal data in situations where the device is lost or stolen, or the login information ends up in the wrong hands.
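An added example, not code from Aegees: a sketch of how a memory-hard KDF, a password-wrapped container key and the wiping "special password" described above can fit together. scrypt from Python's standard library stands in for Argon2i, and the Container class, its simplified XOR key wrap and the sample passwords are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF; scrypt (stdlib) stands in for Argon2i in this sketch.
    Returns 64 bytes: [0:32] key-encryption key, [32:64] stored verifier."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Container:
    """Hypothetical container header: stores salts, verifiers and a wrapped
    master key, never a password or the master key itself."""

    def __init__(self, password: str, duress_password: str):
        if password == duress_password:
            raise ValueError("duress password must differ from the real one")
        self.salt, self.duress_salt = os.urandom(16), os.urandom(16)
        out = derive(password, self.salt)
        self.verifier = out[32:]
        # Simplified key wrap (XOR with a single-use KEK); real code would use an AEAD.
        self.wrapped = xor(os.urandom(32), out[:32])
        self.duress_verifier = derive(duress_password, self.duress_salt)[32:]

    def unlock(self, password: str):
        # Run both derivations on every attempt so the work done does not
        # reveal which kind of password was entered.
        normal = derive(password, self.salt)
        duress = derive(password, self.duress_salt)
        is_owner = hmac.compare_digest(normal[32:], self.verifier)
        is_duress = hmac.compare_digest(duress[32:], self.duress_verifier)
        if is_owner:
            return xor(self.wrapped, normal[:32])
        if is_duress:
            # Crypto-erase: the wrapped master key is overwritten, and the duress
            # password becomes the login of an empty decoy container.
            decoy = os.urandom(32)
            self.salt, self.verifier = self.duress_salt, self.duress_verifier
            self.wrapped = xor(decoy, duress[:32])
            return decoy
        return None  # wrong password: nothing changes

if __name__ == "__main__":
    c = Container("correct horse", "blue tulip")  # constructed sample passwords
    print("owner unlock ok:", c.unlock("correct horse") is not None)
    print("duress unlock looks ok:", c.unlock("blue tulip") is not None)
    print("real password after wipe:", c.unlock("correct horse"))
```

After the duress password has been entered once, the real password no longer unlocks anything, while the duress password keeps opening the same empty container.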
Technology Stack and Our Developers
Naturally, such an ambitious and large-scale project required an impressive technology stack:
We literally scoured the world and handpicked a team of 50 experts. You can rest assured that we went to all possible, and even impossible lengths, to find just the right person for every job, and we know all too well how difficult that is.
Remember the old joke about a house construction project?
– So I see you built a house, how many rooms does it have?
– Eh, one, it didn’t make sense to build fewer.
Jokes aside, it didn’t make sense to us to hire fewer experts, as cutting down on necessary human resources would increase the project’s duration exponentially.
How We Use SCRUM
In terms of effective team collaboration, our choice predictably fell on agile software development solutions, namely Scrum, which adapted quite easily to our project needs. The project’s scale, relatively tight timeline and reputation of waterfall models were the main factors that determined our choice.
We break our work down into sprints, each lasting between one and three weeks. Each sprint begins with a planning stage, during which we identify a set of tasks from the project backlog in accordance with the priorities set by the project owner; it finishes with a demo of the results. An operational planning approach allows us to make adjustments based on the results of the completed sprints.
Evaluating each sprint serves to improve the quality of the software. As we review and appraise each sprint, we identify successful and unsuccessful solutions, which help eliminate problems in our ongoing work.
Each sprint’s results are compiled in an output document, which is signed by all participating developers. Reviewing protocols helps identify ways to improve our team’s work both in terms of quality and time. Experience tells us it’s often better to pull a couple of all-nighters and make it on time than to spend time later analyzing why we missed the deadline.
In terms of operational management, the team’s day begins with a 5-to-10-minute meeting at 11 am, where we coordinate activities and sort out all the issues on hand. Strategic, financial and human resources management is performed with the help of the project backlog.
Tight deadlines, cross-platform development and test automation were the requirements that made us choose a continuous integration process for our project.
The way this works is that automated tests designed to test for flaws in all sensitive areas are developed in a parallel stream to the product development flow. We began by making it a basic rule that the master branch must remain functional at all times. This rule defined the following software development stages that need to be covered before the code can be merged into the master:
● Developer creates a pull request for changes in the master branch;
● The continuous integration system responds by attempting to make an updated build for all OS types, i.e. iOS, Android, Windows, macOS;
● The continuous integration system launches automated tests for the updated build;
● Once all builds across all platforms complete the tests successfully, a mandatory code review takes place;
● After all the above stages are successfully completed, the developer can update the master branch.
Why Atlassian Jira?
This is a rhetorical question. Atlassian Jira has become the industry standard for a vast majority of projects that use agile methodologies. Jira provides Scrum and Kanban boards for developer teams.
We chose Jira because it provides all the necessary modules to support full-scope code documentation for our project. Jira’s great advantage is GitHub integration (which enables mapping any ‘story’ to a code segment in the repository) and Atlassian Confluence collaboration opportunities.
This level of integration provides us with code base management, project management and a knowledge base all on one single platform. This is super functional and saves a lot of time. All our developers have had previous experience of working with Atlassian Jira.
Yet another thing that makes Aegees special is our three-stage testing algorithm. At stage one we use low-level autotests to test each module in the common core, which allows us to avoid breaking the core functionality when attempting to change code in the master branch.
Successful completion of low-level autotests triggers automated UI tests that use Appium.
Additionally, we employ non-automated “manual” testing when testing the app’s compatibility with new device models, nonstandard OS builds, etc. In addition to our in-house testing team, we outsource project testing to a team of 30. Manual testing runs for 1 to 2 weeks between the test release and production.
We also plan to design and run a special “hack” test for the app. We’ll pretend to be hackers and try all conceivable ways of retrieving data.
Current Project Status
We are nearing a soft launch stage. Since 2016, when we began work on Aegees Messenger, we have developed the following:
● Crypto container for storing confidential information
● Message and file exchange functionality
● Audio calls
● Group chats
● ARGON2i implementation
● Audio conference calls
● User notepad
● Desktop version of the app
● Device synchronization
We have also completed in-house testing of Aegees Messenger and are in the process of rolling out a global server infrastructure in test mode.
Over the next 18 months, we plan to implement the following:
● Video calls
● Cryptocurrency transfers (Bitcoin, DASH, Ethereum, NEM, Monero)
● Video conference calls
● Detection of intruder eyes on the screen
● Customizable channels
● Screen and theme customization
● File manager for the protected crypto container
● Decentralized transport infrastructure and resistance to all known blocking methods
● Development and integration of bots
● Functionality to support more cryptocurrencies
● Document viewer and media file playback within the app
● Hidden chats
● Functionality for P2P cryptocurrency exchange
● Migration to completely decentralized infrastructure Aegees.DCI
We plan to roll out Aegees Messenger globally in 2019, once we have developed the decentralized transport infrastructure.
We are continuing our meticulous development process. We have made quite a lot of progress, but there are still a number of issues remaining and we are deploying all our resources to find the solutions.
Our goal is to produce the best messenger app on the market for safe and secure communication. Aegees aspires to be the new industry standard for personal and business communication in all spheres of activities: legal and medical practice, financial management, and administrative and governmental affairs, to name a few.