Today we want to talk about the True Secure Messenger (TSM) and share our experience with the practical implementation of security concepts.
We will highlight the key points of this application's development.
This product was developed by Telesens in 2016 and is available on Google Play.
So what is TSM?
This is a secure messenger in which user authorization and all communications are based on cryptographic methods.
TSM is a software solution consisting of:
– a client application for mobile devices running the Android operating system;
– a client application for PCs running Windows and Linux.
Security concepts in practice
We took dozens of security principles into consideration during development in order to provide truly secure communication. Several of them are highlighted below.
Storing information on the server in plaintext could give an attacker full access to confidential data, correspondence and files if the server were hacked.
Therefore, all data on the server is stored in encrypted form, and decryption is performed only on the client (user) side using the user's personal decryption key. This completely excludes information leakage through the fault of the service's administrators or as a result of hacking.
Open source code
This principle allows interested users (and companies) to independently verify that the software is not malicious and has no hidden capabilities (backdoors) for gaining access to confidential information.
Highly reliable algorithms (AES, EdDSA, Curve25519) with a key length of 256 bits are used for data encryption and digital signatures. A temporary session key is used to encrypt transmitted information. It changes with every change in the composition of the chat participants, as well as after a specified period of time.
Secure communication between client and server
All messages and operations of the user, and all information coming from the server, are confirmed by the digital signatures of the user and the server, respectively. The user's personal password is not stored on the device and never leaves it. The user's private keys for the electronic signature and for "cloud" storage are stored on the device in encrypted form. They are never transmitted over the network in any form; they can be exported to another device only via a file or a QR code.
Multi-factor authentication is used to identify the user. It is based on several factors: the device identifier, the application identifier, the registration key and the personal signature. The user's device is authenticated using one-time codes issued by the server, so the combination of factors cannot be reused. Device IDs are stored in the server database in hashed form, which eliminates the possibility of their use in the event of a data leak from the server.
The messenger has settings for storing chat history. They allow you not only to store the history in encrypted form on the server, or only on the client for a selected period of time, but also to disable saving history completely. When a new user registers, there is no binding to a mobile phone number and no need to access the phone book, which also sets this product apart from comparable products on the market.
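To make the building blocks named above concrete, here is an added example in Go; it is not TSM's own code, and the page does not give TSM's protocol details. A Curve25519 (X25519) agreement is hashed into a 256-bit AES-GCM session key, each message's ciphertext is signed with the sender's Ed25519 (EdDSA) key, and the recipient verifies the signature before decrypting, so the relaying server holds only ciphertext and signatures. The Envelope type, the function names and the use of SHA-256 in place of a full KDF are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope is all the server stores or relays: nonce, AES-GCM ciphertext and the
// sender's Ed25519 signature over both. It never carries plaintext or keys.
type Envelope struct{ Nonce, Ciphertext, Sig []byte }

// sessionKey turns a Curve25519 (X25519) agreement into a 256-bit AES key. Hashing
// the shared secret with SHA-256 stands in for a real KDF such as HKDF (assumption).
func sessionKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) []byte {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		panic(err) // only possible with a malformed peer key
	}
	k := sha256.Sum256(shared)
	return k[:]
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so no error
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts msg with AES-256-GCM, then signs nonce||ciphertext with the sender's
// Ed25519 key so the recipient can check both origin and integrity.
func seal(key []byte, signer ed25519.PrivateKey, msg []byte) Envelope {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: a failure here is fatal in current Go, so unchecked
	ct := g.Seal(nil, nonce, msg, nil)
	return Envelope{nonce, ct, ed25519.Sign(signer, append(append([]byte{}, nonce...), ct...))}
}

// open verifies the signature first and decrypts only a message that passed.
func open(key []byte, sender ed25519.PublicKey, e Envelope) ([]byte, error) {
	if !ed25519.Verify(sender, append(append([]byte{}, e.Nonce...), e.Ciphertext...), e.Sig) {
		return nil, errors.New("signature check failed: message rejected")
	}
	return gcmFor(key).Open(nil, e.Nonce, e.Ciphertext, nil)
}
```

Because the signature is checked before decryption, a tampered ciphertext or a message from an impostor identity is rejected without ever touching the AES key, and a change in the participant set yields a fresh session key.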
In conclusion
We would like to mention the built-in protection against man-in-the-middle (MITM) attacks, which automatically blocks the chat when a threat is detected. All of the above allows us to communicate securely in the digital world, both with each other and with institutions such as banks, courts, etc.
True Secure Messenger — security concepts in practice.