Senior Capstone Project

Primary language: Kotlin

Android-Chat-App

Summary

My application allows users to send messages using XMPP. On the server side, Openfire handles the distribution of XMPP messages.

Messages support end-to-end encryption if the user so chooses. Encryption is done using the RSA algorithm: the public key for each user is stored in the Firebase Realtime Database, and the private key is stored using the Android Key Store.

One of my app's main features is the user-defined "available hours," which determine when the user receives a notification for any message. If a user sets their available time between 8:00 a.m. and 5:00 p.m., then any message received between these times will trigger a regular notification on the device. If a message is received any time before 8:00 or after 5:00, the app will only display a silent notification on the device.

In addition to controlling when notifications are displayed with the available hours, users can mute individual conversations. There is also a setting to mute all group conversations globally. If a chat is silenced, no notification will be displayed, not even a silent one, but the user still receives all their messages.

Each message also shows sent, read, and received receipts to give the user further information. If a user desires, they can turn off read receipts and typing indicators, so a recipient will never know whether the user is typing or has read their message.

Every user can also view their contacts' availability times and presence (offline, away, and online). Note that even if a user is technically online (using the application), they will appear offline to all their contacts while they are outside of their availability hours.

In terms of security, as previously mentioned, end-to-end encryption can be used to secure all messages if the user has this setting on. For additional protection, all XMPP traffic is sent over a secure connection, using SSL certificates obtained via Let's Encrypt for the app's domain, tapinapp.com. To secure the app itself, the user can choose to lock the app with biometric credentials (fingerprint). The app attempts to disallow screenshots, though this is not guaranteed protection, as it depends on what Android version the device is running and whether the device is rooted.
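
The key handling described above (private key held in the Android Key Store, public key published for contacts) can be sketched as follows. This is an added example, not code from this project: the alias, the 2048-bit key size, OAEP with SHA-256, and the Base64 X.509 string used as the published public key are all assumptions, and the Firebase read/write is left out.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.spec.MGF1ParameterSpec
import java.security.spec.X509EncodedKeySpec
import javax.crypto.Cipher
import javax.crypto.spec.OAEPParameterSpec
import javax.crypto.spec.PSource

private const val KEY_ALIAS = "chat_e2e_rsa" // hypothetical alias, not from the project
private const val TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" // assumed padding
// Pin MGF1 to SHA-1 (the Android Keystore default) so sender and receiver agree.
private val OAEP = OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)
/** Generates the pair inside the Android Keystore; returns the public key (Base64 X.509) to publish. */
fun createKeyPair(): String {
    val generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore")
    generator.initialize(
        KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_DECRYPT)
            .setKeySize(2048)
            .setDigests(KeyProperties.DIGEST_SHA256)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
            .build()
    )
    return Base64.encodeToString(generator.generateKeyPair().public.encoded, Base64.NO_WRAP)
}

/** Encrypts for a contact using the public key string fetched from the key directory. */
fun encryptFor(recipientPublicKeyB64: String, message: String): String {
    val plaintext = message.toByteArray(Charsets.UTF_8)
    // RSA-2048 with OAEP/SHA-256 carries at most 256 - 2*32 - 2 = 190 bytes.
    require(plaintext.size <= 190) { "message too long for a single RSA-OAEP block" }
    val keySpec = X509EncodedKeySpec(Base64.decode(recipientPublicKeyB64, Base64.NO_WRAP))
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, KeyFactory.getInstance("RSA").generatePublic(keySpec), OAEP)
    return Base64.encodeToString(cipher.doFinal(plaintext), Base64.NO_WRAP)
}

/** Decrypts with the private key, which is used in place and never leaves the Keystore. */
fun decrypt(ciphertextB64: String): String {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val privateKey = keyStore.getKey(KEY_ALIAS, null) as PrivateKey
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(Cipher.DECRYPT_MODE, privateKey, OAEP)
    return String(cipher.doFinal(Base64.decode(ciphertextB64, Base64.NO_WRAP)), Charsets.UTF_8)
}
```

Because the sender trusts whatever public key the directory returns, write access to each user's key entry should be restricted to that user.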

Backend Implementation

For the backend, an Openfire XMPP server was used, as well as an embedded Ktor server.