Secure Messaging

The news about governments eavesdropping on private conversations on the web has raised awareness of information security. When Facebook announced its acquisition of WhatsApp, it became a tipping point for some people to look for a secure messaging app.

There have long been secure ways to send messages using private/public key pairs. However, they do not come as a default feature in many popular applications. The same goes for messaging apps on mobile platforms: many popular apps do not have such a feature. Where it was available, as the OTR (off-the-record) feature in apps like ChatSecure, it was mainly designed to work when both parties are online and communicating in real time. So offline messaging is not supported, and the secure communication may not get established when needed.

This opens up a market opportunity for a messaging app with built-in encryption and data security. There are several apps trying to get that market share and here are some of them.

They all offered end-to-end encryption without providing the servers with the key or password needed to decrypt the messages. By reading through the reviews for those apps on the Google Play store, I noticed the following concerns from the users:

  1. How secure is the encryption?
  2. Even though the messages are encrypted, will the server still know who the user is and whom the user is messaging with?
  3. Will the server store the messages?
  4. Does it support picture, voice, video, and group messaging?

How secure is the encryption?

Since there is no widely accepted encrypted messaging protocol, many of those apps implement their own protocol based on existing cryptographic protocols. Some apps are proprietary and some are open source. Some claimed to have had a security audit, and some claimed to have received enough reviews and comments because they are open source. Some challenged hackers to break their encryption. There have been no known cases of encrypted messages being hacked. So, it should be secure enough, but no one can really say for sure yet. However, I notice that Whistle.im has had no updates since September of 2013. Some people have questioned the security of their protocol before. It does look like something went wrong. It may not really be related to their protocol. It may just as well be funding, the team, etc.

Even though the messages are encrypted, will the server still know who the user is and whom the user is messaging with?

This question differentiates two groups of users. One group of users wants to use secure messaging as a step up from regular apps like WhatsApp, Viber, Line, etc. They want ease of setup, including auto-discovery of their friends. They don’t care if the server knows their phone number, or if the app uploads all the information about their contacts. They may consider it a reasonable price in privacy to pay for the convenience. The other camp of users wants a secure messaging app to also be private. They don’t want the app to be checking who is using the app. They don’t want to give out their contact list. They don’t want the app to be reading their messages and emails. What they want is a way to communicate securely with someone they choose to contact. Total privacy is what they look for.

Will the server store the messages?

A message can only be hacked where it exists in some form. Even when they are encrypted, messages stored on the server are not as secure as messages that are not there. However, storage is tied to certain features. In order for the app to support access from multiple devices, the messages need to exist somewhere so that they can be synced to those devices. Message history is also a feature that requires messages to be stored. With pure end-to-end message delivery, the user experience with access from more than one device may not be very smooth. On the other hand, if the identity of the user is tied to a particular phone, there’s no need for the server to keep those messages (that’s how WhatsApp has offered certain data privacy).

Does it support picture, voice, video, and group messaging?

One might think that as the apps mature, they will support those features. However, it may not be that simple, because the messages still need to be secure. For example, Surespot locks an image by default when it is sent so that the recipient cannot save it to the gallery or take a screenshot. So supporting certain features can be more complicated than in regular messaging apps without encryption. Supporting easy-to-use group messaging with end-to-end encryption may not be that easy. Will new users be allowed to join an existing group? If they are, will they be able to read previously sent messages in the group? How will those messages be encrypted so that it is flexible to add and remove users in the group?
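One possible answer to the group questions above, as an added example that is not part of the original post and not the protocol of any app it names: an admin device wraps a fresh random group key for each current member and starts a new epoch on every join or removal. The names `newMember`, `newEpoch`, `unwrap` and `demo` are hypothetical, the data is constructed, and the sketch leaves out sender authentication and forward secrecy within an epoch.

```javascript
const crypto = require('node:crypto');

// Each member holds a long-term X25519 key pair; only the public key leaves the device.
const newMember = (name) => ({ name, ...crypto.generateKeyPairSync('x25519') });

// AES-256-GCM helpers; a sealed blob is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

// Key-wrapping key for one admin/member pair: X25519 ECDH, then HKDF-SHA256.
function pairKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'group-key-wrap', 32));
}

// New epoch (run on every join and removal): fresh group key, wrapped once per member.
function newEpoch(admin, members) {
  const groupKey = crypto.randomBytes(32);
  const wrapped = {}; // the only key material a relay server would ever store
  for (const m of members) wrapped[m.name] = seal(pairKey(admin.privateKey, m.publicKey), groupKey);
  return { groupKey, wrapped };
}

// A member recovers the epoch key from their own wrapped copy, if one exists.
function unwrap(member, adminPublicKey, epoch) {
  const blob = epoch.wrapped[member.name];
  if (!blob) return null; // not a member during this epoch
  return open(pairKey(member.privateKey, adminPublicKey), blob);
}

// Constructed walk-through: carol joins after msg1 was sent, so the group rekeys first.
function demo() {
  const [alice, bob, carol] = ['alice', 'bob', 'carol'].map(newMember);
  const e1 = newEpoch(alice, [alice, bob]);
  const msg1 = seal(e1.groupKey, Buffer.from('sent before carol joined'));
  const e2 = newEpoch(alice, [alice, bob, carol]);
  let carolReadsOld = true;
  try { open(unwrap(carol, alice.publicKey, e2), msg1); } catch { carolReadsOld = false; }
  return { bobReadsOld: open(unwrap(bob, alice.publicKey, e1), msg1).toString(), carolReadsOld };
}
```

Whether a new member should see earlier messages becomes a policy choice in this design: giving them the older epoch keys opens the history, withholding them keeps it closed.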

Some other pains

There are also certain issues that users need to be aware of. Since most of the servers do not store the password, there is no way for users to recover it. Some apps do not even store the private keys on their servers, so not only does the user have to remember the password, he or she also needs to keep the private key in a secure place so that the identity can be restored when the phone is switched or formatted. Even though it is not discussed much in the reviews and comments, it can be a growing pain for users of certain secure encrypted messaging apps.

Who would be the next WhatsApp, Viber or WeChat in secure messaging world?

What I mentioned above are the concerns of individuals. Messaging apps need more than one user to be useful and successful. Can two friends settle on one secure messaging app? Will all their friends agree with their choice? What percentage of mobile users actually care about the privacy and security of their communications? Which team will figure out a way to implement a secure messaging app that is so simple and easy to use that people will adopt it without much friction?

What is product management?

Product management begins before the product exists. It starts with the idea or the need to have an idea. Here, I use the term product, but it is not limited to a physical product that you can hold or see. A product represents anything that can be offered to a customer. Here is a short overview of what product management covers.

Crafting idea

Some start with a product idea such as “I want to create an email client for Android phones”. However, in some companies, a team would brainstorm new product ideas. The ideas can be vague in the beginning, and more work needs to be done to arrive at a more specific product idea.

  • What features of the product would differentiate it from similar products?
  • Who are the target users? Would they use it? How much would they pay for it?
  • What technologies would be required to create such a product?
  • How much would it cost to create the product?
  • What kind of revenue would it make?

Visualizing the idea

It’s better to show and tell than to explain to someone what our product idea is. A minimal viable product (MVP) should represent the most important aspects of the final product. If the new email client focuses on performing certain activities with minimal interaction, the MVP should support such interactions. The MVP does not need to include features that are not the focus of this product, such as supporting multiple email server types. The main use of the MVP is to validate how important the major features are to the target customers. Give the MVP to customers who are in the target group and get feedback. Since it has few features, making changes to them is also easy. With quick turnarounds, the MVP should be updated so that it includes all the features that are important to the customers who would pay for the final product.

Creating a road-map for the idea

With a better understanding of the idea and confidence gained from potential customers’ feedback, a road-map can be built.

  • Phases of release with list of features to be supported in each phase
  • Who would be target customers for each phase?
  • What are the objectives for the phases?

Selling the idea

If it is a product for a start-up and the start-up is seeking external financing, it is very important that the potential investors buy into the idea. If it is a product for an existing company, it is also very important that the company management wants to invest in such a product. The interests and concerns of the stakeholders should be taken into consideration, and an appropriate presentation should be made to get the idea sold.

Transforming the idea into product

Product development would involve multiple teams – designers, developers, testers, technical writers, IT support, etc. While the product is being developed, sales and marketing teams need to get updates about the product. Executives would also like to know how the product is coming along. Potential customers may also be consulted for certain details about the product.

Protecting the idea/product

Product management needs to wear many different hats during the life of the idea, and eventually the product, to make sure that it remains true to what the customers want and would pay for.

Launching the product

Some products may be launched as a minimal viable product with beta users. Some products may need to build up suspense before a big launch. A good launch plan needs to be crafted with the marketing team based on the product type and market.

Improving the life of the product

The market may change. Technologies may change. Customers’ expectations may change. The company’s revenue expectations may change. In a world of uncertainty, it’s very important to improve the product along the way to keep it relevant and maintain its attractiveness to customers.

The world according to Aung