From my limited googling I've noticed that a lot of the mainstream encrypted messaging apps all are either (or a combination of!) closed-source, run through an uncontrolled third-party server, use a proprietary algorithm, or use out-dated algorithms. In my opinion, this is just straight up unacceptable.
My plan was to build an open-source skeleton app that implements a basic messaging UI, then build a system that handles custom encryption algorithms by way of open-sourced plugins.
I'm hoping that by using a plugin system, users are free to choose which algorithm to use and that the plugins themselves will be facing serious scrutiny by the general security community.
Why I'm posting this here: I currently know very little about how to properly handle encrypted data. What are the weak points in this implementation? How does one enforce open-source plugins?
General notes:
- I know that SMS from a service provider counts as a third-party service. I'm thinking of including functionality to point the app at a server of your choice, so you have more control over your channels of communication (though I guess your ISP can still track meta-data and what-have-you)
- Initially, my plan is to only support in-person key exchanges (or whatever method of authentication is required). Over time, if the app proves useful and used then the custom server implementation mentioned above could be used for remote authentications