Igor Bubelov About Blog Photos

Client-Side Encryption

January 21, 2020

Many apps depend on servers and there are good reasons for that. We often hear of data breaches, and it may seem like the price we have to pay for the convenience of not having to worry about losing our data. There is always a full copy, somewhere in the cloud. Sometimes, bad people can hack their way to this data, but what can we do about that?

I was thinking about that for quite some time. The reason is: I’m working on a portfolio tracking app which deals with really sensitive data. Is there a good reason for our target audience to share their financial data with a bunch of shady Russian guys? I wouldn’t do that, would you? I mean, a lot of people wouldn’t mind, but we’re also responsible for protecting that data, and it’s not simple at all.

Actually, there is no need to share user data with “The Cloud” in order to make sure it’s available from any device, as long as users remember their auth credentials. You might have heard of the services such as ProtonMail or Tresorit, they adopted that model, and they provide their services without knowing anything about the private data of their users.

That’s really cool, and I hope more services will follow their lead but there is a problem with client-side encryption: it’s hard, at least for me. I’m a total noob in cryptography, but I feel that it’s the only way forward. So, I’ve found an interesting article to start with. I’ll play with this scheme and, hopefully, implement it in our app, so we won’t know anything about the financial data of our users. No data, no problem.