Inspiration
In the wake of major hacks like the recent Equifax security breach, it's clear that we need to provide better tools to help people keep their digital lives and communications secure. While there are several high-quality secure messaging options including Telegram, Signal, and Keybase, these solutions share one fatal issue: none of our friends use them. We wanted to build an app that lets you encrypt your chat without leaving the apps you love.
What it does
SecureBoard is the magic keyboard that encrypts everything you type. It uses industry-standard OpenPGP encryption, with a seamless user interface that's just as easy as regular messages. When you enter a supported messaging app (in our prototype, Twitter Direct Messages), SecureBoard adds its automatic secure layer right on top of the "Enter a message" field. With automatic Keybase-powered key discovery, there are no keychains to manage and no web of trust to maintain – everything just works.
How we built it
To build SecureBoard, we hacked the Google Keyboard using Android's accessibility and screen overlay APIs. We detect when the user has entered a message session and render our features directly on top.
We also developed a solution to allow bots to take advantage of SecureBoard. SecureBoard for Bots is a connector for the Microsoft Bot Framework that allows any Azure Bot Service bot to communicate using PGP. It's just as seamless as the human version, with easy integration for developers and a full unencrypted fallback.
Challenges we ran into
We ran into two major challenges in developing SecureBoard:
Encryption, especially OpenPGP, is considerably more complicated than it first appears. To get even the basic functionality working correctly, we needed to add support for complex features like subkeys and multiple encrypted data objects.
The Android accessibility APIs are not designed for our type of use case, so it took considerable hacking to make the encryption overlay look and behave properly.
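An added example (not SecureBoard's code) of where subkeys surface in basic OpenPGP handling: an encrypted message is a sequence of packets, and each recipient's session-key packet (PKESK, RFC 4880 tag 1) typically names an encryption subkey rather than the primary key, so key lookup has to search subkeys too. The sample bytes, key IDs and keyring layout are constructed for illustration.

```python
PKESK, SEIPD = 1, 18  # RFC 4880 packet tags

def read_packets(data):
    """Split a binary OpenPGP message into (tag, body) pairs (RFC 4880, 4.2)."""
    packets, i = [], 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = 0 if ltype == 3 else 1 << ltype  # type 3: body runs to end of input
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def recipient_key_ids(data):  # key IDs named by the version-3 PKESK packets, in order
    return [body[1:9].hex().upper() for tag, body in read_packets(data)
            if tag == PKESK and body[:1] == b"\x03"]

def select_decryption_key(data, keyring):
    """keyring: primary key ID -> [subkey IDs] (hypothetical layout)."""
    for kid in recipient_key_ids(data):
        for primary, subkeys in keyring.items():
            if kid in (primary, *subkeys):
                return primary, kid
    return None

def _esk(hdr, kid):  # constructed v3 PKESK packet: one-octet length, dummy key material
    body = b"\x03" + bytes.fromhex(kid) + b"\x01" + bytes(10)
    return bytes([hdr, len(body)]) + body
# Constructed sample: PKESKs for two recipients (new- and old-format headers), then SEIPD.
SAMPLE = (_esk(0xC1, "1111111111111111") + _esk(0x84, "2222222222222222")
          + bytes([0xD2, 41]) + b"\x01" + bytes(40))
KEYRING = {"BBBBBBBBBBBBBBBB": ["2222222222222222"]}  # primary -> encryption subkeys
```

A lookup that compares only primary key IDs finds no match for this message, even though the second PKESK packet is addressed to a key in the keyring.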
Accomplishments that we're proud of
CryptoBoard works, and it works well. Since we use the well-established PGP protocol for encryption and the well-known Keybase service for key discovery, you can already use the app to communicate with tens of thousands of people. Talking to our demo bot, an adaptation of the Microsoft LUIS demo, shows just how easy it is to add CryptoBoard for Bots to an existing project.
What we learned
As a back-end developer without any front-end mobile experience, Mohit learned a lot from the process of building CryptoBoard. And as his first hackathon, Cal Hacks 4.0 was challenging and rewarding.
Carter has been using public-key cryptography tools for a while, but working on SecureBoard taught him how they work under the hood.
What's next for SecureBoard
One area that we didn't get a lot of time to focus on was the onboarding experience – what new users see the first time they launch the app. By improving this flow, and supporting more apps and message types, we hope to bring secure messaging to the widest audience possible.