I just wanted to share an experience I had implementing E2E Encryption into Mogul. Mogul is a personal CRM with both an iOS and web app.
If you are unfamiliar with End to End, here is a brief summary:
"End-to-end encryption (E2EE) is a method of secure communication that prevents third-parties from accessing data while it's transferred from one end system or device to another. In E2EE, the data is encrypted on the sender's system or device and only the recipient is able to decrypt it."
The main reason to implement this is user privacy. In my mind, E2EE is the highest form of user privacy you can offer. The privacy is so strong that it could soon be illegal because even the government cannot access your data.
Another reason I implemented it is because it looked like such a fun challenge. I can only name a handful of apps that have this feature and I thought it would be cool if Mogul had it as well.
So my experiences:
I thought I could just use an open source library to encrypt/decrypt data but was very wrong. Since I allow users to use multiple devices (and multiple operating systems) I realized that the problem would be more complicated than I thought. E2EE is also much more than simply encrypting and decrypting on device.
The next problem was compliance. I was unaware that you had to declare encryption use in your application (iOS) and if I got it wrong then I would face penalties and removal of the app. I also had to remove the app from France because the hurdles to get approval from the French government were too high (I also don't speak French and the entire application was in French).
With these 2 big problems, I opted to use Virgil Security (http://virgilsecurity.com/) to handle the E2EE. They also have registered their encryption in the US so I was able to get approved on the app store with no issues. Virgil also has a great out of the box Firebase integration, which helped speed up the process for Mogul.
One of the biggest issues I encountered was that a lot of features ended up breaking. Mogul is extremely simple, but a few core features such as search and push notifications stopped working because of E2EE.
For search, I utilized Algolia, but now that the data is encrypted there is no way for Algolia to index the data.
If I had any complex feature that required data to be parsed on a server, it would have broken. This also means any future features need to be local only.
It makes a lot of sense why none of my competitors have implemented this. Aside from the technical and compliance challenges, it just doesn't make sense to implement it if it breaks a lot of core features.
Highly recommend implementing it though if your app allows it. Happy to answer any questions about E2EE!
PS: We have a free trial (https://mogulnetworking.com) if you want to try out E2E for yourself 🔒
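
The search breakage described in the post, as an added example (not Mogul's or Virgil Security's code): a server-side index sees only ciphertext and finds nothing, while an index built on the device after decryption works. It assumes plain AES-256-GCM from Node's built-in `crypto` as a stand-in for the E2EE layer, a key that exists only on the user's devices, and constructed notes; all function names are hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: a 256-bit key that never leaves the user's devices.
const deviceKey = crypto.randomBytes(32);

// Encrypt on the device; the server only ever stores {id, iv, ct, tag}.
function encryptNote(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv: iv.toString('hex'), ct: ct.toString('hex'), tag: c.getAuthTag().toString('hex') };
}

function decryptNote(key, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'hex'));
  d.setAuthTag(Buffer.from(rec.tag, 'hex'));
  return Buffer.concat([d.update(Buffer.from(rec.ct, 'hex')), d.final()]).toString('utf8');
}

// All a hosted search service can do: match the term against what it stores.
function serverSearch(stored, term) {
  return stored.filter(r => r.ct.includes(term.toLowerCase())).map(r => r.id);
}

// On the device: decrypt, then build an in-memory inverted index (token -> ids).
function buildLocalIndex(key, stored) {
  const index = new Map();
  const rejected = [];
  for (const rec of stored) {
    let text;
    try { text = decryptNote(key, rec); }
    catch (e) { rejected.push(rec.id); continue; } // GCM check failed: tampered or wrong key
    for (const token of new Set(text.toLowerCase().match(/[a-z0-9]+/g) || [])) {
      if (!index.has(token)) index.set(token, []);
      index.get(token).push(rec.id);
    }
  }
  return { index, rejected };
}

const localSearch = (local, term) => local.index.get(term.toLowerCase()) || [];

// Constructed sample notes, encrypted before "upload".
const notes = [
  ['c1', 'Met Dana, angel investor, at the Austin meetup'],
  ['c2', 'Follow up with Lee about the design review'],
  ['c3', 'Dana introduced me to a second investor'],
];
const stored = notes.map(([id, text]) => ({ id, ...encryptNote(deviceKey, text) }));
```

The local index has to be rebuilt (or stored encrypted) on every device, which is the cost behind "future features need to be local only".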