Firebase Is Now Riding the End-to-End Encryption Wave

Dmytro Matviiv — June 4th, 2018

Note: The Virgil SDK used in this tutorial has been replaced by the Virgil Security E3Kit SDK. Please follow the Firebase guide found here.

Howdy Firebase community! We’re Virgil Security, the tech behind Twilio’s End-to-End Encrypted Messaging, securing hundreds of apps and IoT products on the Internet today. We receive a ton of requests from Firebase developers; they love the Firebase platform, but are concerned about its privacy and security. So, we integrated our SDK with Firebase to enable End-to-End Encryption for the Firebase platform and your app!

Today, at AltConf, next door to Apple’s WWDC, we are announcing our integration with Firebase. You can now add End-to-End Encryption (E2EE) to your Firebase project: build a secure WhatsApp-like chat app, protect your users’ profile data, health records, social photos–anything and everything!

While End-to-End Encryption may sound like smoke and mirrors, it’s super-simple. Here’s an explanation.

This is how your app looks today

Firebase app without End-to-End encryption

Data is only encrypted as it goes over WiFi and the Internet, and is unencrypted everywhere else. Technically, every server and database service along the way can access your users’ plaintext chat messages. When cloud service providers add an extra layer of security by using “at rest” encryption, it only means that the database file is encrypted on disk with a key (or keys) that they can access. Why is this a problem? A two-year study in the UK found that 88% of data breaches were caused by developer error, not cyberattacks. While Google is doing a great job protecting their cloud infrastructure, end-to-end encryption is a layer on top that protects developers from mistakes and hacks.

This is how your app looks after you implement client-side End-to-End Encryption

Firebase now has end-to-end encryption

Your app encrypts sensitive user data on the users’ devices as data is typed, photos are uploaded, etc. Your users hold the private keys to their own data, which they can share with others using client-side key management. It may sound crazy, but you can totally lock yourself and Google out from seeing your users’ sensitive data. And while you might trust yourself and trust Google, this may be data that you don’t want to see and don’t want to get into trouble for by accidentally leaking it. So, why store it unencrypted?
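The flow described above, as an added sketch that is not part of the original post and does not use the Virgil SDK: it relies on Node's built-in `crypto` module (X25519 key agreement, HKDF, AES-256-GCM), with an in-memory array standing in for the Firebase database. All function names and the sample message are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Each user generates a key pair on their own device; only publicKey is ever shared.
function newUser() {
  return nodeCrypto.generateKeyPairSync('x25519');
}

// Both parties derive the same 256-bit key from their own private key and the peer's public key.
function deriveKey(privateKey, publicKey, salt) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, salt, 'e2ee-demo', 32));
}

// Runs on the sender's device. The returned record is all the backend ever receives.
function encryptFor(senderPrivate, recipientPublic, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(senderPrivate, recipientPublic, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Runs on the recipient's device. Throws if the key is wrong or the record was modified.
function decryptFrom(recipientPrivate, senderPublic, rec) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(recipientPrivate, senderPublic, raw(rec.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(rec.iv));
  decipher.setAuthTag(raw(rec.tag));
  return Buffer.concat([decipher.update(raw(rec.ct)), decipher.final()]).toString('utf8');
}

function demo() {
  const alice = newUser(), bob = newUser(), outsider = newUser();
  const message = 'constructed sample: lab results attached';
  const database = [encryptFor(alice.privateKey, bob.publicKey, message)]; // stand-in for Firebase
  const dump = JSON.stringify(database); // what a breach or a misconfigured rule would expose
  let outsiderReads = null;
  try {
    outsiderReads = decryptFrom(outsider.privateKey, alice.publicKey, database[0]);
  } catch {
    outsiderReads = null; // GCM authentication fails without the right private key
  }
  const bobReads = decryptFrom(bob.privateKey, alice.publicKey, database[0]);
  return { plaintextInDump: dump.includes(message), bobReads, outsiderReads };
}

console.log(demo());
```

A real deployment also needs authenticated distribution of public keys (the client-side key management mentioned above), which this sketch leaves out.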

WhatsApp’s acquisition price: $21.8 billion

E2EE isn’t just a marketing trick to stand out in the crowd. Imagine you make one mistake and breach your users’ personal data. With E2EE, the breached data is still encrypted and valueless to the rest of the world that doesn’t have the correct key: cool, isn’t it? Which user would you rather be: the one in the first picture or the second?

Get Started

Follow our technical tutorial here to get started. You'll need to sign up for a free developer account at and then download the sample E2EE Firebase chat app according to the tutorial's instructions.

Build E2EE into your app, give privacy to your users. Be safe. Be cool. Don’t ask for trust. Oh, and if you happen to be in the Valley, NYC, or in Sofia, meet the team on the Virgil World Tour. If not, no worries, join us online:

Want to learn more about the Virgil Security products? Join our Slack community to start a conversation.

Virgil Security, Inc. is a stack of security libraries and all the necessary infrastructure to enable seamless, end-to-end encryption for any application, platform or device.

We guide software developers into the forthcoming security world in which everything will be encrypted (and passwords will be eliminated). In this world, the days of developers having to raise millions of dollars to build secure chat, secure email, secure file-sharing, or a secure anything have come to an end. Now developers can instead focus on building features that give them a competitive market advantage while end-users can enjoy the privacy and security they increasingly demand.
