An alternative solution for the notification system is to keep using Firebase and other systems, but end-to-end encrypt every notification so that Google cannot read it.
The theory of E2EE encryption
- Alice and Bob want to exchange secret messages.
- Alice and Bob each generate an RSA key pair: a public key and a private key.
- Alice and Bob exchange their public keys. Alice must ensure that the other party is not a “man in the middle” pretending to be Bob, and Bob must likewise ensure that the other party is Alice. There are protocols to do this correctly.
- Now Alice can generate a new (secure random) AES key and a new (secure random) IV, and encrypt the secret message using an AES encryption algorithm.
- Alice then encrypts the AES key using Bob’s RSA public key.
- Alice sends both the encrypted payload (with the IV) and the encrypted AES key to Bob.
- Bob can then decrypt the AES key using his RSA private key, and decrypt the payload using the decrypted AES key and the IV.
Note: For one-way encryption (notifications), only the client needs to generate a key pair.
Web + Elixir implementation
Elixir Implementation
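To load the client's public key, use this:

```elixir
# Decode a Base64-wrapped PEM string into an RSA public key record.
def load_pem_b64_rsa(pem_base64) do
  pem_string = :base64.decode(pem_base64)
  # Expects exactly one PEM entry; anything else raises a MatchError.
  [entry] = :public_key.pem_decode(pem_string)
  :public_key.pem_entry_decode(entry)
end
```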
To generate an AES key:

```elixir
# 32 random bytes from the CSPRNG (an AES-256 key), Base64-encoded.
def gen_aes_key() do
  :crypto.strong_rand_bytes(32)
  |> :base64.encode()
end
```
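The steps from the theory section put together for one notification, as an added example that is not the page's own code. It assumes AES-256-GCM and RSA-OAEP, which the page does not specify; the module name `NotifEnvelope`, the envelope field names and the `notif-v1` label are hypothetical.

```elixir
# Added example, not the page's own code. Assumptions: AES-256-GCM, RSA-OAEP
# (OTP default hash), and the envelope field names below.
defmodule NotifEnvelope do
  @oaep [rsa_padding: :rsa_pkcs1_oaep_padding]
  @aad "notif-v1"  # hypothetical context label, authenticated but not encrypted

  # Server side: encrypt one notification for a client's RSA public key.
  def seal(plaintext, rsa_pub) when is_binary(plaintext) do
    key = :crypto.strong_rand_bytes(32)   # fresh AES-256 key per message
    iv = :crypto.strong_rand_bytes(12)    # fresh 96-bit GCM nonce per message
    {ct, tag} = :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, plaintext, @aad, true)
    wrapped = :public_key.encrypt_public(key, rsa_pub, @oaep)

    %{k: wrapped, iv: iv, ct: ct, tag: tag}
    |> Map.new(fn {name, bin} -> {name, Base.encode64(bin)} end)
  end

  # Client side (shown in Elixir only to check the round trip).
  def open(env, rsa_priv) do
    %{k: wrapped, iv: iv, ct: ct, tag: tag} =
      Map.new(env, fn {name, b64} -> {name, Base.decode64!(b64)} end)

    key = :public_key.decrypt_private(wrapped, rsa_priv, @oaep)

    case :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ct, @aad, tag, false) do
      :error -> {:error, :tampered}
      plain -> {:ok, plain}
    end
  end
end

# Constructed test key pair standing in for the client's; in a deployment the
# private key is generated on the client and never reaches the server.
priv = :public_key.generate_key({:rsa, 2048, 65537})
pub = {:RSAPublicKey, elem(priv, 2), elem(priv, 3)}

env = NotifEnvelope.seal("New message from Alice", pub)
{:ok, "New message from Alice"} = NotifEnvelope.open(env, priv)

# Flipping one ciphertext bit must fail authentication instead of decrypting.
<<first, rest::binary>> = Base.decode64!(env.ct)
bad = %{env | ct: Base.encode64(<<:erlang.bxor(first, 1), rest::binary>>)}
{:error, :tampered} = NotifEnvelope.open(bad, priv)
IO.puts("round trip ok, tampering detected")
```

The client must use the same OAEP parameters and AES mode as the server, and the push provider only ever sees the Base64 envelope fields.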