I created KeepItSafe because sometimes I'm not 100% sure incoming messages really come from the accounts I trust — accounts can be compromised. This app gives me a simple, offline way to create and verify short signatures for messages using a shared password (the pre-shared key).
This project is open source (MIT by default). I can change the license if you prefer another.
- Agree a strong pre-shared password with the person you want to verify messages with. (See "How to share the pre-shared key" below.)
- In the app, paste the message (WhatsApp, Telegram, Instagram) into
WhatsApp Message. - Type the agreed password into
Password. - Tap
Create Signatureto append a short signature to the message. The signed result is automatically copied to your clipboard. Share the signed message as you normally would. - To verify, paste a received signed message into
WhatsApp Message, enter the same password, and tapVerify Signature. The app shows a green ✅ if the signature matches, or a red ❌ if not.
I keep it intentionally simple and transparent:
- The app computes HMAC‑SHA256 over
message + passwordusing the password as the HMAC key. - The app takes the last 8 hex characters of that HMAC and appends them to the message using the separator
__(two underscores).
Signed message format:
<original message>__<8-hex-signature>
Verification: the app splits the input by the last __, recomputes the HMAC the same way, grabs its last 8 hex chars and compares them to the provided signature.
Implementation details: The core function is:
fun hmacSha256(message: String, secret: String): String { ... }and the UI is implemented in Jetpack Compose (Android).
- Message:
Meet at 9pm - Password (preshared key):
mySuperSecret123! - Computed HMAC (hex) → last 8 chars:
7f3c9a2b - Signed message:
Meet at 9pm__7f3c9a2b
Paste the signed message into the app and Verify Signature with the same password to confirm authenticity.
I do not trust third‑party platforms (email, WhatsApp, SMS) for sharing keys. Here are secure options I use and recommend — ordered from safest to least:
- In person (face-to-face): Say the password or scan a QR code on your phone. This is the safest.
- QR code printed on paper: Exchange the paper in person. It avoids retyping mistakes.
- Phone voice call (short-lived, verify verbally): Say the passphrase and confirm spelling. Don't leave it in chat logs.
- Secure ephemeral channel (optional): If you must use an online channel, use an end‑to‑end encrypted messaging app that you both already trust (e.g., Signal), and then delete the message and log after confirmation. Prefer in-person when possible.
Do NOT store the preshared key in cloud notes, email drafts, WhatsApp chats, or other platforms where compromised accounts can leak it.
- Short signature length. I currently use 8 hex characters (32 bits of the HMAC). That is compact for sharing in a chat but provides limited collision resistance. If you need high assurance, I recommend increasing the signature length or using the full HMAC output.
- Key strength matters. Use a strong, high-entropy passphrase (12+ characters, mix of words/symbols). Avoid single-word or reused passwords.
- One key per contact. Don't reuse the same pre-shared password across multiple people/services.
- Threat model. This protects against someone impersonating you without the preshared key. It does not protect if the attacker already has the preshared key, or if the receiving device is fully compromised.
- Replay attacks. This scheme signs the message content only — if the same message and signature are re-sent later, verification still passes. If you need replay protection, include timestamps or nonces in the signed message.
- Increase the signature length or include the full HMAC to improve security.
- Add optional timestamp + nonce to the signed message for replay protection.
- Provide a secure QR exchange flow for offline key sharing.
- Add a settings toggle to change separator or signature length for compatibility.
I built it because I wanted a lightweight, offline method to increase confidence in short messages I receive on WhatsApp or similar platforms — especially when account compromises are a real concern.
This repository is open source. I suggest the MIT license by default. Feel free to open PRs if you want to: improve signature length, change the crypto choices, add replay protection, or port to other platforms.