Ailyaut's blog

Smoke

Disclaimer: I did this in 2 days in 2023 without knowing anything about cryptography and wrote most of the text at that time. I'm leaving this page online for the sole purpose of showing a project I've done in the past. I do not intend to continue working on it.

A secure, federated, end-to-end encrypted messaging app built with Godot Engine.
(or at least this is what I wanted it to be)

Why?

Why make a new messaging application when there are dozens of them?
When I made this project, I thought there was no perfect messaging app, so I had to make one. I didn't want to use proprietary applications (and still don't), and I felt that the open source options weren't good enough, Signal being centralized and XMPP being a hard sell for non-tech-enthusiasts.

Today (2025), I have a different opinion, and that is that there can't be a "perfect" messaging app because there are just too many different use cases for these. Signal is fantastic for everyday use, I love the independence that XMPP provides me, and I'd definitely use Briar if the situation called for it.

My goal was to create a secure federated messaging app with modern UI like Signal and that was extremely easy to set up for people who wished to host their own server. It also had to be open source.

I used Godot Engine because I was familiar with it.

Sending encrypted messages

Every message sent in the Smoke app is end-to-end encrypted with AES. Godot already had an implementation of the AES algorithm so I used it as-is.
Every message created in the app is turned into a dictionary that looks like this:

var message = {
  "from": from,  #the address of the sender ([email protected])
  "to": to,  #the address of the recipient ([email protected])
  "type": type,  #the message type (text, image, video, file, ...)
  "time": time,  #the time when the message was sent, in UNIX time
  "data": data  #the content of the message, which is encrypted
}

The “data” part is AES-encrypted with a symmetric key. For now, there is no key exchange algorithm so the key is the same for everyone, which is NOT secure (also the fact that only the "data" part is encrypted makes all the metadata unencrypted, which is... not good).

For the UI part, I used WhatsApp’s dark mode colors. It doesn’t matter too much since the app is not to be released.
This is what it looks like:

A screenshot of a conversation in the Smoke app. Person A says 'hey', person B replies 'hello', and then person A asks 'How do you do?'

It still needs work of course. The message bubble will need to show the hour the message was sent at, and there should be a “received” and “read” checkmark in the bottom-right corner. Sending images is also not supported for now.

After a message is sent or received, it is stored in plain text in a JSON file containing all your message log with the person you’re currently talking with. Each conversation is a different file, and the according file is loaded each time you enter a conversation. The goal for later will be to create a way to load only the last x messages of the log file and load older messages only when needed in order to speed things up.

Managing your contact list

The main screen of the app is a list of your conversations with all your contacts. You can add a new contact (and therefore a new conversation) with the + button in the bottom-right corner, which will send you to the ‘Contacts’ menu where you can add and delete contacts. Each time you add or delete a contact, a file in the JSON format is updated accordingly.

Here are the ‘Conversations’ and ‘Contacts’ menus:

A screenshot of the conversation list in Smoke. There is only one conversation available, with a contact named 'Ailyaut'. A screenshot of the contact list. Only one person is in there.

Logging in

There is no real login system for now, the address you use on the login screen will determine your identity for the session. No password is currently required. For later versions, the app will ask for a password, which will be hashed and sent to the server with the login. From there, the credentials will be compared against those in the server database and that’s it.

A screenshot of the login screen. It says 'Welcome!' in big letters.

Hosting your own server

One of my goals was to make it easy to self-host a Smoke server. This is why I also developed a server-side software for the messages to be sent through. DNS records were a pain when I set up my XMPP server, so I wanted to avoid that as much as possible. For this purpose, I made it so that when you login or register with an account, the domain part is converted into a “smoke” subdomain under the hood. No need for SRV records and multiple subdomains, just enter your login credentials like this:

[email protected]

And the app will transform it to:

[email protected]

But the first one will still be displayed. The app will just know that it has to send messages to smoke.example.com. If you’re hosting the server, you will host it on smoke.example.com and never think about it again.

Limitations

The app is not complete, and it is also not secure. The encryption key is currently the same for everyone and there is no login system. This app should NOT be used for secure communication!

My role

Programming

Software used

Godot Engine