
Pushbullet Now Protects Messages With End-To-End Encryption

Pushbullet, the cross-platform app that allows messages from different IMs and notifications to be synced to the desktop, added the much-requested end-to-end encryption functionality. This should protect the data even from Pushbullet itself, because only the user has the key to decrypt it.

According to the developer, the feature didn't take anything away from Pushbullet's main functionality except a couple of weeks of development time. Now, users can breathe easier knowing that they don't have to worry about Pushbullet seeing all of their IM messages or smartphone notifications.

Up until now, you may have used an app such as Hangouts, for instance, which encrypts everything between you, Google's servers, and the recipient of your messages, making your communications secure (with some exceptions in situations where either Google is hacked, or governments request your data).

However, when you added Pushbullet to the mix, your messages could also be read by the company's servers. Pushbullet is a relatively new company that you may not trust as much as you do Google or some other IM vendor. With the new end-to-end encryption scheme, the messages can't be seen by Pushbullet anymore (although they can still be seen by Google, in the former example, or other IM vendors that also don't use end-to-end encryption).

But Hangouts already has a desktop web-based client, so why would you even bother with Pushbullet? The advantage of Pushbullet is that you can keep all of your messengers in one place, be it Hangouts, WhatsApp, Facebook Messenger, Telegram, Line or what have you. The app even allows you to reply to SMS text messages, and you can check other phone notifications, as well.

Pushbullet's end-to-end encryption is nothing fancy, but in this case it seems to do the job rather well. The company actually uses symmetric encryption rather than asymmetric encryption, which most other end-to-end encryption systems use, by requiring you to add a password to each one of the devices you want synced.

For instance, you will need to add the same password to both your smartphone and your PC in the app's End-to-End Encryption settings. Once you add it to your smartphone, it will also give you a notification on the PC to add the password (after you install and sign in to the Pushbullet Chrome extension).

Symmetric encryption (AES-256 with GCM authentication) works in this case because sending the messages involves only devices in close proximity, and you don't have to exchange a password or key with someone else over the insecure Internet.

Neither Pushbullet's servers nor the devices will store the password. Instead, the password will be used to derive a key using the PBKDF2 function. This key is then used to encrypt the data locally. All Pushbullet sends after that is encrypted data between your devices, and the data is automatically decrypted when it arrives on the other devices that also use the same password.
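The flow described in the two paragraphs above (password to PBKDF2 key, then AES-256-GCM on each device) can be sketched as follows. This is an added example, not Pushbullet's code: the salt, iteration count, hash function, message layout and sample strings are assumptions chosen for illustration.

```javascript
// Added example, not Pushbullet's implementation. Parameters are assumed.
const nodeCrypto = require("crypto");

const ITERATIONS = 200000; // assumed PBKDF2 work factor
// Assumed salt: a per-account value that every device already knows.
const SALT = Buffer.from("constructed-account-id");

// Runs locally on each device; the password itself is never transmitted.
function deriveKey(password) {
  return nodeCrypto.pbkdf2Sync(password, SALT, ITERATIONS, 32, "sha256");
}

// Sender side: AES-256-GCM with a fresh 96-bit nonce for every message.
// Assumed layout: nonce(12) || tag(16) || ciphertext, base64-encoded.
function encryptMessage(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Receiver side: returns the plaintext, or null when the GCM tag does not
// verify (different password on this device, or the relay altered the data).
function decryptMessage(key, envelope) {
  const raw = Buffer.from(envelope, "base64");
  if (raw.length < 28) return null; // too short to hold nonce and tag
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8");
  } catch (err) {
    return null;
  }
}

// Constructed sample: phone encrypts, the server relays opaque data, and
// only a device that was given the same password can read it.
function demo() {
  const phoneKey = deriveKey("constructed sample password");
  const relayed = encryptMessage(phoneKey, "SMS from Alice: running late");
  return {
    samePassword: decryptMessage(deriveKey("constructed sample password"), relayed),
    otherPassword: decryptMessage(deriveKey("some other password"), relayed),
  };
}
```

Because GCM authenticates as well as encrypts, a device holding a different password gets a verification failure rather than garbage plaintext, and a relay that modifies the envelope is detected the same way.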

The new end-to-end encryption feature is supported on Android, Chrome and Windows, and it will soon be supported on iOS and Mac, as well. Support for Opera, Firefox and Safari will be added once the developers see that everything works well in Chrome.


Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.