A friend and I are developing an Android application that will share data with other users through use of a Node.js server. To properly secure it I am going to:

- Assign each client a public/private key pair. The public key will be stored in the server.
- The server will also have its own public and private key pair.
- Whenever a client wishes to send data to other clients, a symmetric key will be randomly generated and sent out to the server and from there to the other clients. This key will, of course, be encrypted using the client's and server's public keys.
- Once every client has this symmetric key, the data is then sent having been encrypted using said symmetric key.

My question is, is this a secure system (if I also use digital signatures), and if so, where would I store the private key for each user/device? I can't embed it in the code, as Android apps are easily decompiled.

Thanks in advance.
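The exchange described in the question, sketched with Node's built-in `crypto` module as an added example (not code from the original post). It assumes one reading of the scheme: the sender wraps the random symmetric key directly under each recipient's registered public key, so the relaying server only forwards the envelope. The names `newClient`, `seal`, `unseal`, the envelope layout and the sample data are constructed, and keys are generated in memory only so the example runs; it does not address where a device stores its private key.

```javascript
// Added example: all names, the envelope layout and the sample data are constructed.
const crypto = require('node:crypto');

// RSA-OAEP with SHA-256 for wrapping the symmetric key.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Stand-in for a device generating its key pair and registering the public half.
function newClient(id) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { id, publicKey, privateKey };
}

// Sender: encrypt once under a fresh AES-256-GCM key, wrap that key per recipient,
// then sign the ciphertext so recipients can check who produced it.
function seal(sender, recipients, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(sender.id)); // bind the claimed sender id to the ciphertext
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrapped = {};
  for (const r of recipients) {
    wrapped[r.id] = crypto.publicEncrypt({ key: r.publicKey, ...OAEP }, key);
  }
  const sig = crypto.sign('sha256', Buffer.concat([iv, ct, tag]), sender.privateKey);
  return { from: sender.id, iv, ct, tag, wrapped, sig };
}

// Recipient: verify the signature against the sender's registered public key
// before unwrapping the symmetric key and decrypting.
function unseal(recipient, senderPublicKey, env) {
  const signed = Buffer.concat([env.iv, env.ct, env.tag]);
  if (!crypto.verify('sha256', signed, senderPublicKey, env.sig)) {
    throw new Error('bad signature');
  }
  const wrappedKey = env.wrapped[recipient.id];
  if (!wrappedKey) throw new Error('not a recipient');
  const key = crypto.privateDecrypt({ key: recipient.privateKey, ...OAEP }, wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAAD(Buffer.from(env.from));
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ct), decipher.final()]).toString('utf8');
}
```

An envelope altered in transit fails the signature check, and a client with no wrapped key entry cannot recover the symmetric key.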