Session is an open-source private messaging application that focuses on user privacy and message encryption.
It runs on a decentralized network of community-operated servers (service nodes) that form a global onion-routing layer, and creating an account does not require any personal information.
It is developed by the Oxen Privacy Tech Foundation (OPTF), an Australian non-profit focused on privacy technology that was previously known as the Loki Foundation; Oxen is the foundation's development project and also covers the Oxen blockchain, the Oxen Service Nodes that run on it, and the tooling around them.
The blockchain is not an add-on: it keeps the registry of the service nodes that Session routes messages through and backs the ONS names mentioned below, so it sits at the core of the protocol.
Session applies heavy encryption and data-minimization principles to metadata as well as to message content, on behalf of the user's identity.
Messages are end-to-end encrypted and travel through the decentralized network by onion routing, so the servers that relay or store a message cannot see its origin, its destination, or the IP address of the user who sent it, which makes the platform interesting for secure communications.
Session is free and available for Android and iOS, with desktop versions for macOS, Linux, and Windows that can be downloaded from the official website or from the platform app stores.
Once the app is installed, the next step is creating an account. The app generates a Session ID for the user; by default no email address or phone number is asked for, and none is stored.
After setup, users are shown their Session ID, which they can share so that other people can find them in the application.
The Session ID is the user's public key, so sharing it is safe; it is also possible to find users by their ONS (Oxen Name Service) name, and the mobile apps can scan a QR code for quick contact exchange.
Users are then invited to write down their recovery phrase. This phrase encodes the private key behind the Session ID and is the only way to regain access to the account: there is no server-side password and therefore no "forgot my password" option. Anyone who obtains the phrase controls the account, so it should be kept offline.
From a new conversation, users can send encrypted text, voice messages, GIFs, files, and photos, and can enable disappearing messages for additional protection.
Session also supports typing indicators and read receipts that show when the other party is typing or has read a message; both can be turned off in the settings.
Get started: Session App website
Session’s biggest differences from other messaging apps are its security features and focus on protecting its end-users.
The Session platform includes:
Onion routing: requests and messages are relayed through a path of several service nodes with one layer of encryption per node, so each node can decrypt only its own layer and learns only the previous and the next hop.
The result is that a user's connection is bounced across nodes in different places, making it technically very hard to trace back, and the user's IP address is hidden even from the nodes that end up storing the message.
Message time-to-live (TTL), exposed in the privacy settings as disappearing messages: the sender chooses how long the recipient has to read a message before it is deleted on both sides, from a few seconds up to a week.
Built-in metadata privacy: Session itself does not record users' geolocation, networks, or device information, in line with a privacy policy centred on collecting as little metadata as possible.
Public-key identities with no personal data attached: a Session ID is a public key, so an account can be created without an email address or phone number. No central server holds account credentials, so the account can only be recovered with the recovery phrase.
Fully encrypted closed groups of up to 100 members, end-to-end encrypted over the decentralized network. Users can also host open groups on their own servers, but in that case messages are encrypted only in transit to the server, and the server operator can read them.
A built-in option to wipe local data and the data stored on the network, another layer of protection for users who want to remove their traces.
Session stores no metadata about conversations and does not expose a user's IP address to other users or even to the servers that store messages, and it states that it has never disclosed such information to governments or judicial authorities.
Its source code and protocol are open for transparency and review.
Session originally reused the Signal Protocol for end-to-end encryption, together with Signal's Sender Keys scheme for closed groups. At the end of 2020 it replaced both with its own Session Protocol, a simpler design built directly on the users' long-term X25519 keys (the Session ID is the public half); closed groups are now encrypted with a group key distributed to the members.
Compared with the Signal Protocol, three differences stand out: IP logs, perfect forward secrecy, and self-healing.
IP logs: Signal relies on central servers, and those servers see the IP address of every client that sends or fetches a message.
Session has no central server with that view; messages travel by onion routing, so the nodes that store them never see the sender's IP, which adds a layer of privacy against third parties.
Perfect Forward Secrecy (PFS) is the property that exposure of a long-term key does not reveal past conversations.
Signal's double ratchet achieves it by deriving a fresh key for every message from short-lived Diffie-Hellman keys and deleting each key as soon as it has been used, so the long-term key alone cannot decrypt anything that has already been sent.
Self-healing (also called post-compromise security) is the companion property for future messages: after a ratchet key leaks, the next Diffie-Hellman ratchet step produces keys the attacker cannot derive, so the leak does not extend forward.
An attacker who obtains a ratchet state can therefore only read the messages associated with that state, not the messages that follow.
The Session Protocol has neither property. A message is encrypted to the recipient's long-term key, so anyone who has recorded the ciphertext and later obtains that key (from a seized device or a leaked recovery phrase, for example) can decrypt it, and a compromised key stays useful until the user moves to a new Session ID. This is a deliberate trade-off in favour of a simpler protocol that is easier to run across several devices and through the decentralized storage network, and it should be weighed against the stronger guarantees the Signal Protocol gives.
What Session adds on top of Signal is the onion routing, which hides users' IP addresses from the servers and so removes a layer of traceability.
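The two mechanisms discussed above, onion routing (each hop peeling one layer and learning only the next hop) and the consequence of dropping forward secrecy (a recorded message that becomes readable once the recipient's long-term key is stolen), are shown in the following Go example. It is an added illustration written for this page, not code from Session or Oxen: it uses X25519 and AES-256-GCM from the Go standard library (crypto/ecdh needs Go 1.20 or later), hashes the shared secret with SHA-256 as a simplified KDF, and invents a layer format (ephemeral public key, then a next-hop index inside the ciphertext, with an `exit` marker for the last hop); none of that is Session's wire format, and the `pfsDemo` function only reproduces the shape of "ephemeral sender key to long-term recipient key" versus "one-time key discarded after use", not Session's actual message encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// X25519 key agreement; the shared secret is hashed with SHA-256 (a simplified KDF, an assumption here).
func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
func kdf(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(priv.ECDH(pub)))
	return k[:]
}

// AES-256-GCM: seal returns nonce||ciphertext; open fails on a wrong key or any tampering.
func seal(key, pt []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Onion layer = 32-byte ephemeral pubkey || GCM(next-hop index || inner layer).
// The layout and the exit marker are made up for this example, not Session's wire format.
const exit = 0xFF // next-hop value meaning "last hop: deliver the payload"
func buildOnion(payload []byte, hops ...*ecdh.PublicKey) []byte {
	blob := payload
	for i := len(hops) - 1; i >= 0; i-- { // wrap from the exit inwards
		next := byte(exit)
		if i < len(hops)-1 {
			next = byte(i + 1)
		}
		eph := newKey() // fresh per layer, so no hop can link two layers by key material
		blob = append(eph.PublicKey().Bytes(), seal(kdf(eph, hops[i]), append([]byte{next}, blob...))...)
	}
	return blob
}

// peel is one hop's share of the work: it learns the next hop and an opaque blob, nothing more.
func peel(hop *ecdh.PrivateKey, blob []byte) (byte, []byte, error) {
	if len(blob) < 32 {
		return 0, nil, fmt.Errorf("layer too short")
	}
	pt, err := open(kdf(hop, must(ecdh.X25519().NewPublicKey(blob[:32]))), blob[32:])
	if err != nil || len(pt) == 0 {
		return 0, nil, fmt.Errorf("cannot peel layer: %v", err)
	}
	return pt[0], pt[1:], nil
}

// route walks the circuit from hop 0, returning the delivered payload and the path taken.
func route(onion []byte, hops ...*ecdh.PrivateKey) ([]byte, []int, error) {
	var path []int
	for i := 0; ; {
		path = append(path, i)
		next, inner, err := peel(hops[i], onion)
		if err != nil || next == exit {
			return inner, path, err
		}
		onion, i = inner, int(next)
	}
}

// Forward secrecy: sealing to the recipient's long-term key (the Session Protocol's shape) leaves a
// recorded ciphertext readable once that key is stolen; a one-time key discarded after use does not.
func pfsDemo() (readableWithoutPFS, readableWithPFS bool) {
	bobLong, aliceEph, msg := newKey(), newKey(), []byte("recorded last year")
	ct := seal(kdf(aliceEph, bobLong.PublicKey()), msg)
	_, err := open(kdf(bobLong, aliceEph.PublicKey()), ct) // attacker now holds bobLong
	readableWithoutPFS = err == nil
	ct2 := seal(kdf(aliceEph, newKey().PublicKey()), msg) // Bob's one-time key, never kept
	_, err = open(kdf(bobLong, aliceEph.PublicKey()), ct2) // bobLong is all the thief has
	readableWithPFS = err == nil
	return
}

func main() {
	h0, h1, h2 := newKey(), newKey(), newKey() // three service nodes; the client gets only their public keys
	onion := buildOnion([]byte("hello via 3 hops"), h0.PublicKey(), h1.PublicKey(), h2.PublicKey())
	payload, path, err := route(onion, h0, h1, h2)
	fmt.Println(string(payload), path, err) // hello via 3 hops [0 1 2] <nil>
	fmt.Println(pfsDemo())                  // true false
}
```

Running it delivers the payload along the path [0 1 2]; the entry layer can be opened only by hop 0, since each layer is keyed to one node's public key. `pfsDemo` returns `true, false`: with the recipient's long-term key alone the first ciphertext is readable, the second is not. A real ratchet additionally rotates the sender's keys and authenticates the sender, which this sketch leaves out.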
As for legal requests, the entity answerable for Session is the Oxen Privacy Tech Foundation. The Foundation cannot hand over what it does not hold: the only account identifier is the public Session ID, and it has no access to users' message content or keys.
Because the protocol runs over a decentralized network, a user's IP address cannot be traced back through Session either, although access logs for the project website and the App Store or Play Store download records still exist and are outside Session's control.
Overall, Session does not require personal information such as an email address or phone number to identify a user.
Its privacy-by-default policy means the platform does not collect location, geolocation, network, or device data, and the node system prevents it from disclosing its users' IP addresses.
Even so, like any organisation subject to the laws of several jurisdictions, it reserves the right to share information with third parties where required by applicable laws, regulations, legal process or government requests, to detect crime or fraud, and to protect Session's rights, property, or safety.
Session can therefore be compelled to share what it has on a user, but what it has is minimal.
In short: Session (like any other company) can be legally compelled to share user data, except it does not actually have user data to share.
Session's blockchain layer is the Oxen blockchain, a developer platform for privacy tools that emphasises privacy and decentralization.
The Oxen blockchain is maintained by OPTF and runs on a network of nodes operated by the community.
To operate a service node, an operator must stake a certain amount of OXEN, the network's privacy-focused cryptocurrency, which also supports instant anonymous payments.
A full service node requires 15,000 OXEN; a shared node can be joined with a smaller contribution, down to 3,750 OXEN. The stake is collateral, so it encourages reliable behaviour and a healthy network.
The scalability and decentralization of the network rest on the Oxen Service Nodes, and registering one requires time-locking that stake.
In return, the operator receives a share of each block reward for the node's participation.
Because Session runs on this network, it inherits the network's decentralization and reliability.
The time-locked stake is central to the design: it gives nodes a positive incentive to behave honestly and to meet minimum service standards for the network.
OXEN also works as an anonymous means of payment. It is not handled inside the Session app but in the separate Oxen Wallet, which lets users view their balance and receive and send OXEN in private, decentralized transactions.
The wallet talks to an Oxen daemon that synchronises with the network and scans the chain for the wallet's transactions.
In many reviews and rankings of secure and encrypted messaging apps, Session appears as one of the most praised options.
Because the platform puts privacy and security first and quality-of-life features second, some users complain about missing or less convenient features; stickers, for example, are far easier to find and share on Telegram. Overall, though, the response is good.
Check out our Telegram review for more info about this service.
At the beginning of 2021, Signal and Session both saw a rapid rise in popularity, with Signal gaining millions of new users during a wave of media coverage of messaging platforms' security issues.
On 14 January, Signal announced on its official channels that it had passed 50 million downloads on the Play Store that day.
Since Session started as a fork of Signal's clients and adds its own privacy layers on top, this surge also made Session known to the public, with news outlets and specialist websites listing it as a good alternative to WhatsApp or FaceTime.
Overall, the media reception was positive and presented Session as one of the most secure apps for Internet communications, with a still growing and active community, while noting that it lacks some functionality that might annoy some users.
In that respect, the feature sets of Signal and Telegram seem more appropriate for the average user.
Deccan Herald listed Session as one of the main reasons to dump WhatsApp for a more privacy-focused option, and NextPit sees Session as one of the most promising messengers and an excellent choice to use alongside Telegram.
The Windows Club rates it powerful for anonymity and security, but not feature-rich for end customers.
The downsides cited are the lack of two-factor authentication and little room for customization compared with other apps.