Session App Review: Everything You Need to Know

Updated: 12 September 2021

Fact-checked by Shanika W.

Session App is an open-source private messaging application that focuses mainly on user privacy and communication encryption.

The platform is based on decentralized servers connected in a global routing network and does not ask users for any personal information when creating an account.

It was developed by Oxen and is supported by the Loki Foundation, a non-governmental organization from Australia focused on privacy technology.

Oxen is the development branch of Oxen Privacy Tech Foundation (OPTF), which also includes Oxen Service Nodes, Oxen Blockchain, its tools and general applications related to it.

The blockchain background is built into Session by design, since the platform uses this type of technology at the core of its protocol.

Session combines heavy encryption of metadata with data-minimization principles to protect the user’s identity.

Communication uses the Signal Protocol over a decentralized network in which the servers cannot trace a message’s origin or destination, nor the IP addresses of the users who sent it in the first place – which makes this a very interesting platform for secure communications.

Related guide: Signal Private Messenger review
Related guide: Telegram review
Related guide: Privacy Friendly Google Alternatives – Search, Mail & Maps

Session App

Session App Basics

Session is free and is available for mobile on Android and iOS. There are also desktop versions for Mac, Linux and Windows, which can be downloaded from the official website or from application stores.

Once users have installed the app on their preferred platform, it is time to create a private account. During this process, users generate a Session ID, and by default there is no need for an email address or phone number to create the profile.

Session App ID

Once users are set in, they are greeted with their own Session ID they can share with others so other people can find them in the application.

This information is public, and it is also possible to search for users based on ONS name. For the mobile app, it is also possible to scan QR codes for quick access.

After logging in, users are also invited to create their recovery phrase. On the Session platform users can only recover lost access to their accounts using this phrase, since there is no “lost my password” option.

Session App Recovery Phrase

By starting a new conversation, users can send encrypted messages, audio, GIFs, files and photos. It is also possible to enable disappearing messages to improve security.

Session also supports visual indicators that show when the other user in the conversation is typing or has read a message, and gives users the option to turn these functions off.

Get started: Session App website

Session App Conversation

Session App Features

Session’s biggest differences from other messaging apps are its security features and its focus on the protection of its end-users.

The Session platform includes:

Support for the Onion Routing Network, a network that uses nodes and multi-layer encryption to provide a decentralized connection to improve security.

This is done in such a way that the user’s traffic is bounced between different nodes, making it technically very difficult to trace the connections back, and the end-user IP is hidden even from the Session servers.

Related guide: Ultimate guide to TOR

Session App IP Bouncing

Message time-to-live (TTL), an option in the privacy settings that lets users choose how much time the recipient has to see the message before it expires and can no longer be accessed by either party. It is possible to set the expiration time from a few seconds to a week.

A high level of built-in metadata privacy, such that Session itself does not record geolocation, networks or other information about its users, in line with a privacy policy that focuses on minimizing metadata collection.

Public key identification and no personal data linked to accounts, since Session IDs make it possible to create an account without an email address or phone number. The information is stored on a decentralized platform, and the user can only recover their ID using the recovery phrase.

Fully encrypted and open group chats, in which end-to-end encrypted group chats can hold up to 100 users on the decentralized platform. Users can also host open groups on their own servers, but in that case encryption only covers transit to the server.

Built-in secure clearing of local and server data, offering another layer of protection for users who want to remove their traces at the local level.

Session App Clear Data

Session App Security

Session does not store any metadata about conversations and does not expose the user’s IP address to other users or even to the servers that store the data – nor has it ever disclosed such information to governments or judicial authorities to date.

Its source code and protocol are open to ensure transparency and security.

Session Protocol is based on the Signal Protocol, which is used on the end-to-end-encryption along with the Sender Keys system for closed groups.

Compared with the Signal Protocol, three main differences can be seen in the Session Protocol: IP logs, perfect forward secrecy and self-healing.

As for IP logs, the onion routing used in the Session Protocol means there are no central servers that can see or control user IPs.

In the Signal Protocol, by contrast, the central servers can access the IP address for each message sent on the platform.

The features developed for the Session Protocol thus give users one more layer of privacy and security against third parties.

Perfect Forward Secrecy (PFS) is a feature that protects conversations and messages from exposure of the long-term key material.

It works by continually sharing new ephemeral keys and deleting old ones once new keys have been delivered, so that exposure of the long-term key does not expose new messages.

A similar protection for messages, working alongside the short-lived keys, is called self-healing: it ensures that no future message keys can be derived from a leaked ratchet key, protecting future messages from such an event.

Once a key is exposed, it is only possible to read messages that are associated with the current ratchet.

In this way PFS and self-healing protect message contents such that accessing both old and new messages requires access to the long-term and the short-lived keys, which is very secure by today’s standards.

In addition, the onion routing protects the users’ IPs, adding another layer of protection against tracing.
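The PFS and self-healing behaviour described above, as a simplified Python model added here (not Session’s or Oxen’s code): a symmetric hash ratchet hands out one key per message and overwrites the chain key it came from, and a Diffie-Hellman ratchet step mixes fresh ephemeral keys into the root key. The DH group, the KDF labels and the key sizes are constructed for illustration only; a real implementation uses an elliptic-curve group such as X25519.

```python
import hmac
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for illustration: 2**127 - 1 is prime,
# but this group is far too small for real use).
P = 2**127 - 1
G = 3

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: the output reveals nothing about the input key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def next_message_key(chain_key: bytes):
    """Symmetric ratchet: derive this message's key, then advance the chain.
    The caller discards the old chain key, so it can never be recomputed."""
    return kdf(chain_key, b"message"), kdf(chain_key, b"chain")

def dh_ratchet(root_key: bytes, my_secret: int, their_public: int):
    """Mix a fresh ephemeral DH secret into the root key, producing a new
    chain key that cannot be predicted from any earlier chain key."""
    shared = pow(their_public, my_secret, P).to_bytes(16, "big")
    new_root = kdf(root_key, b"root" + shared)
    return new_root, kdf(new_root, b"chain")

def attacker_view(leaked_chain: bytes, steps: int = 8):
    """Message keys derivable from a leaked chain key by walking forward."""
    keys = []
    for _ in range(steps):
        mk, leaked_chain = next_message_key(leaked_chain)
        keys.append(mk)
    return keys

def demo():
    """Returns which message keys a leaked ratchet (chain) key exposes."""
    root = secrets.token_bytes(32)
    chain = kdf(root, b"chain")
    k0, chain = next_message_key(chain)      # message 0
    k1, chain = next_message_key(chain)      # message 1
    leaked = chain                           # attacker obtains current chain key
    k2, chain = next_message_key(chain)      # message 2, same ratchet
    # Both parties exchange fresh ephemeral public keys and re-key (self-healing).
    a = secrets.randbelow(P - 2) + 2
    b = secrets.randbelow(P - 2) + 2
    _, chain_a = dh_ratchet(root, a, pow(G, b, P))
    _, chain_b = dh_ratchet(root, b, pow(G, a, P))
    assert chain_a == chain_b                # both sides agree on the new chain
    k3, _ = next_message_key(chain_a)        # message 3, after the ratchet
    seen = attacker_view(leaked)
    return {"old_k0": k0 in seen, "old_k1": k1 in seen,
            "current_k2": k2 in seen, "healed_k3": k3 in seen}
```

Running `demo()` shows that the leaked chain key exposes only message 2 (the current ratchet), not the earlier keys k0 and k1 nor k3, which was derived after the fresh DH exchange.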

Source: Oxen.io

Session App Privacy

Regarding users’ privacy and legal concerns, the entity responsible for Session is the Oxen Privacy Tech Foundation. The Foundation cannot access user data: the Session ID is public, and the institution has no access to the user’s personal data.

Since the protocol is based on a decentralized network, it is also not possible to trace a user’s IP, although it is still possible to retrieve the access logs for the website or the App Store/Play Store.

Overall, Session does not require personal information such as an email address or mobile number to identify its users.

Its privacy-by-default policy is such that the platform does not collect location, geolocation, network or device data. It is also not possible to disclose its users’ IPs, because of the node system.

Even so, to comply with the laws of many jurisdictions, the platform’s policy must provide for sharing information with third parties: for applicable laws, regulations, legal processes and government requests, for identifying crime and fraud, and to protect Session’s rights, property or safety.

Session can therefore share information about its users, although the information and metadata the platform holds about them is minimal.

In short: Session (like any other company) can be legally compelled to share user data, except that it does not actually have user data to share.

Source: Session App privacy policy

Blockchain-Powered Privacy

Session’s blockchain technology is built on top of the Oxen blockchain, a developer platform for privacy tools that focuses on privacy and decentralization.

Oxen blockchain is maintained by OPTF and is based on a network of nodes that are operated by the community.

To run a service node, the user needs to lock up a certain amount of $OXEN, its privacy cryptocurrency, which supports instant anonymous payments.

The stake ranges between 15,000 and 3,750 $OXEN for a shared node, which encourages and rewards trustworthy blockchain nodes in order to create a more reliable system and a healthy community.

The network is built on the scalability and decentralization policies of the Oxen Service Nodes, which require operators to time-lock the currency mentioned above, while the operator receives part of each block as a reward for participating in the blockchain community.

As Session’s blockchain is built on top of this network, it inherits the network’s decentralization and reliability for the community.

$OXEN is time-locked when a user is assigned to a node to participate in the blockchain community, so this mechanism is a central part of the platform: it provides users with a reliable community through positive incentives for nodes to behave honestly and to meet minimum safety standards for the network.

The cryptocurrency also provides an anonymous way to transfer money. It is integrated into the Session app and can easily be transferred through the platform, which also offers the “Oxen Wallet”, a gateway to private and decentralized transactions and communications, so that users can view, receive and transact with $OXEN.

The currency passes through a daemon that synchronizes with the network to scan for transactions.

User and Media Reception

Session has a decent review rating from users on the App Store and Play Store, along with much praise for its features from technical and privacy-conscious users.

In many reviews and rankings of secure and encrypted messaging apps, Session appears as the most praised or one of the most praised.

Since the platform’s focus is privacy and security first and quality-of-life attributes second, some users complain about the lack of features such as stickers, which are a little less user friendly than in Telegram, where they are easy to get and easy to share; but overall the response is good.

Session App Ratings

At the beginning of 2021, Signal and Session saw a fast increase in popularity, the former gaining millions of new users during a wave of media coverage of security issues on messaging platforms.

On the 14th of January, Signal announced on its official communication channels that it had passed 50 million downloads on the Play Store that day.

Since Session uses Signal’s protocol with custom new layers of security, this increase in popularity also helped Session become known to the public, and it was listed by news outlets and specialized websites as a good alternative to WhatsApp or FaceTime.

Overall, the media reception was positive and presented Signal as one of the most secure apps, if not the most secure, for Internet communications, with a still growing and active community, although it lacks some functionality that might annoy some users.

In that respect, the features of Signal and Telegram seem more appealing to average users.

Deccan Herald listed Session as one of the main reasons to dump WhatsApp for a better privacy-focused option. NextPit sees Session as one of the most promising messengers and an excellent choice to use alongside Telegram.

The Windows Club lists it as powerful for anonymity and security, but not feature-rich for end customers.

Overall, the downsides listed are the lack of two-factor authentication and the limited room for customization compared with other apps.

Written by: Miklos Zoltan, Founder & CEO, Privacy Affairs

Miklos Zoltan is the founder and CEO of Privacy Affairs. Miklos has long-time experience in cybersecurity and data privacy having worked with international teams for more than 10 years in projects involving penetration testing, network security and cryptography.

Miklos founded Privacy Affairs in 2018 to provide cybersecurity and data privacy education to regular audiences by translating tech-heavy and "geeky" topics into easy-to-understand guides and tutorials.
