Sign in Subscribe

Session Private Messenger: A look at Features, Privacy, Security, and Usage

Sigmund

28 min read
Session Private Messenger: A look at Features, Privacy, Security, and Usage

Introduction: Defining Session and its Privacy Promise

Session is carving out its own space in the busy world of secure messaging apps. It was first created by The Oxen Project and is now managed by the Session Technology Foundation based in Switzerland. Yes, Switzerland, like Proton, and that always makes me think of the Crypto AG Disaster (well, the CIA would call it the greatest operation of all time) — But that is a story for another day. The main goal of Session is to give users a way to communicate securely while keeping their identities private and limiting any traceable information linked to their messages. Their slogan, Send Messages, Not Metadata, sums this up pretty well. 

Session started as a version of the popular Signal messenger but took a different route when some folks raised concerns about Signal’s centralized system and how it could leak metadata, especially since it uses phone numbers for IDs. Signal is great, don’t get me wrong, but the Phone Number requirement, even though you can easily use services like TextVerified to somehow get around it, is a bit of a downside. Instead, Session runs on a decentralized network and uses a unique onion routing method to keep users and their messages private.

This article aims to dig a little deeper into what makes Session Private Messenger tick. It looks at its main features, breaks down the technical setup, including the decentralized network and encryption methods, and reviews how well it minimizes metadata. Security evaluations also take a close look at its cryptography and overall network safety. There’s a look at who’s using Session too, ranging from journalists and activists to some who are up to no good. Lastly, it compares Session with other big players like Signal, Wire, Threema, and Telegram to see how it fairs against those well-established players in the world of secure messaging, wrapping up with thoughts on what that means for users with different levels of risk.

Core Features of Session Messenger

Session offers a suite of features designed around its core promise of privacy, anonymity, and security, distinguishing it from mainstream and even some of the other privacy-focused messengers.

  • Anonymous Account Creation: Without a doubt, Session’s most defining feature is its account creation process, which requires neither a phone number nor an email address. Instead, upon first launch, the application generates a unique, random 66-digit alphanumeric “Session ID” (technically an Ed25519 public key, soon to be termed “Account ID”). This ID serves as the user’s sole identifier within the Session ecosystem, decoupling the user’s account from real-world identifiers like phone numbers, which are mandatory even for apps like Signal and Telegram.
  • End-to-End Encryption (E2EE): All communications within Session, including one-on-one chats, closed group chats, voice messages, and file attachments, are end-to-end encrypted by default. This makes sure that only the intended sender and recipient(s) can decrypt and read the message content. Session initially used a modified Signal Protocol but has transitioned to its own custom “Session Protocol” built upon the widely audited libsodiumcryptographic library. Voice and video calls are also available as a beta feature, employing E2EE.
  • Decentralized Server Network: Unlike messengers relying on centralized servers (e.g., Signal, Telegram, Wire), Session makes use of a distributed network of thousands of “Session Nodes” (formerly Oxen Service Nodes) operated by community members worldwide. These nodes are responsible for routing messages and temporarily storing them for offline recipients. This decentralized architecture eliminates single points of failure and makes widespread data breaches or centralized logging of user activity significantly more difficult. 
  • Onion Routing for IP Address Protection: Session employs a specialized onion routing protocol, termed “onion requests,” to route messages through its decentralized network. Similar in concept to Tor, messages are wrapped in multiple layers of encryption and sent through a three-node path. Each node decrypts only one layer, learning only the address of the previous and next hop. This process is designed to obfuscate the sender’s and recipient’s IP addresses, preventing any single node, or the recipient, from easily determining the origin IP.
  • Group Chats: Session supports two types of group chats:
  • Closed Groups: Private, E2EE group chats for up to 100 participants (initially limited to 10 or 20). These offer the same encryption protections as one-on-one chats. Recent updates (Groups v2) aimed to improve reliability and syncing for these groups.
  • Communities (Open Groups): Large-scale groups with no participant limit, suitable for broader community interaction. These rely on community-operated servers and may have different moderation policies. Communication with community servers still utilizes onion requests for transport security.
  • Voice Messages and Secure Attachments: Users can send voice snippets, photos, files, and other attachments securely within chats. Attachments are E2EE and routed through the network with the same privacy protections as text messages. File metadata (EXIF data) is automatically stripped from images sent via the desktop client, though not currently from mobile or videos.
  • Cross-Platform Availability: Session provides client applications for major mobile and desktop operating systems, including Android (via Google Play, F-Droid, or direct APK), iOS, Windows, macOS, and Linux.
  • Free and Open Source: The client application code for Session is open source (primarily GPLv3 license), allowing anyone to inspect, audit, and contribute to its development. The source code is available on GitHub. Session is free to use, without ads or trackers.
  • Recovery Phrase: Since there are no phone numbers or emails associated with accounts, Session provides a mnemonic seed phrase (typically 13 words, referred to as a “Recovery Password”) upon account creation. This phrase is the only way to restore an account and its associated ID on a new device or after reinstalling the app. Users are responsible for securely storing this phrase. Message history older than 14 days and contacts/groups older than 30 days may not be recoverable via this method.
  • Other Features: Similar to Telegram, Session includes a “Note to Self” feature for secure personal note-taking, the ability to block contacts, and disappearing messages.

Technical Architecture Deep Dive

Session is different from regular messaging apps because it uses decentralization, onion routing, and a special identity system to keep your conversations private.

The Decentralized Network (Session Network / Oxen Service Nodes)

At its core, Session relies on a large, distributed network of servers known as Session Nodes (previously Oxen Service Nodes). As of early 2024, this network consists of around 2,000 to 2,200 nodes operated by community members globally. This decentralized structure is crucial for Session’s claims of censorship resistance and avoidance of single points of failure or data collection.

Staking Mechanism and Sybil Resistance: To run a Session Node, people or groups need to put up a good amount of cryptocurrency, starting with $OXEN, which is the main token for the Oxen blockchain, and then switching to the new Session Token ($SESSION) when the network updates in 2025. This staking requirement has a few purposes. First off, it helps prevent Sybil attacks, where someone tries to take control by making lots of fake identities (or nodes). By having to stake money to run a node, it makes it super expensive for anyone trying to launch a big attack. Plus, buying up tokens to attempt an attack would likely raise the token’s price, which only increases the cost of the attack.

Node operators also have a financial reason to keep things running smoothly; they earn rewards in $OXEN or the upcoming $SESSION tokens for doing their job well. If they don’t do a good job or act maliciously, they could lose their stake, which keeps everyone on the same page when it comes to the network’s health.

Relying on cryptocurrency and staking is what sets this apart. Some folks say it makes things too complex or connects the messenger to the unpredictable crypto market, but it helps support the decentralized setup without needing outside funding or user fees for the essential services. That connection between the messenger and cryptocurrency has caused some confusion, which is why they are rebranding and shifting to the Session Network and Session Token for a more straightforward system.

Swarms and Message Storage: Session Nodes are grouped into smaller teams called ‘swarms’. These swarms help make sure messages are safely stored and can be found later. If a message can’t be sent right away because the person isn’t online, it gets saved in the nodes within their swarm. Each user is assigned to a specific swarm based on their Session ID, so they can always find their swarm without needing a central hub. The network adjusts how swarms are set up, keeping things balanced as nodes come and go. Messages stay stored until they are delivered or until they expire, which usually takes about 14 days.

Transition to Session Network: The planned migration from the Oxen Network to the dedicated Session Network, powered by the Ethereum-compatible Session Token, aims to simplify branding, improve accessibility for node operators, enhance integration with Web3 technologies, and create a more sustainable economic model through optional paid features (like Session Pro or custom usernames/namespaces) whose revenue funnels back into network rewards. Crucially, the core messaging functionality is intended to remain free, and the Session Token itself is not required for using the app.

Onion Routing (Onion Requests)

Session implements its own onion routing protocol, dubbed “onion requests,” to anonymize message transmission and protect user IP addresses. This is a cornerstone of its “Send Messages, Not Metadata” philosophy.

The Routing Process: When a Session client wants to send a message or do something else on the network, like get messages or attachments, it picks three random Session Nodes from the list of active nodes. It then creates what’s called an onion. This means the request, like an encrypted message, is wrapped up in several layers of encryption, with each layer meant for one of the selected nodes. The encryption uses the public keys of these nodes.

  1. The client sends the fully wrapped onion to the first node (the entry node) in the path.
  2. The entry node decrypts the outermost layer using its private key. This reveals the address of the second node (the middle node) but not the original sender’s IP address (only the client’s IP is known to the entry node) nor the final destination or message content. The entry node forwards the partially unwrapped onion to the middle node.
  3. The middle node decrypts the next layer, revealing the address of the third node (the exit node). The middle node knows neither the original sender nor the final destination. It forwards the onion to the exit node.
  4. The exit node decrypts the final layer. This reveals the ultimate destination of the request (e.g., the recipient’s swarm storage server, a file server, or a community server) and the encrypted payload intended for that destination. The exit node knows the destination but not the original sender’s IP address.
  5. The exit node forwards the payload to the final destination.

Replies from the destination server are encrypted for the client and routed back along the same three-node path in reverse.

Anonymity and Metadata Protection: This layered encryption method keeps things private by making sure that no single point in the network knows both who sent a message and where it’s going. The first point knows the sender’s IP but not the destination, the last point knows where the message is going but not who sent it, and the middle points know neither. This setup makes it hard for anyone to track who’s sending messages to whom and protects users’ IP addresses. While it’s similar to how Tor works, Session uses its own network of staked Session Nodes instead of relying on volunteers. This choice helps maintain anonymity but can add some complexity. The multiple hops it takes can slow things down and might create issues that could affect performance and reliability for users.

The Session ID System

Session’s way of managing identities is a big change from regular messaging apps, and it’s key to its promises of privacy.

Generation and Nature: Session’s identity management system is a big change from regular messaging apps and is key to its claims of anonymity. Instead of using phone numbers or emails, Session identifies users with a 66-digit string called a Session ID (or Account ID). This ID is created on the user’s device when they set up the app and is based on a secure Ed25519 key pair. The public key becomes the Session ID and can be shared openly, while the private key stays safe on the device. By default, this ID doesn’t connect to any real-world identity unless the user decides to link it publicly.

Implications for Anonymity: Session stands out because it doesn’t require phone numbers like Signal, WhatsApp, or Telegram, and it doesn’t ask for emails like Wire does. This means less chance of collecting metadata or figuring out who you are. There’s no central list linking your real identity to your Session ID, so you can chat without giving away personal info tied to your phone or email. When you share your Session ID, your phone number, and other details stay private. This setup really boosts user anonymity compared to systems that use identifiers.

Usability Challenges: Being anonymous has its downsides. Since Session doesn’t use phone numbers, it can’t find your contacts automatically by checking your address book. So, users have to share their Session IDs in different ways, like talking, using another messaging app, sending an email, or scanning a QR code if they’re nearby. This can be a bit of a hassle and makes it harder to connect compared to how easy it is to find contacts on apps like Signal or WhatsApp. Hey, who said privacy was all convenient, right?

Recovery Phrase: To recover your account on a new device, Session gives you a seed phrase (also known as a Recovery Password) that comes from your private key. This phrase is your only ticket to get back into your Session ID, along with any contacts you’ve synced within the last 30 days and messages from the past 14 days. So, it’s super important to keep this recovery phrase safe since there’s no way to reset your password through a central system. This poses the challenge of how to keep that phrase secure. I manage it in my general password safe (I use 1Password, but there are many others out there, and a lot of people prefer Bitwarden, for example).

Encryption (The Session Protocol)

Session employs end-to-end encryption for all user communications, but its approach has evolved significantly from its Signal origins.

Transition from Signal Protocol: Session started out using the well-known Signal Protocol for one-on-one chats and the Sender Keys system for group chats. These methods provided solid security features, like keeping past messages safe even if a user’s long-term key is compromised. They also aimed to ensure that a recipient couldn’t prove who sent a specific message. 

But the folks at Session decided to create their own system, called the Session Protocol. They felt that the complexity of PFS and deniability in Signal was making things less reliable, especially when it came to using multiple devices and restoring backups. Everybody who has been using Signal for a while and has had to switch devices knows well where they are coming from. Plus, they believed the real-world impact of PFS and deniability wasn’t that great. For example, PFS isn’t very helpful if someone has full access to your device, which lets them bypass all the security. And in legal situations, deniability often gets overlooked, especially when there are screenshots or seized devices involved.

The Session Protocol: The custom Session Protocol, implemented using the libsodium library, prioritizes simplicity and compatibility with the decentralized network.

  • 1-to-1 Chats: In its full implementation, it uses the sender’s long-term Ed25519 key for signing and the recipient’s long-term X25519 key (derived from their Ed25519 key) combined with ephemeral keys for E2EE via libsodium's crypto_box_sealed (asymmetric authenticated encryption). A backward-compatible version used ECDH key agreement and AES-GCM symmetric encryption.
  • Closed Groups: The full protocol involves deriving a shared group keypair and using crypto_box_sealed with the sender's key and the group's public key. A simpler backward-compatible version used a shared symmetric key (SK) distributed pairwise, with messages encrypted symmetrically and signed with individual identity keys. Key rotation occurs when members leave.

Security Implications: The shift away from the Signal Protocol, especially dropping perfect forward secrecy (PFS) and strong cryptographic deniability, has stirred up quite a bit of debate. Session keeps end-to-end encryption (E2EE), but without PFS, if someone gets hold of a user’s long-term private key — say, through device theft or malware — they could decrypt all past messages if they’ve intercepted them. This is different from Signal, where even if a key is compromised, only a small batch of messages is at risk since keys get rotated frequently. The developers of Session say their design choices, like anonymity and onion routing, help reduce risks related to PFS. This choice shows a different approach to security — Session focuses more on privacy and decentralization, which might weaken protection against long-term key issues compared to Signal.

Privacy Assessment: Living Up to “Send Messages, Not Metadata”?

Session’s main focus is on reducing metadata leakage, which is really important for privacy but often ignored, even by end-to-end encrypted messengers. Metadata includes details about communications, like who’s chatting with whom, when the conversation happens, how long it lasts, and where it’s taking place. Even if the actual messages are protected, this info can still give away a lot.

Architectural Metadata Minimization: Session employs several architectural strategies to reduce metadata generation and collection:

  • No Phone Number/Email: The Session ID system lets you use accounts without tying them to your personal info, so there’s no big user database connected to your details or contacts. This is pretty different from apps like Signal, WhatsApp, and Telegram.
  • Decentralized Network: Without a central server, there’s no one place where all communication records, like User A messaged User B at time T, are kept. Instead, message routing happens across the Session Node network. Nodes only save undelivered messages for a little while, getting rid of them once they’re delivered or after a certain time. 
  • Onion Routing (Onion Requests): As detailed previously, this mechanism is designed to hide user IP addresses from recipients and intermediate nodes, preventing easy inference of location or ISP from connection data. No single server sees both the sender’s and recipient’s IP addresses simultaneously.
  • Minimal Data Collection: Session states it does not collect geolocation data, device information (beyond basic class for notifications), or usage statistics linked to user identity. Features like online status indicators are either absent or implemented without central tracking.

IP Address Protection: The onion routing system is the primary mechanism for IP address protection. The goal is that neither the person one is communicating with nor the servers handling the data (except the initial entry node) learn the user’s true IP address.

Data Handling Practices: Messages are end-to-end encrypted. If a message isn’t delivered right away, it’s stored for a bit on the swarm nodes and deleted once it’s sent. Encrypted files are kept on a special Oxen File Server, but only the people in the chat can access them using E2EE keys. Plus, IP addresses are hidden when you upload or download things.

Identified Limitations and Trade-offs: Even though Session really emphasizes keeping metadata low, its privacy isn’t completely foolproof.

  • Initial Seed Node Connection: When you first start using the Session client, it connects to a seed node run by OPTF/STF to get a list of active Session Nodes. This means your IP address gets shown to the seed node, but Session says they don’t keep a record of it. If you’re concerned about this, using a VPN can help protect your IP.
  • ISP Visibility: Session keeps your content and where you’re going private, but your Internet Service Provider (ISP) can see that you’re connected to the Session Node network. Some skilled attackers could try to figure out your traffic patterns, but the onion routing makes it tough for them.
  • “Fast Mode” Push Notifications: Session has a Fast Mode for quick notifications on your phone. It uses Google’s Firebase Cloud Messaging for Android and Apple Push Notification service for iOS. If you choose Fast Mode, your device’s IP address and a special push notification token are shared with Google or Apple. Session believes this is not a big deal since these companies probably already have this information. But if you want to keep things private, you can switch to Slow Mode. In this mode, the app checks for messages in the background now and then, which might cause some delays in getting your notifications.
  • Attachment Metadata: Session removes EXIF data from images on desktop, but it doesn’t do this for videos or files sent from mobile right now. If you want to keep that info hidden, you’ll have to manually remove the metadata before sending those files. The file server can’t access the metadata because it’s encrypted.

Overall Assessment: Session works hard to cut down on metadata compared to many other messaging apps, especially centralized ones. It uses things like anonymous IDs, decentralization, and onion routing to help protect users from casual snooping and data collection by platforms. But there are limits to this approach. Users should keep in mind issues like how connections are made, what ISPs can see, the trade-offs with push notifications, and how attachments handle metadata. The slogan Send Messages, Not Metadata fits well with how it’s designed, making it a big step up from basic end-to-end encryption, but completely getting rid of metadata in any online communication is still a tough challenge.

Security Design Evaluation

To assess Session’s security, you need to look at its encryption methods, how the network is set up to protect itself, the audit trail, and its known weaknesses.

Encryption Protocol Analysis

The Session Protocol offers end-to-end encryption with the well-known libsodium library, but its security isn’t all that straightforward. Some of its design decisions don’t quite follow the usual best practices seen in the Signal Protocol.

  • Strengths: It offers baseline E2EE for all messages and attachments, leveraging well-vetted cryptographic primitives (X25519, Ed25519, ChaCha20/AES-GCM, Poly1305, HKDF) via libsodium. Its design aims for simplicity and better integration with the decentralized network.
  • Weaknesses (PFS and Deniability): The biggest concern with security is the removal of Perfect Forward Secrecy (PFS) and strong cryptographic deniability. Without PFS, if someone compromises a user’s long-term private key, they could decrypt all the past messages linked to that key. While Session claims that its architectural protections help, this still makes it less secure compared to protocols like Signal or Wire’s Proteus. The loss of cryptographic deniability may not seem like a huge deal, but it does weaken the security compared to Signal.
  • Non-Standard Key Generation: Session generates its Ed25519 identity keys using only 128 bits of entropy (padded with zeros to 256 bits) to enable shorter 13-word mnemonic recovery phrases. This non-standard approach was flagged as a low-risk finding in the Quarkslab audit. While Session argues that practical attacks (including multi-target batch attacks) remain computationally infeasible even with this reduced entropy , relying on non-standard cryptographic practices generally raises concerns among security experts and deviates from the principle of using well-established, fully vetted methods.

Choosing not to use Perfect Forward Secrecy (PFS) means giving up some security for the sake of privacy, particularly when it comes to protecting metadata. It can make things simpler to set up, but it leaves past messages more vulnerable if a key is later compromised. This choice affects Session’s overall security, making it tough against some threats like tracking communication patterns, but less so against others, like decrypting old messages after a key theft.

Decentralized Network Security

The security of the Session Node network relies heavily on its staking mechanism and distributed nature.

  • Sybil Resistance: The requirement for nodes to stake cryptocurrency ($OXEN/$SESSION) provides a significant economic barrier against Sybil attacks, making it costly for an adversary to control a large fraction of the network nodes needed for widespread traffic analysis or message interception.
  • Onion Routing Security: The 3-hop onion routing design aims to prevent any single node from correlating senders and receivers. However, sophisticated adversaries controlling multiple nodes, particularly entry and exit nodes in the same path (potentially in the same jurisdiction), could theoretically attempt traffic correlation or deanonymization attacks, although the scale and cost required are substantial. The randomness of path selection and the large number of nodes aim to mitigate this risk.
  • Node Incentives: Rewards for node operation incentivize good behavior, while the risk of losing stake disincentivizes malicious actions.

5.3. Audits and Vulnerabilities

Independent security audits are crucial for verifying the security claims of complex cryptographic applications.

  • Quarkslab Audit (2021): Session underwent a security audit by Quarkslab covering its Android, iOS, and Desktop clients, completed in April 2021. The audit occurred during Session’s transition from the Signal Protocol fork to the Session Protocol. The overall assessment was positive, deeming the security level “good” and suitable for privacy-concerned users. Key findings included:
  • One severe vulnerability on Android related to TLS verification when fetching the node list (potentially allowing malicious CA attacks), which was promptly fixed.
  • Several lower-severity issues related to potential information leaks (e.g., sensitive data in logs, clipboard handling) and usability/security trade-offs (e.g., allowing screenshots, recovery phrase handling).
  • The non-standard 128-bit key generation was noted but classified as low risk due to the lack of a practical exploit path.
  • Post-Audit Claims: A security researcher later published claims regarding vulnerabilities stemming from the 128-bit key generation and potential batch attacks. Session publicly refuted these claims, providing analysis arguing that practical attacks remain infeasible and that the researcher’s proof-of-concept code contained flaws.
  • Need for Continuous Scrutiny: While the 2021 Quarkslab audit provides valuable assurance, it predates significant developments like the full rollout of the Session Protocol, Groups v2 implementation, and the upcoming Session Network/Token migration. With these changes and the new protocol in place, it’s a good idea to keep doing regular security checks. Just counting on an audit from a few years back, especially when big changes were happening, might not give a true picture of how secure the app is now.

Limitations

Session currently does not offer support for Two-Factor Authentication (2FA), a standard security feature for protecting accounts against unauthorized access if the primary credential (in this case, the recovery phrase or device access) is compromised.

6. Who Uses Session? From Activists to Adversaries

Session’s cool features draw in a wide range of users, from folks who value their privacy to those who might be up to no good.

Legitimate Use Cases and Demographics

Session is created for people who really value their privacy, want to stay anonymous, and don’t want to be watched. Some main groups that would find this useful are:

Privacy-Conscious Individuals: General users seeking to minimize their digital footprint and avoid the data collection practices of mainstream platforms.

  • Journalists: Session provides a channel for communicating with sources without revealing phone numbers and minimizing traceable metadata, crucial for protecting source anonymity and journalist safety, especially under repressive regimes or when dealing with sensitive information.
  • Activists and Human Rights Defenders: Secure communication is vital for organizing, coordinating actions, and avoiding surveillance by state or non-state actors who may seek to suppress dissent or target individuals. Session’s anonymity and censorship resistance are particularly valuable in these contexts.
  • Whistleblowers: The ability to communicate anonymously is paramount for whistleblowers needing to expose illegal or unethical activities without risking identification and retaliation.
  • Politicians and Sensitive Communications: Individuals needing to discuss classified or highly sensitive information may utilize Session for its E2EE and metadata protection features.

Getting precise user details for Session is tough because it prioritizes privacy. Session doesn’t gather user data itself. The usage stats that are out there mostly come from optional, anonymized analytics from app stores like Apple and Google. These only include users who chose to share their info and don’t account for those on desktops or using different download methods like F-Droid or APK files. So, even though Session claims it has a lot of users, we don’t really know the exact numbers or who they are, but it’s safe to think many of them care about privacy.

The Dark Side: Adoption by Cybercriminals

Session has some features that draw in people who want privacy, but those same features also attract folks looking to break the law and avoid getting caught. Security reports have noted that cybercriminals are using Session as well. Most of the time, you will find a Session ID on the usual Cybercrime Forums as a means to contact a threat actor or a seller of data. Take this as an example:

Evidence and Examples: Session has become a way for different hackers, including ransomware gangs, to communicate. For example, groups like Boramae, BackMyData (the Phobos variant), and KillSecurity have included Session IDs in their ransom notes, giving victims a way to reach out for negotiations. They also use it along with other messaging apps like Telegram, Discord, and Tox to share sensitive info away from watchful eyes.

  • Role in the Ecosystem: Telegram is still the go-to messaging app for cybercriminals because of its features, big user base, and the ability to set up channels and bots. On the other hand, Session seems to serve a more specific purpose. It’s likely used by people who are really careful about their security or for sharing sensitive info, where staying anonymous is more important than having lots of users or fancy features. In contrast, apps like Telegram and Discord often get misused by info-stealer malware for things like controlling operations or stealing data, taking advantage of their bot APIs, and file sharing. This kind of misuse isn’t really seen with Session, based on the reports we have seen.

Analysis: Why Illicit Actors Use Session

Cybercriminals are using Session because of its strong privacy and security features.

  • Anonymity: One big reason people like this is that you don’t need to give a phone number or email when you sign up. This means folks can make accounts without tying them to their real identities, which makes it harder for the police to track them down.
  • Decentralization and Censorship Resistance: The distributed network architecture makes it significantly harder for authorities to shut down the service entirely or block access compared to centralized platforms.
  • IP Address Obfuscation: The onion routing mechanism effectively hides users’ real IP addresses, making tracking and location identification difficult.
  • End-to-End Encryption: Provides a secure communication channel, protecting the content of illicit discussions from eavesdropping.
  • Perception of Security: Its reputation as a highly private and secure messenger likely contributes to its adoption, even if some users don’t fully grasp the technical nuances or trade-offs (like the lack of PFS).

Session is used by both at-risk groups and shady characters, showing the tricky side of strong anonymity tools. Features meant to keep journalists safe from harsh regimes or support whistleblowers can also be used by criminals trying to avoid getting caught. This creates a tough situation since limiting bad use could take away protections that honest users really need. On top of that, Session isn’t as popular in the underworld compared to Telegram, pointing to other reasons why criminals choose their platforms. Things like how easy they are to use, available features, and even issues with Session’s reliability probably matter more for a lot of cybercriminals. The hassle of exchanging Session IDs and some performance issues might also scare off those who aren’t very tech-savvy or who need speed over complete privacy.

Session vs. The Field: A Comparative Analysis

To really get what makes Session stand out, it’s good to look at it alongside other well-known secure messaging apps like Signal, Wire, Threema, and Telegram. Each of these apps has its own way of balancing security, privacy, ease of use, and features.

The following table summarizes key differentiating factors:

Comparison Table

Session vs. Signal

Comparing Session and Signal makes sense since Session actually started as a version of Signal.

  • Architecture: Session runs on a decentralized network that uses onion routing, which helps keep things private and resistant to censorship. On the other hand, Signal relies on central servers, making it easier to build and likely more reliable, but this means there’s a spot where some data could be collected, and it’s also easier to block.
  • Identity & Anonymity: Session stands out because it uses anonymous Session IDs while Signal requires you to register with a phone number. This means Session offers better privacy since it keeps your identity separate from your data. But this can make it harder to find contacts and share IDs.
  • Protocol: Session dropped PFS and cryptographic deniability to use its own protocol, focusing on privacy. Signal still keeps these strong encryption features, giving better protection against key compromise that could expose past messages.
  • Usability & Reliability: Signal is seen as more reliable and well-developed because of its central system and longer time in the market. On the other hand, Session has had some issues with reliability.

Session vs. Wire

Wire, especially its free personal version, has end-to-end encryption but is quite different from Session.

  • Architecture: Wire uses a centralized architecture.
  • Identity: Wire requires an email address or phone number for registration, linking the account to an external identifier, unlike Session.
  • Protocol & Metadata: Wire uses the Proteus protocol, which is an earlier version of the Signal Protocol and does include perfect forward secrecy. But Wire admits it collects more metadata than Signal, especially about contact lists, to make it easier to sync across devices. Session is focused on collecting less metadata.
  • Audits & Focus: Both have been independently reviewed. Wire is putting more effort into working with businesses, which could affect how they support and develop their free personal service in the future.

Session vs. Threema

Threema is another privacy-focused messenger often compared to Session.

  • Identity & Cost: Threema gives you a random Threema ID, so you don’t need to use your phone number or email, though you can link your account if you want. On the other hand, Threema is a paid app, while Session is free.
  • Architecture & Open Source: Threema has centralized servers and, before December 2020, its client code wasn’t completely open source. On the other hand, Session is decentralized and its clients are open source. Both apps are based in strong privacy-friendly places, with Session being backed by a Swiss foundation and Threema also being from Switzerland.
  • Protocol: Threema implements PFS, unlike Session.

Session vs. Telegram

Telegram is really popular, but it has a unique take on privacy and security.

Identity & E2EE: To use Telegram, you need a phone number. Of course, you can always use a service like TextVerified, but still. It’s important to note that end-to-end encryption (E2EE) isn’t automatic for regular chats; it’s only available for ‘Secret Chats’ and voice calls. Regular cloud chats are only encrypted between the client and server, so Telegram can see your messages. On the other hand, Session provides E2EE for all messages right away.

  • Architecture & Code: Telegram uses centralized servers, and its server-side code is closed source. Session is decentralized with open-source clients.
  • Metadata & Protocol: Telegram collects significant metadata, especially for non-secret chats, and uses its custom MTProto protocol, which has faced scrutiny. Session aims for minimal metadata via its architecture and Session Protocol.
  • Cybercrime Use: Telegram is heavily utilized by cybercriminals due to its features (channels, bots, ease of use) and large user base. Session’s use is comparatively niche.

Positioning and Trade-offs: This comparison shows how Session stands out in the secure messaging world. Its approach includes decentralization, mandatory onion routing, and not using any traditional identifiers, making it one of the more private options available. But this comes with some trade-offs; it doesn’t follow some common cryptographic guidelines, which might make it less user-friendly. Users need to handle complex Session IDs and recovery phrases, which can be a hassle.

Choosing between Session and options like Signal really depends on what each user cares about. Someone worried about metadata tracking or needing to communicate in areas with heavy censorship might prefer Session’s privacy features, even if it’s not as user-friendly. On the other hand, if a user is more focused on the long-term security of their messages or wants an easier experience, they might lean towards Signal, which has a solid reputation and requires a phone number. Ultimately, which one is better varies based on individual needs.

User Experience and Known Issues

Session has some great privacy features, but its user experience suffers from reliability problems and usability issues, which could make it harder for more people to use it.

Reliability and Performance Concerns: Numerous user reviews and reports across platforms (Android, iOS, Desktop) highlight recurring problems with core messaging functionality:

  • Notifications: People often say that notifications are slow, unreliable, or sometimes don’t show up at all, especially in group chats. This can be a big problem for quick communication since you might miss messages unless you’re constantly checking the app. The developers recommend turning on Fast Mode, which uses Google or Apple’s push services but comes with some privacy concerns. Still, many users find that it doesn’t really fix the problem.
  • Message Syncing and Sending: People are having trouble with messages getting stuck on ‘sending’ for a long time, not syncing right on different devices, or showing up in the wrong order. There have also been complaints about voice messages not sending or loading properly. I have not yet experienced such issues, but if you read some of the forums, it appears to be happening to some. 
  • General Stability: Some users report the app becoming unresponsive or crashing, particularly when handling multiple chats or during specific operations like calls.

The Session team knows about some of these problems and is working on fixing them. They’ve made updates like the ‘Groups v2’ to make messaging and syncing better. Still, the ongoing complaints show there are more issues to tackle. Groups v2 was enabled on March 20.

Usability Friction: Besides being reliable, some design choices in Session’s privacy model make it a bit tricky to use:

  • Session ID Exchange: The necessity of sharing the long, random Session ID through an external channel to initiate contact is less convenient than the automatic contact discovery offered by phone number-based apps.
  • Recovery Phrase Management: The critical importance of the recovery phrase places a significant burden on the user. Loss of the phrase means permanent loss of the account identity and potentially contacts/history, with no alternative recovery method.
  • Potential Slowness: The nature of onion routing, involving multiple hops through the decentralized network, can inherently introduce latency compared to direct client-server communication, potentially contributing to slower message delivery or file transfer speeds reported by some users.

Interface: The user interface is generally functional and straightforward, but may lack the polish and advanced features found in more mainstream applications.

Those ongoing issues with reliability and ease of use probably make it hard for most people to start using Session. Sure, privacy-focused folks or those who really need to stay anonymous, like journalists or activists in tough spots, might deal with these problems because of the privacy features Session offers. But regular users will likely stick with simpler and more reliable apps like Signal or WhatsApp. This situation limits how widely Session can grow, even though it has solid privacy protections. The tech behind Session’s system and its onion routing is important for keeping things private, but it also adds to the issues with performance and reliability. Making smooth, real-time communication work over a distributed network is just a lot trickier than running servers in one place. So, the privacy perks come with some real downsides for everyday users.

Final Thoughts: Session’s Place in the Secure Messaging Landscape

Session Private Messenger stands out in the secure messaging scene, though it does spark some debate. Its main strength is its strong focus on keeping user identities anonymous and minimizing data collection. Instead of using phone numbers or emails, it gives users Session IDs. It relies on a decentralized network for sending messages and keeps things more secure with onion routing to hide IP addresses. This setup offers solid protection against surveillance and linking identities, which is a big plus for many.

But it’s not without its downsides. One key issue is that it sacrifices Perfect Forward Secrecy (PFS) and strong cryptographic deniability, which means if someone cracks its long-term keys, they could read past messages. The developers argue that they made this choice to keep things simple and decentralized, but it does leave users at some risk. Also, there are known issues like unreliable notifications, syncing problems, and slow performance, likely due to its complex system. The app’s security audit from 2021 is getting old, especially with ongoing changes in their technology, raising doubts about how secure it really is right now.

Additionally, the anonymity that helps users can also attract bad actors, which has hurt its reputation.

In the end, Session serves as an interesting example of the push and pull between wanting complete privacy and the need for reliable, user-friendly communication tools. While it offers strong protections against some threats, users have to give up some cryptographic strength and usability. So, anyone thinking about using Session should really weigh their specific needs and risks before diving in.

  • Session may be suitable for: Users whose primary threat is pervasive metadata surveillance, censorship, or the need for strong anonymity detached from real-world identifiers (e.g., journalists communicating with sensitive sources in hostile environments, activists organizing under surveillance, whistleblowers). These users must be willing to tolerate potential reliability issues and understand the implications of the lack of PFS.
  • Alternatives may be preferable for: Users whose primary concern is the compromise of long-term keys revealing past conversations, those who prioritize proven cryptographic standards like PFS, or those who require maximum reliability and usability for general communication. For these users, applications like Signal (balancing strong crypto with usability, despite phone number requirement) or potentially Threema (paid, PFS, no phone number needed) might be better choices.

The shift to the Session Network and Session Token adds a new layer of complexity. For Session to succeed, it needs to build a sustainable business model while keeping its privacy promises and fixing its reliability issues. This will be key for its future and for moving beyond its current niche. Users should consider the privacy perks along with the known risks and usability concerns, keeping their own security needs in mind.

As usual:

Sigmund Brandstaetter
I love writing about all things Cybersecurity and I also do maintain a Youtube Channel.
Buy Me a Coffee

Sign up for more like this.

Enter your email
Subscribe