Key Takeaways
- Session offers secure messaging by encrypting both messages and metadata.
- Session encrypts metadata, uses a decentralized network, and relies on user IDs instead of phone numbers.
- Session is easy to use with strong security features, but wide adoption may be hindered by the way users add contacts.
Pretty much everybody now uses some kind of chat app to talk to friends and family. However, most of them are inherently insecure, with only a few offering any real privacy. One exception is Session, a relatively obscure messaging app, which I took for a spin to see how I liked it.
I messed around with Session for a few days exchanging messages with some friends I roped into helping me. I like Session and the security behind it, though there are some issues. I think it will be a great fit for anybody that needs secure messaging.
Messaging and Security
SMS messages seem to have gone the way of the dodo, with most people these days texting via an app like Facebook Messenger or WhatsApp. These apps will often feature some kind of encryption which secures messages from being viewed by third parties. WhatsApp, for example, makes it clear that any texts you send are end-to-end encrypted.
These measures may encrypt your messages, but that’s not all you’re sending. When you send a message, you’re also transmitting data about yourself (your phone number, location, phone data) and receiving that information from your conversation partner. This information is called metadata and can be very revealing.
While encryption may protect the contents of what you’re sending, so nobody knows you’re meeting your buddy John for dinner tomorrow, anybody looking in will know that you texted John, at what time, and from where. They will also know the same about John. If you’re a broker harvesting data or a state actor looking to know more about people, this is valuable information.
What Sets Session Apart
To avoid this and create greater anonymity online, you need to encrypt metadata as well—you can’t get rid of it entirely as the app needs it to function. Enter Session, an app that claims to have solved this issue and encrypts both messages and metadata.
Session is the product of the Oxen Privacy Tech Foundation, an Australian organization dedicated to better privacy across the web. The foundation is a big fan of decentralized tech, supports related tech, and even has its own blockchain.
Session comes with a pretty thorough whitepaper and a “lightpaper” which summarizes it, but in short it does three things differently from most other messaging apps. It encrypts metadata, spreads data across a network of decentralized servers, and eschews the use of phone numbers, relying on user IDs instead.
Removing phone numbers from the equation means you’re a lot harder to identify, while using a decentralized network means you can’t be tracked too easily. As with the Tor network, individual servers (known as nodes) don’t know what lies beyond the next node they communicate with. This makes it so you can’t “follow” a user as they connect through the network—you can even see this in the app.
This setup is interesting as it spreads around the different points of failure for a secure network. Even if Session were forced to implement a backdoor, say, it still couldn’t track users. Even if the network was hacked, files would be encrypted. Though perfect security doesn’t exist, having all these processes working together minimizes the risk of a breach.
Using Session
The security seems tight, but that doesn’t guarantee that the Session app is something you want to use. After all, there are plenty of very secure apps that are so awful to use people would rather run the risk of surveillance.
Session is a very pleasant surprise. Though it’s not without fault, overall, I found it enjoyable to use, with the same level of usability as WhatsApp, without all the annoying social functionality.
Session comes with apps for both Android and iPhone, as well as desktop clients for all major OSes—they’re all on the download page. I mostly played around with it on my Android phone for this article.
Creating a Session Account
Once you have the app installed on your system and start it up, you need to create an account. Since Session doesn’t really need to know anything about you, this takes just a few seconds: just create a username and that’s it. Session will create your ID for you and you’re ready to go. It takes maybe five seconds in all.
That said, there’s an important step you should not skip and that is to save your recovery password. Session prompts you to do so, but won’t remind you a second time. You need this password if you want to gain access to your account from another device, so make sure to copy it and save it somewhere secure (I stored it in my password manager).
If you want to message somebody, just hit the “plus” sign at the bottom of the screen and pick the “new message” option.
You now need to enter your friend’s Session ID or, if you’re physically close to each other, use a QR code.
This is the one thing I don’t like about Session, as this is a cumbersome way to add people. I understand that this is the secure way to do it, but if I could find people through their username, this would be a lot easier. Still, you can always share the user ID through secure mail or something, if needs be.
Once you’re past this hurdle, that’s it, pretty much. Session behaves much like any other messaging app you’ve used. I really liked it as I had some chats with friends, or talked with my partner about the daily shopping.
You can mess around a little with settings, but don’t expect too much. The focus of the app is very much privacy so you don’t have the bells and whistles other apps have. You can send messages without being spied on, that’s it.
Should You Use Session?
I really liked Session. Not only is it a private way to send messages to people, it does so in an easy-to-use way. If you’re coming from another messaging app like WhatsApp or Signal, using Session will come naturally to you. The security and privacy stuff is all happening in the background.
That said, I do see some issues with wider adoption thanks to the way you add people. While not using phone numbers makes sense from a security perspective, for most people that’s how we get in contact with the people we know. Still, if you regularly text with somebody and are sharing sensitive information, I think Session is a great way to do so.