Because Session is a fork of Signal, it inherited Signal’s strong security. From there, the Session team built an anonymized, decentralized system that provides superior privacy and anonymity for its users. Are you ready to learn more about this challenger for the throne of the best secure and private messenger app? Then let’s dive in with this Session review.
Session messenger basics.
Behind the scenes, Session is fundamentally different than most other secure messaging services. To make the rest of this Session review easier to understand, we need to go over some basics now.
Conversations in Session are secured using client-side E2E encryption. Only the sender and the recipient of a message can read it. But Session goes beyond providing message security. Session also protects the identities of its users. It makes your communications private and anonymous, as well as secure.
Session can do this because it connects users through a Tor-like network of thousands of Service Nodes. Service Nodes are servers that pass messages back and forth through the network as well as provide additional services. The onion request system that Session uses to protect messages ensures that no Service Node in the network ever knows both a message’s origin (your IP address) and destination (the recipient’s IP address). This allows you to hide your IP by default.
Session takes a number of additional steps to protect your identity:
No phone number is required for registration
No email is required for registration
No geolocation data, device data, or metadata is collected
The Service Nodes are grouped together into swarms. Swarms provide redundancy to the network as well as temporary storage when messages cannot be delivered to their destination. Each Session client connects to a swarm to send and receive messages in real time, as well as to retrieve relevant messages that are stored in the swarm awaiting delivery.
You’ll notice that we haven’t talked about any kind of central server here. The Session network is decentralized, with no single point of failure, and no main server for bad guys to hack. Session moves messages using an onion routing system.
In an onion routing system, messages are surrounded by multiple layers of encryption and pass through multiple nodes in the system. Each node decrypts a layer of encryption before passing the message along. Because of the way the messages are encrypted, no node can know both the origin of the message and its destination. Additionally, your IP address is never visible at the destination, meaning whoever you are conversing with has no way to identify you when you use Session. The Session service should prove to be very resilient, and continue functioning even as individual Service Nodes join or leave the network.
Session’s onion routing system runs on the Oxen Service Node network. This network (formerly known as Lokinet) also serves as part of the infrastructure for the $OXEN cryptocurrency. You can learn more about OXEN at the Oxen.io website.
While Session now handles basic messaging functions very well, it doesn’t have some of the features that competitors like Signal or Telegram do. It does not yet do voice or video calls, among other things. If you need those specific capabilities, you may want to look at a different messenger app.
Here are the pros and cons that we identified in this Session review:
+ Pros
End-to-end (E2E) encryption secures text and voice messages as well as attachments
Encryption: Session Protocol
Does not require telephone number or email address to sign up
Open source
Onion routing system provides decentralization and anonymity
Does not log IP Addresses or metadata
Encrypted closed groups (now up to 100 people) and open groups (no limit to size)
Successfully completed security code audit of Desktop, Android, and iOS apps
– Cons
Does not support 2FA (two factor authentication)
Redesigned multi-device syncing (early beta)
Perfect Forward Secrecy removed
Important: The fact that Session doesn’t collect metadata is a huge plus. We consider the metadata issue to be the Achilles heel of many secure messaging services and secure email services. Even the most popular secure email services, such as ProtonMail, do not have a good solution to the metadata problem.
Now we’ll examine the key features of Session messenger.
Session feature summary.
Here are features you’ll want to consider when evaluating Session:
It uses the Signal-inspired Session Protocol, on top of a distributed onion routing system for anonymous, decentralized communication.
100% open-source code (The code is available on GitHub).
Clients for Android, iOS, macOS, Windows, Linux.
The system is much more stable after several months of redesign and refactoring.
Session company information.
Session is a project of the Loki Foundation. The Loki Foundation (registered as LAG Foundation, LTD) is a registered charitable foundation based in Victoria, Australia. The foundation states that their purpose is to, “…build open-source, metadata-free communications tools and apps that defend privacy in the digital world.”
Note: Loki products are changing their name to Oxen. There will likely be an extended period of time when Loki and Oxen are used interchangeably.
Where is your Session data stored?
Messages that are sent to you are actually sent to your swarm. The messages are temporarily stored on multiple Service Nodes within the swarm to provide redundancy. Once your device picks up the messages from the swarm, they are automatically deleted from the Service Nodes that were temporarily storing them.
Note: This is not the same as a peer-to-peer architecture. Per the Session FAQ here,
Session clients do not act as nodes on the network, and do not relay or store messages for the network. Session’s network architecture is closer to a client-server model, where the Session application acts as the client and the Service Node swarm acts as the server. Session’s client-server architecture allows for easier asynchronous messaging (messaging when one party is offline) and onion routing-based IP address obfuscation, relative to peer-to-peer network architectures.
Third-party testing and audits of Session.
Session now uses its onion routing network. Last year they commissioned a security audit of the Session Desktop, Android and iOS apps by Quarkslab. That audit is now complete and provides good news for Session and its users. The audit report concludes in part with the following:
Oxen Session really improves Signal privacy and resilience by using an overlay network to the existent end-to-end encryption instant messaging solution. The onion-routing mechanisms make use of Oxen’s Snodes to store and exchange messages. However, there are some other centralized standard web services that are still used through the overlay network (for the push service and to deliver attachments files). All major concerns have quickly been fixed.
Quarkslab Oxen Session Audit, Technical Report
Session is now suitable for use in cases where proven and independently verified security is a prerequisite.
How secure and private is the Session?
Once the Session is completed and fully developed, it should be super secure, extremely private, anonymous, and generally excellent. However, it is unclear how far close to complete the product really is.
The onion routing system is now functional, which is a big boost for security and privacy. And the Quarkslab security audit shows that the Desktop, Android, and iOS apps are all secure.
Concerns about Australia and data security.
On the topics of privacy and the security of your data, we must discuss where Session is based. As noted above, Session is based in Australia. Unfortunately, Australia is not a perfect privacy jurisdiction for a few reasons.
As we recently discussed in our guide on the best VPNs for Australia, the country passed a law to undermine encryption and data security in 2018. Here’s a quick overview of this law:
The Australian Parliament passed a contentious encryption bill on Thursday to require technology companies to provide law enforcement and security agencies with access to encrypted communications. Privacy advocates, technology companies and other businesses had strongly opposed the bill, but Prime Minister Scott Morrison’s government said it was needed to thwart criminals and terrorists who use encrypted messaging programs to communicate.
In privacy circles, the “Assistance and Access Bill” is sometimes called the “encryption-busting law” or the “anti-encryption law” because of what it allows. This law would fundamentally affect businesses that provide encrypted communication services, including Session, VPN services, and other privacy-focused businesses. This topic continues to garner criticism from privacy advocates around the world.
In taking a page out of the Australia playbook, US regulators have also proposed forcing tech companies to break encryption, thereby facilitating surveillance.
The Loki Foundation that is behind Session addressed this thorny issue in a blog post:
Obviously, we were terrified when we first saw this bill. The potential for the project to be entirely undermined by this legislation did not go unnoticed. We had begun to consider how we might set up failsafes to allow people to catch bad code being injected into our codebase, or to pay someone external to Loki to do regular inspections of our binaries that we release and ensure they are not leaking extra information or mismatching the codebase in some way. If we were to be issued a TCN [Technical Capability Notice], we would not be able to tell anyone about it. If we set up some sort of canary system, we could be imprisoned. So, whatever failsafe we did set up would have to be external to Loki, and would have to be regularly auditing us to make sure we haven’t been compromised before a TCN was issued.
Ultimately, the Loki Foundation believes they can still operate a secure messenger service in this perilous legal environment. Their blog post on the topic really goes deep into technical and legal details, which you can investigate if you have the time and inclination. In addition, they address the issue in the FAQ topic titled,” Does the Australian government’s anti-encryption stance pose a risk to Session?” as well as in this update to their original blog post.
So, is your data safe and secure with Session messenger?
I have my doubts after researching the Telecommunications and Other Legal Amendment (Assistance and Access) Bill 2018, commonly known as the AA bill or TOLA, but you can come to your own conclusions.
Other privacy concerns with Australia.
It’s also worth noting that the anti-encryption legislation is not the only privacy issue that plagues Australia. Consider this:
Mandatory data retention – In 2017, Australia implemented a mandatory data retention framework. This forces all internet providers and telephone companies to store connection data for government agencies for a full two years.
Five Eyes – We have also noted before that Australia is a member of the Five Eyes surveillance alliance. This alliance works together to collect and share mass surveillance data.
And if you think that various agencies are not exploiting these laws to collect data on Australians, think again. Here is a recent headline from The Guardian:
Session Messenger FAQ.
Here are a few questions that came up frequently during the research and writing of this update.
Is Session messenger safe?
The recently completed security audit by Quarkslab has confirmed what we long believed: the Session is secure. But the actions of the Australian government to get around privacy protections on pretty much any app or service (not just Session) makes us feel that your privacy can’t be guaranteed if you use Session.
What is the Session protocol?
The Session protocol is a new messaging protocol developed by Session. Switching from the Signal protocol to the Session protocol keeps the security of the latter while providing privacy/anonymity and decentralization features. The result is a protocol that works well with Session’s unique architecture.
Session review conclusion.
Session is a promising product, but it comes with Pros and Cons. Once complete, it should be just as secure as Signal, even more private than Signal, and anonymous as well. But there are still lingering concerns about Australia, data privacy, and the Loki Foundation’s ability to keep user data secure in this environment.
Last edited by a moderator:
