Session messenger is making a play for the position as the best secure messaging app. In this, it is going up against some intense competition from the likes of Signal and the other top apps we cover in our Best Secure and Encrypted Messaging Apps review. In this updated Session review, we'll look at Session's capabilities — both those active today and those comings soon.
Signal merits special mention in this Session review. That's because Session is a fork of Signal, meaning that much of the guts of Session originally came from Signal. This is excellent since Signal has long been considered the most secure of the secure messaging services. Thanks to the excellent end-to-end (E2E) encryption provided by the Signal Protocol, Signal is about as secure as a messenger app can be.
But Signal isn't as strong on privacy as it is on security. It collects some metadata and doesn't have a corporate sponsor like Facebook sucking up and monetizing that metadata. More importantly, Signal requires you to submit a phone number to create an account. Signal also relies on central servers to manage message flow and hold the metadata it does collect.
Because Session is a fork of Signal, it inherited Signal's strong security. From there, the Session team built an anonymized, decentralized system that provides superior privacy and anonymity for its users. Are you ready to learn more about this challenger for the throne of the best secure and private messenger app? Then let's dive in with this Session review.
Session messenger basics
Behind the scenes, Session is fundamentally different than most other secure messaging services. To make the rest of this Session review easier to understand, we need to go over some basics now.
Conversations in Session are secured using client-side E2E encryption. Only the sender and the recipient of a message can read it. But Session goes beyond providing message security. Session also protects the identities of its users. It makes your communications private and anonymous, as well as secure.
Session can do this because it connects users through a Tor-like network of thousands of Service Nodes. Service Nodes are servers that pass messages back and forth through the network as well as provide additional services. The onion request system that Session uses to protect messages ensures that no Service Node in the network ever knows both a message's origin (your IP address) and destination (the recipient's IP address). This allows you to hide your IP by default.
Session takes a number of additional steps to protect your identity:
- No phone number is required for registration (unlike what we found in our Signal review)
- No email is required for registration (unlike with Wire messenger)
- No geolocation data, device data, or metadata is collected
The Service Nodes are grouped together into swarms. Swarms provide redundancy to the network as well as temporary storage when messages cannot be delivered to their destination. Each Session client connects to a swarm to send and receive messages in real time, as well as to retrieve relevant messages that are stored in the swarm awaiting delivery.
You'll notice that we haven't talked about any kind of central server here. The Session network is decentralized, with no single point of failure, and no main server for bad guys to hack. Session moves messages using an onion routing system.
In an onion routing system, messages are surrounded by multiple layers of encryption and pass through multiple nodes in the system. Each node decrypts a layer of encryption before passing the message along. Because of the way the messages are encrypted, no node can know both the origin of the message and its destination. Additionally, your IP address is never visible at the destination, meaning whoever you are conversing with has no way to identify you when you use Session. The Session service should prove to be very resilient, and continue functioning even as individual Service Nodes join or leave the network.
Session's onion routing system runs on the Oxen Service Node network. This network (formerly known as Lokinet) also serves as part of the infrastructure for the $OXEN cryptocurrency. You can learn more about OXEN at the Oxen.io website.
While Session now handles basic messaging functions very well, it doesn't have some of the features that competitors like Signal or Telegram do.
That said, it does now support voice and video calls, among other things.
That's what you need to know to understand how Session works. background information, we're now ready to talk intelligently about Session.
Here are the pros and cons that we identified in this Session review:
+ Pros
- End-to-end (E2E) encryption secures text and voice messages as well as attachments
- Encryption: Session Protocol
- Does not require telephone number or email address to sign up
- Open source
- Onion routing system provides decentralization and anonymity
- Does not log IP Addresses or metadata
- Encrypted closed groups and open groups
- Successfully completed security code audit of Desktop, Android, and iOS apps
– Cons
- Does not support 2FA (two factor authentication)
- Redesigned multi-device syncing
- Perfect Forward Secrecy removed
Important: The fact that Session doesn't collect metadata is a huge plus. We consider the metadata issue to be the Achilles heel of many secure messaging services and secure email services. Even the most popular secure email services, such as ProtonMail, do not have a good solution to the metadata problem.
Now we'll examine the key features of Session messenger.
Session feature summary
Here are features you'll want to consider when evaluating Session:
- It uses the Signal-inspired Session Protocol, on top of a distributed onion routing system for anonymous, decentralized communication
- 100% open source code. (The code is available on GitHub.)
- Clients for Android, iOS, macOS, Windows, Linux
- The system is much more stable after several months of redesign and refactoring
Session company information
Session is a project of the Session Technology Foundation. While Session was originally based in Victoria, Australia, the team took steps to move to a more privacy-friendly jurisdiction in 2024.
Session formally changed jurisdictions to Switzerland in November 2024, where it continues to operate today. We discussed this change in our news article about Session moving to Swtizerland.
Where is your Session data stored?
Messages that are sent to you are actually sent to your swarm. The messages are temporarily stored on multiple Service Nodes within the swarm to provide redundancy. Once your device picks up the messages from the swarm, they are automatically deleted from the Service Nodes that were temporarily storing them.
Note: This is not the same as a peer-to-peer architecture. Per the Session FAQ here,
Session clients do not act as nodes on the network, and do not relay or store messages for the network. Session’s network architecture is closer to a client-server model, where the Session application acts as the client and the Service Node swarm acts as the server. Session’s client-server architecture allows for easier asynchronous messaging (messaging when one party is offline) and onion routing-based IP address obfuscation, relative to peer-to-peer network architectures.
Third-party testing and audits of Session
Session now uses its onion routing network. Last year they commissioned a security audit of the Session Desktop, Android and iOS apps by Quarkslab. That audit is now complete and provides good news for Session and its users. The audit report concludes in part with the following:
Oxen Session really improves Signal privacy and resilience by using an overlay network to the existent end-to-end encryption instant messaging solution. The onion-routing mechanisms make use of Oxen’s Snodes to store and exchange messages, however, there are some other centralized standard web services that are still used through the overlay network (for the push service and to deliver attachments files). All major concerns have quickly been fixed.
Quarkslab Oxen Session Audit, Technical Report
Session is now suitable for use in cases where proven and independently verified security is a prerequisite.
Session hands-on testing
For this update of the Session review, I installed the Android app, along with the Windows desktop client.
Session Android app
I downloaded the Session Android app from the Google Play store. At that time the app had 1149 reviews and was rated 3.9 out of 5 stars (on the Apple App Store, Session Messenger had 120 reviews with a 4.4 out of 5 stars rating).
Launching Session highlighted one of the key differences between it and Signal: no need to enter a phone number or email address. Instead, Session gives you the opportunity to create an account by generating a Session ID, or by signing in to an existing account (by entering an existing Session ID).
A Session ID is a unique address people can use to contact you on Session. As Session explains, the reason using a Session ID is better than using a phone number or email address is, “Your Session ID is totally private, anonymous, and has no connection to your real identity.” Signal and other messaging apps that identify you with a phone number cannot give you this anonymity.
Once you create a Session ID, Session will ask you to pick your display name, and tell Session how to handle push notifications. And once that's all done, Session will show you your Recovery Phrase and give you the opportunity to store it somewhere safe.
A Recovery Phrase is a string of words that you can enter to recover your account if you lose the Session ID, or change to a new device. To restore your Session ID, launch Session and tap Continue your Session. Session will give you the opportunity to enter your Recovery Phrase and get back to where you were when you last used that Session ID.
With all that out of the way, you are finally ready to start working with Session.
Working with Session
At first, Session will seem pretty dead. That's because you still need to connect with people. While a service like Signal, you can scan your phone's contact list looking for phone numbers that are registered as Signal users, Session needs you to tell it who to connect to. You do that by creating a New Session. A New Session is a chat session that you initiate by entering the Session ID of the person you want to chat with.
How do you know the Session ID of the person you want to chat with? You either get them to give it to you, or you scan a QR code that contains their Session ID. Unless you happen to be physically located in the same place, thereby able to pass the Session ID or display the QR code directly, one of you will need to share your Session ID with the other to get this thing started. You'll need to use a different communication medium (another secure messenger app, perhaps) to make this happen.
Once you enter someone's Session ID, you can send them a message. Once they accept it, you can freely exchange messages like any other chat app.
Tapping the icon for a contact opens your ongoing chat session with that contact.
Beyond basic chatting, Session has a number of additional useful features. Here are some of them:
- Encrypted groups – Create closed groups (up to 10 people previously; now up to 100) or huge open groups (no size limit).
- Voice messages – Create and share encrypted voice messages.
- Attachments – Message attachments are encrypted too.
- Safety Numbers – Verify that you are communicating with the device you expect to be talking to by comparing safety numbers.
- Video and Voice calls – This is a relatively new feature that puts Session on par with Telegram and Signal.
Session Desktop clients
We installed the Session Desktop client on our Windows 10 test machine.
Session Windows Desktop
Downloading and installing the Sessions Windows Desktop client follows the standard “install a Windows app” process.
Note: If you want to use the Session Linux Desktop, you'll need to install it as an AppImage. If you don't know how to work with this portable Linux file package, click this link for a short video tutorial.
Running and configuring Session Desktop
Once you've got the desktop downloaded and installed, you need to fire it up. You'll want to connect your desktop client to your mobile device. You can do this by selecting Sign In, instead of Create Account, then selecting Link Device to Existing Session ID and following the instructions. The Session desktop apps I tested for this review were easy to use to get going and use.
Note: Once you get the desktop app up and running, you will need to enter your contacts again. That's because Session multidevice isn't ready yet.
With the volume of changes coming out of the Session team, it can be hard to keep track of all the feature changes. If you intend to use this product, we suggest that you make time to check the Session blog to keep up with the ever-improving feature set of Session.
Support
Session's support area reminds me a lot of Keybase. There's an FAQ page, and the blog that I just mentioned, rather than a regular Support page like you would find for a paid product. The FAQ is pretty useful, although a little sparse (not surprising for a product that is still under heavy development).
If you have questions that the FAQ can't answer, the company does offer email support and social media contacts. They also have links where you can report bugs and look for solutions. But those all take you to GitHub pages where you can look at the code and check existing issues pages. This is okay for techies, but it's likely to confuse some regular users.
How secure and private is Session?
Once Session is completed and fully developed, it should be super secure, extremely private, anonymous, and generally excellent. However, it is unclear how far close to complete the product really is.
The onion routing system is now functional, which is a big boost for security and privacy. And the Quarkslab security audit shows that the Desktop, Android, and iOS apps are all secure.
Session business features
Like its ancestor, Signal, Session doesn't have any business-specific features or versions at this time. If you are looking for business features, check out our Wire review.
Session prices
Session is free and open source software. There is no charge for using Session and as far as I can tell, no plans to charge for the product in the future.
This is similar to what we noted in the Signal review.
Session Messenger FAQ
Here are a few questions that came up frequently during the research and writing of this update.
Is Session messenger safe?
The completed security audit by Quarkslab has confirmed what we long believed: Session is secure. Additionally, Session is now based in Switzerland, which is a privacy-friendly jurisdiction.
What is the Session protocol?
The Session protocol is a new messaging protocol developed by Session. Switching from the Signal protocol to the Session protocol keeps the security of the latter while providing privacy/anonymity and decentralization features. The result is a protocol that works well with Session's unique architecture.
Session review conclusion
Session is a promising product, but it comes with Pros and Cons. Once complete, it should be just as secure as Signal, even more private than Signal, and anonymous as well.
Based on the testing I did for this updated review, I am very impressed with the technical side of this project. The onion routing system is up and running, and the refactored apps work well. I haven't run into any errors or been disconnected from the other party, as happened frequently during our initial test phase. It will be nice when the multidevice feature is out of beta, but that's not a deal breaker. Functionally, Session seems ready for regular use.
Is Session right for you?
Session works and works well. But if you want privacy in addition to security, you should probably look elsewhere. Here are some more secure messenger reviews.
This Session messenger review was last updated on December 2, 2024.
Leave a Reply