Q&A: How Session plans to outpace Signal and Telegram
Join us for an exclusive interview with Session’s co-founder, Kee Jefferys. Explore how this app without phone numbers or central servers redefines privacy.
Earlier this week, we uncovered Session, the messaging app that doesn’t care who you are—literally. With no phone numbers, no central servers, and onion routing baked in, Big Tech wouldn’t recognize you if it tried.
Oh, did I mention that they have already racked up over one million users without spending a single cent on advertising? Apparently, people value their privacy and want a product that delivers on that promise. Who would have thunk, right?
Now, we take the conversation further. In our exclusive Q&A, we sit down with Session’s co-founder, Kee Jefferys, to uncover the inspiration behind the app, the technology driving it, and the challenges they’ve faced.
From encryption details to navigating global regulations—this interview covers it all.
Is privacy-first messaging the future? Read the full Q&A to see how Session is leading the way and what updates it has planned for privacy-focused users.
What inspired the creation of Session, and what problem does it aim to solve in the messaging space?
Session started as a proof-of-concept built on top of a decentralized network called the Loki Service Node Network. Back then, it was known as “Loki Messenger” (later rebranded to Session).
The idea was simple: we wanted to show developers what was possible on the decentralized network. A messaging app felt like the perfect example because if we could show people how to store and pass messages, that could be generalized to other applications and inspire creativity from developers to build their own projects.
What we didn’t expect was how quickly the community would latch onto Loki Messenger.
Almost from the moment we launched, people were asking for improvements and new features. They saw what we saw: Loki Messenger had something special, something other messaging apps didn’t offer.
There were three key things that set it apart:
- No Phone Numbers: You didn’t need a phone number to sign up. That simple change made messaging more private and anonymous.
- No Centralized Servers: By running on a decentralized network, there was no server collecting your data or creating a honeypot for hackers.
- Onion Routing Built-In: Onion routing hid users’ IP addresses and boosted privacy even further.
All of this was packaged into a cross-platform app that was easy to use, making privacy accessible to anyone.
Since the early days, Session has stayed focused on those principles, and it recently surpassed 1 million monthly active users.
What started as a proof-of-concept has grown into a privacy-first messaging platform that’s genuinely making a difference, and that’s something I’m proud to have been involved in.
Can you explain the technical details of Session’s end-to-end encryption and how it stands out from other messaging apps?
Session uses multiple layers of encryption when sending and receiving messages. When a user creates a Session account, they generate a random Ed25519 public-private key pair.
The public key becomes the user’s Account ID, which can be shared out-of-band via a QR code or a 66-character string of numbers and letters. Once you have someone’s Account ID, you can sign and encrypt messages for that specific user.
To send a valid message in a one-on-one chat, the sender starts by creating the message. The message is signed using the sender’s Ed25519 private key, following the Ed25519 signature algorithm.
This step ensures the authenticity of the message. The sender’s Ed25519 public key and the digital signature are then appended to the message.
Next, the sender generates an ephemeral X25519 key pair. This temporary key pair, along with the recipient’s X25519 public key, is used to create a shared symmetric encryption key.
Using this key, the message is encrypted with the XSalsa20-Poly1305 algorithm, ensuring both confidentiality and integrity.
The encrypted message and related metadata, such as the recipient’s X25519 public key and the sender’s ephemeral X25519 public key, are packed into an envelope. This envelope is then encrypted again for secure delivery using Session’s onion routing protocol, Onion Requests.
The onion routing process involves encrypting the envelope three times—once for each hop in the network path. Each layer of encryption is based on symmetric keys derived from the Ed25519 keys of each hop and encrypted with either AES or XChaCha20-Poly1305.
The triple-encrypted envelope is sent to the first hop, and each subsequent hop removes a layer of encryption, revealing the next destination until the envelope reaches the recipient’s swarm. Once the envelope arrives at the recipient’s swarm, the recipient fetches and decrypts it to retrieve the message.
Session’s encryption protocol provides end-to-end encryption and a high level of metadata privacy for every message sent.
Despite the sophisticated technology behind the scenes, users don’t need to worry about the complexity. They can simply send and receive messages as they would with any other app, all while benefiting from Session’s high level of privacy and security.
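The construction described in this answer, as an added example that is not part of the interview and is not Session’s own code: a sender signs with Ed25519, agrees an ephemeral X25519 key with the recipient, encrypts with an AEAD, and then wraps the envelope in three onion layers that each reveal only the next destination. It requires the third-party `cryptography` package. Several details are assumptions rather than Session’s choices: ChaCha20-Poly1305 stands in for XSalsa20-Poly1305 and XChaCha20-Poly1305, HKDF-SHA256 is used as the (unspecified) key derivation step, each party holds a separately generated X25519 key next to its Ed25519 key because the page does not say how Session derives one from the other, and the hop names, envelope layout and `recipient-swarm` label are illustrative.

```python
"""Added illustration (not Session's code): Ed25519 sign -> ephemeral X25519 ECDH
-> AEAD, then three onion layers peeled one hop at a time. Assumed substitutions:
ChaCha20-Poly1305 for XSalsa20/XChaCha20-Poly1305, HKDF-SHA256 as the KDF, and a
separately generated X25519 key beside each Ed25519 key."""
import os
from dataclasses import dataclass

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ed25519, x25519
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

RAW = (Encoding.Raw, PublicFormat.Raw)

def _raw(pub) -> bytes:
    return pub.public_bytes(*RAW)

@dataclass
class Identity:
    """Long-term Ed25519 signing key (public half = Account ID) plus an X25519 key."""
    sign: ed25519.Ed25519PrivateKey
    dh: x25519.X25519PrivateKey
    @classmethod
    def generate(cls) -> "Identity":
        return cls(ed25519.Ed25519PrivateKey.generate(), x25519.X25519PrivateKey.generate())
    @property
    def account_id(self) -> bytes:
        return _raw(self.sign.public_key())
    @property
    def dh_public(self) -> bytes:
        return _raw(self.dh.public_key())

def _kdf(shared: bytes, eph_pub: bytes, peer_pub: bytes) -> bytes:  # assumed KDF
    return HKDF(hashes.SHA256(), 32, None, b"onion-example" + eph_pub + peer_pub).derive(shared)

def seal_to(peer_pub: bytes, plaintext: bytes) -> bytes:
    """Ephemeral X25519 -> shared key -> AEAD. Layout: eph_pub(32) || nonce(12) || ct."""
    eph = x25519.X25519PrivateKey.generate()
    eph_pub = _raw(eph.public_key())
    key = _kdf(eph.exchange(x25519.X25519PublicKey.from_public_bytes(peer_pub)), eph_pub, peer_pub)
    nonce = os.urandom(12)
    return eph_pub + nonce + ChaCha20Poly1305(key).encrypt(nonce, plaintext, None)

def open_with(own: x25519.X25519PrivateKey, box: bytes) -> bytes:
    """Receiving side of seal_to. Raises cryptography.exceptions.InvalidTag on tampering."""
    eph_pub, nonce, ct = box[:32], box[32:44], box[44:]
    shared = own.exchange(x25519.X25519PublicKey.from_public_bytes(eph_pub))
    return ChaCha20Poly1305(_kdf(shared, eph_pub, _raw(own.public_key()))).decrypt(nonce, ct, None)

def seal_message(sender: Identity, recipient_dh_pub: bytes, msg: bytes) -> bytes:
    """Sign, append sender Account ID and signature, then encrypt for the recipient.
    Envelope layout: recipient X25519 pub (32) || sealed box."""
    signed = msg + sender.account_id + sender.sign.sign(msg)
    return recipient_dh_pub + seal_to(recipient_dh_pub, signed)

def open_message(recipient: Identity, envelope: bytes) -> tuple[bytes, bytes]:
    """Decrypt, then verify the Ed25519 signature (raises InvalidSignature if it fails)."""
    if envelope[:32] != recipient.dh_public:
        raise ValueError("envelope is not addressed to this key")
    signed = open_with(recipient.dh, envelope[32:])
    msg, sender_id, sig = signed[:-96], signed[-96:-64], signed[-64:]
    ed25519.Ed25519PublicKey.from_public_bytes(sender_id).verify(sig, msg)
    return msg, sender_id

@dataclass
class Hop:
    """One service node on the path, modelled with its own X25519 key (assumption)."""
    name: str
    key: x25519.X25519PrivateKey
    def peel(self, layer: bytes) -> tuple[str, bytes]:
        """Strip this hop's layer; the hop learns only where to forward the rest."""
        pt = open_with(self.key, layer)
        n = pt[0]
        return pt[1:1 + n].decode(), pt[1 + n:]

def build_onion(hops: list[Hop], envelope: bytes, destination: str) -> bytes:
    """Wrap once per hop, innermost first. Each layer = AEAD(len(next) || next || inner)."""
    payload, nxt = envelope, destination.encode()
    for hop in reversed(hops):
        payload = seal_to(_raw(hop.key.public_key()), bytes([len(nxt)]) + nxt + payload)
        nxt = hop.name.encode()
    return payload

def exchange(sender: Identity, recipient: Identity, hops: list[Hop], msg: bytes):
    """Seal -> one peel per hop -> open. Returns (message, sender id, forwarding trail)."""
    onion = build_onion(hops, seal_message(sender, recipient.dh_public, msg), "recipient-swarm")
    trail = []
    for hop in hops:
        nxt, onion = hop.peel(onion)
        trail.append(nxt)
    msg_out, sender_id = open_message(recipient, onion)
    return msg_out, sender_id, trail

if __name__ == "__main__":
    path = [Hop(f"hop{i}", Identity.generate().dh) for i in (1, 2, 3)]
    print(exchange(Identity.generate(), Identity.generate(), path, b"hello over three hops"))
```

Two properties worth checking when running it: a hop that is handed a layer built for a different node cannot remove it, because the AEAD tag check fails under the wrong shared key, and the recipient learns the sender’s Account ID only from inside the decrypted payload, so nothing outside the innermost layer names the sender.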
What measures are in place to prevent vulnerabilities or backdoors in the encryption protocol?
Session is fully open-source. This includes all client applications, including Session iOS, Android, and Desktop, as well as all the software powering the decentralized network of nodes which stores and routes messages.
The source code is publicly available on GitHub at https://github.com/session-foundation
To implement a backdoor in the application, malicious developers would need to push code changes to these repositories and create a new release. Such changes would not go unnoticed by the Session community or its contributors.
If this were to happen, the repositories could easily be forked away from the malicious developer, and the application could be redeployed without the harmful code.
Session has also undergone independent third-party audits to ensure its security and integrity. One such audit was conducted by Quarkslab, with their findings made publicly available. You can review their report here:
This openness and transparency makes it difficult for a backdoor or vulnerability to make it into a release.
How does Session plan to generate revenue, and what business model is seen as sustainable for the platform?
The long-term model for Session’s sustainable development involves monetization through a premium version of Session, called Session Pro.
Session Pro will be a subscription service designed for power users, offering additional features in a manner similar to how Telegram Premium enhances the experience for Telegram users.
All Session Pro subscription payments flow back into the Session ecosystem. These payments will help sustain and grow the Session Node network, ensuring its scalability and reliability as Session’s user base continues to expand.
Importantly, Session will always maintain a free version that ensures the same high level of privacy for all users. This commitment to privacy-first messaging remains central to Session’s mission.
What strategies are being used to attract new users and grow the user base?
All of Session’s growth so far has been entirely organic, driven largely by recommendations from influential privacy experts. I believe this growth will accelerate as Session continues to position itself as a more secure alternative to WhatsApp, Telegram, and Signal. The teams working on Session have deep connections in the NGO space and among privacy thought leaders, who will continue advocating for Session as the app grows and improves its underlying features.
There’s still work to be done on the technical side to improve user retention.
Over the next 6–12 months, the focus will be on key areas like enhancing group functionality, increasing speed and reliability, and making onboarding as seamless as possible. This includes ensuring that users can easily connect with friends and family and invite new people to join the app.
By addressing these technical challenges while maintaining strong advocacy in the privacy space, Session is well-positioned to continue its upward trajectory as a leading privacy-focused messaging platform.
The regulatory landscape around private messaging is still emerging, and different countries are taking different approaches to regulating end-to-end encryption and data privacy.
Session recently announced that stewardship of the project would be moving outside of Australia, from the original steward of the project (the OPTF) to the Session Technology Foundation, a Swiss-based foundation dedicated to promoting digital innovation and digital rights.
This move was largely in response to recent legislation and pressure from Australian regulators, which have made it increasingly difficult for Session to operate out of Australia while maintaining the privacy and security guarantees it offers its users.
Unlike Australia, Switzerland has strong constitutional protections preserving privacy and a long history of supporting pro-privacy applications like ProtonMail, Threema, and Nym.
What challenges has Session faced regarding government requests for user data or backdoors, and how has the company responded?
By design, the companies and individuals involved in the development of Session have no privileged access to user data.
End-to-end encrypted messages are stored and routed through a network of over 2,100 community-operated nodes. This approach is fundamentally different from other messaging platforms.
Historically, this design has meant that when data requests are received, there is no information available to share with the requesting party. The OPTF, the previous steward of the Session project, published regular transparency reports to support this fact, which can be viewed here.
As the Session Technology Foundation takes over stewardship, it will continue this tradition, with transparency reports published here: https://session.foundation/transparency-reports
None of the companies or individuals involved in the development of Session have received requests to implement backdoors into the application.
The transfer of stewardship to the Swiss-based Session Technology Foundation is a proactive step to ensure that Session can continue protecting its users’ privacy and security.
What new features or functionalities can users expect in the next 6-12 months?
The current Session roadmap focuses on overhauling key features to enhance reliability and usability across the application. Here are the main areas of focus:
Groups: Since their release in 2022, groups have faced several challenges.
Users have reported occasionally losing access to groups when underlying encryption keys are rotated, which occurs when members are removed from a group.
Additionally, messages may be lost when users join a group or remain offline for more than 14 days. To address these issues, the architecture of groups is being fully redesigned to make them more persistent on the node network and improve reliability during encryption key rotations.
As part of this overhaul, several usability enhancements are also being implemented, including support for multiple administrators in groups, a new group invite system, and improved push notification support.
These changes aim to make groups both more reliable and user-friendly.
Onboarding: Non-technical users have sometimes struggled with Session’s onboarding process.
Historically, Session introduced complex private key management concepts, such as mnemonic seed phrases, early in the onboarding experience. This complexity often led to frustration and abandonment during sign-up.
A recent update simplified the onboarding process by deferring these advanced concepts until after account creation. This change has improved retention during onboarding.
However, there’s still room for improvement.
Future plans will likely involve integrating passkeys to further lower the barriers to entry and simplifying the process of inviting new users by leveraging deeplinks.
Onion Routing: Shortly after Session was released, Onion Requests were introduced as a simplified implementation of an Onion Routing protocol.
While effective for basic needs, Onion Requests are a non-streaming, HTTP-based protocol, and are inherently slower and less capable than more advanced protocols.
Messages typically take 1–3 seconds to send, while file uploads and downloads can take significantly longer. Additionally, Onion Requests impose a 10 MB cap on files, limiting Session’s functionality for larger file transfers.
To overcome these limitations, the Session team has been developing Lokinet, a more advanced onion routing protocol. Lokinet supports stream-based connections and is built on UDP, allowing for faster and more flexible performance.
Lokinet is currently undergoing a full refactor and is nearing maturity. Internal testing shows that Lokinet is 3–10 times faster than Onion Requests, meaning message delivery and file transfer times could be drastically improved once implemented. Moreover, Lokinet does not impose the same file size limitations, paving the way for much larger file uploads on Session.
A big thanks to the Session co-founder Kee Jefferys and the rest of the team for taking the time to pull back the curtain on what makes their app tick—and why privacy matters more than ever.
If you’re ready to take your messaging game up a notch (or ten), you can download Session for free on the App Store or Google Play, and it’s also available for PC, Mac, and Linux. Go check it out and see what true privacy feels like.
How do you feel about the potential updates and developments mentioned by Session’s co-founder? Share your insights in the comments below.
Mason Pelt
December 19, 2024 at 11:00 am
This is good!