Frequently Asked Questions

Intro

What is Session?

Session is a private messaging app that protects your metadata, encrypts your communications, and makes sure your messaging activities leave no digital trail behind.


Why is my Session not working?

Due to the privacy-focused nature of Session, we understand that many of our users choose not to enable auto-updates through the App or Play stores.

The most common solution to issues with Session is to make sure your app is running the latest version.

You can always find the latest version of Session here: https://getsession.org/download

Security

Is Session rolling its own cryptography?

No, Session does not roll its own cryptography. Session uses Libsodium, a highly tested, widely used, and highly-regarded crypto library.

Libsodium is completely open-source.

Why should I trust Session?

Conversations in Session are end-to-end encrypted, just as in most private messengers. However, when you use Session, the identities of the people communicating are also protected. Session keeps your communication private, secure, and anonymous.

When using Session, your messages are sent to their destinations through a decentralised onion routing network similar to Tor (with a few key differences), using a system we call onion requests. Onion requests protect user privacy by ensuring that no single server ever knows a message’s origin and destination. For more on this, check out What is an onion routing network? below. For more technical details, read our blog on onion requests.

Session’s code is open-source and can be independently audited at any time. Session is a project of the Oxen Privacy Tech Foundation, a not-for-profit organisation whose mission is to provide the world with better access to digital privacy technologies.

Session has also undergone a security audit by Quarkslab, the results of which can be found here.

What kind of encryption does Session use?

Session encrypts your messages using the Session Protocol, a cutting-edge end-to-end encryption protocol built on libsodium, a highly-audited and widely trusted cryptographic library.

A technical description of the Session Protocol can be found in our technical deep-dive blog.

Has Session undergone a security audit?

Session’s desktop, Android, and iOS clients have been audited by Quarkslab. The results of this audit can be found here.

If my phone is taken from me, can someone access my messages?

Session allows users to encrypt their local Session database with a PIN code. With this feature turned on, your messages cannot be accessed without knowing your PIN code.

What is a recovery phrase?

Because Session doesn’t have a central server storing information about your identity, restoring your account using the traditional username and password method is not possible. Your recovery phrase is a mnemonic seed which can be used to restore your existing Session ID to a new device. 


Make sure you store it in a safe place!

What are the best ways to safely store my Session ID recovery phrase?

Your recovery phrase is like the master key to your Session ID — it’s important to store it safely and securely, and to ensure that only you have access to it. Here are a few options for keeping your recovery phrase safe:

  • Write your recovery phrase on a piece of paper, then store it in a safe location.

  • Consider further securing your recovery phrase by splitting it into sections using a technique like Shamir’s Secret Sharing.

Remember — the order of the words in your recovery phrase is crucial. However you store it, ensure that you can reconstruct it in the same order in which it was provided.

How do I restore using my recovery phrase?

On Desktop 

        At the startup screen, click Sign In and then Restore From Recovery Phrase.

        Enter your recovery phrase into the text box, and select a new display name. 

        Your Session ID is recovered. 

On Mobile

        At the startup screen, tap Continue your Session. 

        Enter your recovery phrase into the text box. 

        Enter a new display name and tap Continue. 

        Select your preferred push notification setting and tap Continue.

        Your Session ID is recovered.

I restored using my recovery phrase but my contacts and messages are gone. What happened?

Your recovery phrase is not currently able to restore your contacts or messages. For your security, your contacts and messages are stored locally, so they cannot be retrieved once you have deleted them. 

Why doesn't Session have PFS?

Simply put, Session mitigates the same risks that PFS does in other ways.

Through fully anonymous account creation, onion routing, and metadata minimisation, Session provides just as effective protection in real-world scenarios as PFS does, and in some cases even better protection.

For more information check out our blog about the removal of PFS: https://getsession.org/session-protocol-explained

How do I perform a backup?

Although backups are a planned feature of Session, they have not been implemented yet.

Privacy

How does Session protect my identity?

You don’t need a mobile number or an email to make an account with Session. Your display name can be your real name, an alias, or anything else you like.

Session does not collect any geolocation data, metadata, or any other data about the device or network you are using. At launch, Session used proxy routing to ensure nobody can see who you’re messaging or the contents of those messages. Shortly after launch, Session moved to our onion routing system, which we call onion requests, for additional privacy protection. For more on Session’s secure message routing, check out What is an onion routing network? and What is proxy routing?

Is my IP address being revealed when I use Session?

In messaging apps, metadata is the information created when you send a message — everything about the message besides the actual contents of the message itself. This can include information like your IP address, the IP addresses of your contacts, who your messages are sent to, and the time and date that messages are sent.

It’s impossible for Session to track users’ IP addresses because the app uses onion requests to send messages. Because Session doesn’t use central servers to route messages from person to person, we don’t know when you send messages, or who you send them to. Session lets you send messages — not metadata.

How do push notifications work on mobile platforms? Are there any privacy compromises?

Android

Session’s Android client has two options for notifications: background polling (slow mode), and Firebase Cloud Messaging (fast mode). 

If you choose slow mode, the Session application runs in the background and periodically polls its swarm (see What is a swarm) for new messages. If a new message is found, it is presented to you as a local notification on your device.

If you choose fast mode, Session will use Google’s FCM push notification service to deliver push notifications to your device. This requires that your device IP address and unique push notification token are exposed to a Google operated push notification server. Additionally, you will expose your Session ID and unique push notification token to an OPTF operated push notification server, for the purpose of providing the actual notifications to the Google FCM server.

These exposures are fairly minimal, because Google will likely already know your device’s IP address through telemetry data or other applications on your device that use push notifications. Registration of your Session ID and unique push notification token with the OPTF push notification server is necessary for detecting and signaling new messages, and is low impact because registration occurs over onion requests, meaning your Session ID and push notification token are never tied to any real-world identifier (such as your IP address).

When using fast mode neither Google nor the OPTF can see the contents of your messages, who you’re talking to, or exactly when messages are sent or received. 

iOS

Session’s iOS client has two options for notifications: background polling (slow mode), and Apple Push Notification Service (APNs) (fast mode). 

If you choose slow mode, the Session application runs in the background and periodically polls its swarm (see What is a swarm) for new messages. If a new message is found, it is presented to you as a notification on your device.

If you choose fast mode, Session will use the APNs push notification service to deliver push notifications to your device. This requires that your device IP address and unique push notification token are exposed to an Apple operated push notification server. Additionally, you will expose your Session ID and unique push notification token to an OPTF operated push notification server, for the purpose of providing notifications to the APNs server.

These exposures are fairly minimal, because Apple will likely already know your device’s IP address through telemetry data or other applications on your device that use push notifications. Registration of your Session ID and unique push notification token with the OPTF push notification server is necessary for detecting and signaling new messages, and is low impact because registration occurs over onion requests, meaning your Session ID and push notification token are never tied to any real-world identifier (such as your IP address).

When using fast mode neither Apple nor the OPTF can see the contents of your messages, who you’re talking to, or exactly when messages are sent or received.

Can you list Session on F-Droid?

Session now has an F-Droid repo for everyone who wants to avoid the Google Play Store.

Simply head to this address on an Android device with F-Droid installed to add the repo.

Does Session strip metadata from my attachments?

Session uses onion routing to hide your IP address when uploading or downloading attachments from the Oxen File Server. In future, you will also be able to configure the Session app to use a custom file server, such as a self-hosted server or VPS (Virtual Private Server), if you would prefer not to use a file server hosted by the OPTF.

For metadata contained within the files themselves, all attachments stored on the server are encrypted and can only be decrypted by your chat partner(s) — so the Oxen File Server cannot see any metadata about files you send on Session. Currently, EXIF metadata is stripped from files (except videos) sent from Desktop. If you want to make sure your chat partner cannot see metadata about a file, we recommend stripping the metadata before sending them the file — check out our how-to article here.

Calls

Does Session have calls?

Both voice calls and video calls are currently available as a beta feature in Session.


Calls Tutorial

How do I enable calls?

Calls are currently a beta feature which is turned off by default. In order to opt-in, you'll have to enable calls in your app settings. Here is how you can do it:

  1. Open your app settings

  2. Tap or click on ‘Privacy’

  3. Enable the Voice and video calls option at the bottom of the menu

Are calls private?

Calls in Session are end-to-end encrypted and offer a good level of privacy. Unlike messages (which use onion-routed networking), the current implementation of calls uses peer-to-peer networking. This means your IP will be shared with your call partner as well as an OPTF operated STUN/TURN server. Although this is acceptable for most people, you should always make sure to assess your own personal situation to determine whether the risk of exposing your IP is worth it. If you're in an extremely high-risk situation, we do not recommend enabling peer-to-peer calls — onion-routed calls are on the way.

In order to prevent spam and protect privacy, you can only send and receive calls with people in your contacts list — not unknown Session IDs or people in your message requests.

How do I make a call?

Make a call by navigating to the chat screen and tapping on the 📞 icon.

Are there group calls?

Session hasn't got group call functionality just yet. Currently you can have a voice or video call between two people.

How do calls work?

All calls are made using the webRTC protocol and are end-to-end encrypted. Voice and video calls are facilitated through a peer-to-peer connection, meaning that you and your call partner share the data with each other directly as opposed to routing data through Session's decentralised network.

Why did my call fail?

In order for a call to succeed, both call participants need to have enabled calls in their settings, and they must be in each other's contacts lists. If either condition isn't met, the call will fail.

Why haven't I received any calls?

If you're expecting a call, make sure you check to see if you have enabled calls in your app settings.

If you are using Slow Mode notifications, you will also need to have Session open and in the foreground in order to successfully receive a call — otherwise you will not get a notification that someone is ringing you.

Can I leave a voicemail?

If a call is unsuccessful there is no default voicemail prompt. However, you always have the option to send a voice memo/audio message directly to another user.


Voice Message Video

Australia

Does the Australian government's anti-encryption stance pose a risk to Session?

We don’t believe it does. From the very beginning of Session, and Oxen, we have been ready for regulatory hostility. Being built in Australia, one of the Five-Eyes intelligence alliance countries, meant accepting that hostile regulation was likely to come. But there’s a pretty simple reason as to why we chose to build here anyway: running from legislators isn’t a solution. 

Rather than set up shop in Switzerland and hope that the regulatory environment never changes, we focused on developing technology that could be resistant to surveillance by governments (and everyone else too).

Decentralisation and metadata minimisation are the core of that ideal. The Session team is based in Australia, but Session has infrastructure all around the world. Over 1,500 community operated servers are currently routing Session messages for over 150,000 users, and the minimal amount of data that flows through them is inaccessible to the Session Team — we can’t be compelled to hand over information that we don’t have.

What will Session do if compelled by a court to reveal user identities?

As Session is a project of the Oxen Privacy Tech Foundation, court orders in situations such as this would be targeted at the Foundation.

The OPTF would comply with lawful court orders. However, the OPTF could not reveal user identities; the Foundation simply does not have access to the data required to do so. Session ID creation does not use or require email addresses or phone numbers. Session IDs (which are public keys) are recorded, but there is no link between a public key and a person’s real identity, and due to Session’s decentralised network, there’s also no way to link a Session ID to a specific IP address.

The most the OPTF could provide, if compelled to do so, would be tangential information such as access logs for the getsession.org website or statistics collected by the Apple App Store or Google Play Store.

How does the Assistance and Access Bill affect Session?

The Assistance and Access bill (also known as TOLA) was introduced in 2018 with the intention of allowing the federal government to compel Australian entities to give them backdoors into encryption protocols. The scope of TOLA extends far beyond encryption, but the bill has clauses that prevent the government from asking an application developer to insert a “systemic weakness” into their application. Our analysis of this provision indicates that any backdoor which would violate user privacy in Session would be beyond the scope of the Assistance and Access legislation. 

As the entire Session codebase is open-source, authorities or malicious actors from any jurisdiction could create modified Session clients themselves, which could undermine user privacy. As the Assistance and Access bill does not allow the government to force us to push out a ‘systemic’ vulnerability, or prevent us from fixing such vulnerabilities, any modified client would not be pushed through the App Store or other official download channels. Instead, the attacker would need some method to directly inject the modified client onto a specific user’s device, something which we are not capable of doing.

Session’s developers do not have control over the Oxen Service Node network, the network used to route and store user encrypted messages. So long as associated codebases and software releases maintain integrity, we do not and will not have access to any privileged information which may undermine user privacy. And because our platform is open-source, anyone can independently verify that such integrity is maintained.

For a more in-depth overview of our perspective on the risks posed by TOLA, read our blog on the issue.

How does the Identify and Disrupt Bill affect Session?

The Identify and Disrupt Bill was introduced at the end of 2020, adding three new classes of warrant for investigating online activity. While we staunchly oppose this expansion of the Australian government’s surveillance mandate, we don’t believe that the powers granted by this bill provide a threat to Session. 

The bill has a focus on targeting individuals through their devices, accounts, and network activity. The dangers posed by this to Session are limited due to the following reasons:

  • Session allows individuals to encrypt their local Session database with a PIN code, dampening the danger of device access compromising their Session instance

  • The Session team has no ability to access the accounts of Session users, as well as no ability to provide that access to authorities if requested

  • Session is built to minimise metadata leakage. Monitoring the network activity of an individual using Session would provide almost no information to authorities

  • Session is and will always be open source. Any changes to these key defenses would be public and visible to everyone

The Identify and Disrupt Bill provides no ability for the Australian government to force the Session team to modify Session to weaken the privacy and security of its users

Contacts

How do I add a contact?

On Android or iOS, tap the green plus button at the bottom of the main Messages screen, then tap the chat bubble icon that appears above the plus button. Paste or type your contact’s Session ID into the Session ID field, tap Next, then send your contact a message. Easy as that!

On desktop platforms, click New Session on the main Messages screen, paste or type your contact’s Session ID into the Session ID field, click Next, then send your contact a message. 

Note: on desktop, you can also add a contact by clicking Add Contact in the Contacts section of the app.

How do I know if the person I am talking to is the person I want to talk to?

One challenge with truly anonymous communications systems like Session is that sometimes you do need to verify the identity of the person you’re talking to! In cases like these, it’s best to use a secure secondary channel of communication to confirm with the other person that you’re both who you say you are.

How do I delete a contact?

On mobile, you can delete a contact by swiping left on the contact in the conversation list, and then pressing Delete. 

On desktop, you can delete a contact by right clicking on the contact in the conversation list, and then clicking Delete Contact.

Messaging

What is a Service Node?

Service Nodes are the community-operated nodes which make up the Oxen Network. There are currently over 1,000 nodes in the network. These Service Nodes are responsible for storing and routing your Session messages. You can read more about Service Nodes over at Service Node documentation.

Where are my messages being stored?

When you send a message, it is sent to your recipient’s swarm. A swarm is a group of Oxen Service Nodes tasked with temporarily storing messages for retrieval by the recipient at a later point.

Are my messages stored on a blockchain?

No, your messages are not stored on a blockchain. Messages are stored by swarms, and are deleted after a fixed amount of time (called the “time-to-live”, or TTL).

All of your messages are encrypted, and can only be decrypted using the private key which is stored locally on your device.

How do Session ID usernames work?

Session usernames are permanent alphanumeric names that can be purchased using the anonymous Oxen cryptocurrency and attached to a Session ID. If you have a Session username attached to your Session ID, others will be able to add you on Session using that name, instead of having to use your full Session ID. Usernames make adding contacts quick and convenient.

How are Session ID usernames different to Session nicknames?

Session ID usernames are permanent names which can be purchased and attached to a Session ID. Once purchased and linked, you can give others your Session ID username and they can add you on Session using that name — much more convenient than dealing with a long, complicated Session ID.

Session nicknames are the names you can set for yourself in Session when you create a Session ID. Nicknames can be changed at any time, but you can’t use a nickname to add someone on Session.

Can I share attachments with my contacts?

Session can send files, images and other attachments up to 10MB in both person-to-person conversations and group chats. By default, Session uses the Oxen File Server for attachment sending and storage. The Oxen File Server is an open-source file server run by the Oxen Privacy Tech Foundation — the creators of Session. When you send an attachment, the file is symmetrically encrypted on the device and then sent to the Oxen File Server. To send the attachment to a friend, Session sends them an encrypted message containing the link, plus the decryption key for the file. This ensures that the Oxen File Server can never see the contents of files being uploaded to it.

What is a swarm?

A swarm is a collection of 5 – 7 Service Nodes which are responsible for the storage of messages for a predefined range of Session IDs. Swarms ensure that your messages are replicated across multiple servers on the network so that if one Service Node goes offline, your messages are not lost. Swarms make Session’s decentralised network backend much more robust and fault-tolerant.

Groups

What are groups?

Groups are fully end-to-end encrypted group chats. Up to 100 people can participate in a group chat. Group messages are stored on Session’s decentralised network, without using any central server(s).

What are communities, and how do they compare with groups?

The short answer: communities are not as private as person-to-person messages or groups.

The long answer: communities are large public channels where Session users can congregate and discuss anything they want. Communities, unlike other services in Session, are self-hosted and thus not fully decentralised. Someone has to run a server which stores the community’s message history. Additionally, because community servers can serve thousands of users, messages are only encrypted in transit to the server rather than being fully end-to-end encrypted.

For smaller group chats with a higher degree of privacy, users are encouraged to use groups.


Join Communities Video

Onion Routing

What is an onion routing network?

An onion routing network is a network of nodes over which users can send anonymous encrypted messages. Onion networks encrypt messages with multiple layers of encryption, then send them through a number of nodes. Each node ‘unwraps’ (decrypts) a layer of encryption, meaning that no single node ever knows both the destination and origin of the message. Session uses onion routing to ensure that a server which receives a message never knows the IP address of the sender.

Session’s onion routing system, known as onion requests, uses Oxen’s network of Oxen Service Nodes, which also power the $OXEN cryptocurrency. Check out Oxen.io to find more information on the tech behind Session’s onion routing.
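Two mechanisms described on this page, the layered encryption of onion requests above and the attachment flow in “Can I share attachments with my contacts?”, both rest on the same primitive: authenticated symmetric encryption under a key that the server never sees. The block below is an added, self-contained model written for this page, not Session’s or libsodium’s code. A keyed HMAC-SHA256 keystream with an HMAC tag stands in for libsodium’s authenticated encryption, per-hop keys are pre-shared rather than negotiated, the node names and the “sender” address are constructed labels, and the file server is an in-memory dictionary. It shows what each hop can observe (the first hop sees the sender, the last sees the destination, none sees both), that a modified layer is rejected, and that the file server holds only ciphertext while the key travels inside the end-to-end encrypted message.

```python
import hashlib
import hmac
import json
import os

# --- authenticated symmetric encryption (educational stand-in for libsodium's secretbox) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; produces `length` keystream bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one hop/file key."""
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification of the blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- onion request: one layer per hop, each hop learns only the next hop ---

def build_onion(path, destination: str, payload: bytes) -> bytes:
    """path: [(node_name, hop_key), ...] from first hop to last. Wrap the innermost layer first."""
    layer = {"next": destination, "inner": payload.hex()}
    blob = seal(path[-1][1], json.dumps(layer).encode())
    for (_, key), (next_name, _) in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = seal(key, json.dumps({"next": next_name, "inner": blob.hex()}).encode())
    return blob


def route(path, onion: bytes, sender_addr: str):
    """Run the onion through every hop, recording what each node observes."""
    observations, previous, blob = [], sender_addr, onion
    for name, key in path:
        layer = json.loads(open_sealed(key, blob))          # strip exactly one layer
        observations.append({"node": name, "from": previous, "to": layer["next"]})
        previous, blob = name, bytes.fromhex(layer["inner"])
    return observations, blob                                # blob is now the payload


def onion_demo():
    path = [(name, os.urandom(32)) for name in ("node-A", "node-B", "node-C")]  # constructed hops
    onion = build_onion(path, "recipient-swarm", b"hello")
    observations, payload = route(path, onion, "sender")
    tampered = onion[:-1] + bytes([onion[-1] ^ 1])           # flip one bit of the outer layer
    try:
        open_sealed(path[0][1], tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return observations, payload, tamper_detected

# --- attachment: encrypt on device, server keeps ciphertext, key travels in the message ---

FILE_SERVER = {}  # constructed stand-in for the file server: file_id -> ciphertext

def send_attachment(file_bytes: bytes):
    """Sender side: encrypt, upload the ciphertext, return the message carrying link + key."""
    file_key = os.urandom(32)
    ciphertext = seal(file_key, file_bytes)
    file_id = hashlib.sha256(ciphertext).hexdigest()[:16]
    FILE_SERVER[file_id] = ciphertext
    return {"link": file_id, "key": file_key.hex()}          # goes inside the E2E-encrypted message


def receive_attachment(message) -> bytes:
    """Recipient side: fetch by link, decrypt with the key from the message."""
    return open_sealed(bytes.fromhex(message["key"]), FILE_SERVER[message["link"]])


def attachment_demo():
    original = b"constructed photo bytes"
    message = send_attachment(original)
    server_sees = FILE_SERVER[message["link"]]
    return receive_attachment(message), original not in server_sees
```

Running `onion_demo()` returns the per-hop observations: node-A records the sender and node-B, node-C records node-B and the recipient, and no single entry contains both ends, which is the property the answer above describes. `attachment_demo()` returns the decrypted file and a flag confirming the stored blob does not contain the plaintext.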

What is proxy routing, and how is it different from onion routing?

Proxy routing was an interim routing solution which Session used at launch while we worked to implement onion requests. When proxy routing was in use, instead of connecting directly to an Oxen Service Node to send or receive messages, Session clients connected to a service node which then connected to a second service node on behalf of the Session client. The first service node then sent or requested messages from the second node on behalf of the client device.

This proxy routing system ensured that the client device’s IP address was never known by the service node which fetches or sends the messages. However, proxy routing did provide weaker privacy than the onion request system Session now uses. Proxy routing still provided a high level of security for minimising metadata leakage in the interim. The proxy routing system has now been replaced by onion requests.

What is Lokinet?

Lokinet is a powerful onion router that is fast enough to handle real-time voice communications, making it a crucial part of our plan to add real-time end-to-end encrypted voice calls to Session without relying on central servers.

When will Lokinet be implemented?

The Session team is hard at work fixing bugs and shoring up core messaging functionality, but once the app is working reliably, we’ll be moving on to Lokinet integration to bring voice calling functionality to Session. We’ll keep the community updated on our progress, so be sure to follow our Twitter to stay up to date!

Does Session work when I'm using a VPN?

Yes! There is no reason that Session shouldn’t work when you are using a VPN. The only difference is that your VPN provider would contact the Service Node network instead of your client connecting directly.

Contact/Support

How can I get help with my Session app?

Got questions, running into an issue, tearing your hair out? You can visit our help centre to find the solution. If that doesn't cut it you can also contact us in the official Session Feedback community (join the Session Community in Session).

How can I report a bug or issue?

You can hop into the official Session community (join the Session Community in Session).

If you are technically minded, you can submit an 'issue' in our official Github repository.

Alternatively, you can submit a ticket in our help centre to reach out to our support team. 

For the best possible troubleshooting, you can include a debug log from your Session app. You can do this by going to the Settings menu on your device and tapping/clicking 'Debug Log' to generate a log. This will create a log file that you can share with our team in the ticket that you open.


Report Bug Video

How do I give feedback or suggestions?

We welcome community feedback and feature suggestions!

You can hop into the official Session community (join the Session Community in Session).

Alternatively, you can submit a ticket in our help centre to reach out to our support team. 

How do I download beta versions of Session?

To join a beta branch, check out the instructions for your device below:

Android:

  • Head to the Play Store and install Session normally

  • After installing Session, under “Join the beta,” tap Join and then follow the prompts

You can also join from this web page if you are signed into your Google account in your browser.

Note: if the ‘Join the beta’ section does not appear, try restarting the Play Store app on your device.

or

Download and install any available pre-release APK here.

iOS:

To join the beta on iOS, follow these steps:

  • Install TestFlight on your device

  • Opt-in to testing our beta release here

  • Tap Install or Update

or

  • Download and sideload the pre-release IPA here.

Desktop

To join the beta on desktop, simply download the relevant executable file from the pre-release here.

Note: It is not currently possible to downgrade versions from the beta branch to an older official version. If your device encounters issues with the beta version, you may need to wait for the next official release or un-install and restore using your recovery phrase. Restoring will result in the loss of messaging content that is older than 14 days.

Session Token

What is Oxen?

Oxen is the token which currently secures the decentralised network powering Session. This network is known as the Oxen Network. Oxen tokens are used to reward our community for running high quality servers. They must also be acquired and ‘locked up’ to run a server, increasing the surveillance-resistance and security of the network by making it difficult for any one person or group to run a large portion of the network.

What is Session Token?

Session Token is a new token which will secure the new Session Network. Coming later this year, this upgrade will:

  • Create clarity and transparency by uniting the ecosystem under the Session brand

  • Make it much, much easier for people to run servers in the network

  • Unlock new utility for network operators

Will this affect the security of the app in any way?

No.

The Session Network will provide the same security to Session Users as the old Oxen Network.

How will this change affect me?

Session users won’t be affected by the transition. The changes will be handled by the community of server-operators powering Session’s decentralised network. All of the usual Session functionality will be exactly the same.

Why does Session use cryptocurrency?

Session uses cryptocurrency to provide Sybil resistance to the decentralised network of servers known as the Session Network. For more information check out our blog: https://getsession.org/how-session-protects-your-anonymity-with-blockchain-and-crypto

Do I need to use Session Token to use Session?

Nope, Session will always remain free to use. In the future we plan to add premium features that provide additional functionality, and access to these features will be purchasable using either Session Token or traditional payment methods. Note that Session is operated by a registered non-profit, and all revenue generated by ‘Session Pro’ is allocated to operational costs or as rewards for network operators.

Join the movement to keep the internet private!

Chat with like-minded individuals in the Session Community.

Friends don’t let friends use compromised messengers.

Sign up to the mailing list and start taking action!