Session is a private messaging app that prioritizes user privacy and security above all else. To ensure your online communications remain private, Session employs cutting-edge end-to-end encryption and metadata minimization.

If you prefer not to enable auto-updates through the App Store or Play Store, you can check for the latest version of Session manually on our website: https://getsession.org/download. If you encounter any issues with Session, our support portal is available at: https://sessionapp.zendesk.com/hc/en-us

Security

At Session, we don't roll our own cryptography; instead, we rely on libsodium, a widely used and well-reviewed open-source crypto library. Building on a well-reviewed library avoids the implementation mistakes that hand-written primitives invite, but it does not by itself make the protocol built on top of it secure, which is why our protocol is open to review and has been independently audited. We're also working on Session Protocol V2, which will introduce post-quantum cryptography for added security.

All conversations in Session are end-to-end encrypted, ensuring that only the intended recipients can access your messages. Additionally, we protect user privacy by keeping identities anonymous and ensuring that no single server ever knows a message's origin or destination. This decentralized onion routing network is similar to Tor, but with some key differences. For more information on this technology, check out our blog post on onion requests.

Our code is open-source, allowing for independent auditing at any time. Session is stewarded by the Session Technology Foundation, which promotes digital rights and innovation. We've also undergone a security audit by Quarkslab, with the results available online.

Recovery Passwords


To restore your account on any device with Session installed, you'll need your recovery password. This password is the master key to your Account ID: anyone who has it can restore your account and read new messages, and there is no way to reset it if it is lost. Store it safely and make sure only you have access to it. You can write it down and keep it in a secure location, or split it into shares using Shamir's Secret Sharing so that no single share reveals it and a chosen number of shares is needed to reconstruct it.
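One way to keep the recovery password as Shamir shares, as an added example that is not Session's code: the password is split byte by byte over GF(2^8) into n shares, any k of which reconstruct it, while fewer than k reveal nothing about it. The password string, the values of k and n, and the function names are constructed for illustration.

```python
"""k-of-n Shamir secret sharing of a recovery password over GF(2^8).

Added example, not Session's code. The recovery password below is a
constructed placeholder, not a real one.
"""
import secrets


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 has none."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    for c in range(1, 256):
        if gf_mul(a, c) == 1:
            return c
    raise AssertionError("unreachable: every non-zero element has an inverse")


def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x with Horner's rule in GF(2^8)."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r


def split(secret, k, n):
    """Return n shares (x, bytes); any k of them reconstruct `secret`."""
    if not 1 < k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    # One random degree-(k-1) polynomial per secret byte; constant term = the byte.
    polys = [[s] + [secrets.randbelow(256) for _ in range(k - 1)] for s in secret]
    return [(x, bytes(poly_eval(p, x) for p in polys)) for x in range(1, n + 1)]


def combine(shares):
    """Lagrange-interpolate each byte's polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or any(not 1 <= x <= 255 for x in xs):
        raise ValueError("share x values must be distinct and in 1..255")
    length = len(shares[0][1])
    if any(len(y) != length for _, y in shares):
        raise ValueError("shares have mismatched lengths")
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            basis = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    # Lagrange factor (0 - xm) / (xj - xm); subtraction is XOR here.
                    basis = gf_mul(basis, gf_mul(xm, gf_inv(xj ^ xm)))
            acc ^= gf_mul(yj[i], basis)
        out.append(acc)
    return bytes(out)


# Constructed placeholder; a real recovery password would never be committed to code.
RECOVERY_PASSWORD = "apple canyon drift ember flute grove harbor island jungle kettle lantern meadow nectar"

if __name__ == "__main__":
    shares = split(RECOVERY_PASSWORD.encode(), k=3, n=5)
    for x, y in shares:
        print(f"share {x}: {y.hex()}")
    # Any three shares, in any order, give the password back.
    print(combine([shares[4], shares[1], shares[2]]).decode())
```

Give each share to a different person or place and record k alongside the shares: Shamir provides no integrity on its own, so combining fewer than k shares, or a corrupted share, returns a wrong password with no error. Verify a reconstructed password by restoring on a spare device before relying on it.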

Using Your Recovery Password

Once you've stored your recovery password safely, you can use it to restore your Session Account ID on any device with Session installed. This allows you to keep messaging with your contacts using the same Account ID, rather than having to create a new one. On Desktop, download and install Session on your new computer. Open the Session app, but instead of creating a new account, click "I have an account." Enter your recovery password and choose your display name if one had not been previously set.

On Mobile

At the startup screen, tap "Continue your Session." Enter your recovery password. Choose a new display name and tap "Continue." Select your preferred push notification setting and tap "Continue." Your Account ID is recovered.

When you restore using your recovery password, Session retrieves any messages sent in the last 14 days; messages are only held on the network for that long, so older messages cannot be restored. Contacts and groups are synced through a configuration message that expires after 30 days. If none of your devices has been online in the last 30 days, that configuration message has expired and your contacts cannot be recovered.

Perfect Forward Secrecy

The current Session Protocol does not provide perfect forward secrecy (PFS). Session mitigates some of the risks that PFS addresses in other ways: fully anonymous account creation, onion routing, and metadata minimization limit what an observer can learn about who is talking to whom. These do not replace PFS, however: an attacker who records ciphertext and later obtains a device's long-term key can decrypt those earlier messages. Perfect forward secrecy will be re-implemented in Session Protocol V2, which is currently under development.
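What forward secrecy changes, as an added illustration that is not Session's protocol or code: a toy Diffie-Hellman exchange is run once with only long-term keys and once with per-session ephemeral keys, and then a later key compromise is simulated against the recorded ciphertext. The group parameters, the XOR stream cipher, and the message are constructed for the demonstration and are not secure choices.

```python
"""Forward secrecy: static versus ephemeral Diffie-Hellman.

Added example, not Session's protocol. Toy group and toy cipher: the point is
the key-management property, not a secure construction.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (M127); far too small for real use
G = 3            # toy generator, an assumption rather than a vetted group parameter
MESSAGE = b"constructed sample message"  # constructed for this example


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """KDF(g^(xy) mod p): SHA-256 over the shared group element."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_crypt(key, data):
    """Toy stream cipher: XOR with a SHAKE-256 keystream. Encrypt == decrypt."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, stream))


def static_key_scenario():
    """Long-term keys only (no PFS). Returns True if a later compromise of
    Bob's key lets an eavesdropper read the recorded ciphertext."""
    a_priv, a_pub = keygen()          # Alice's long-term identity key
    b_priv, b_pub = keygen()          # Bob's long-term identity key
    ct = xor_crypt(session_key(a_priv, b_pub), MESSAGE)
    recorded = (a_pub, b_pub, ct)     # what a network observer stored
    # Months later Bob's device is seized and b_priv leaks: the same session
    # key is recomputed from the public transcript and the leaked key.
    rec_a_pub, _, rec_ct = recorded
    return xor_crypt(session_key(b_priv, rec_a_pub), rec_ct) == MESSAGE


def ephemeral_key_scenario():
    """Per-session ephemeral keys (PFS). Returns True if compromise of BOTH
    long-term keys lets an eavesdropper read the recorded ciphertext."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    ea_priv, ea_pub = keygen()        # fresh for this session only
    eb_priv, eb_pub = keygen()
    key = session_key(ea_priv, eb_pub)
    assert key == session_key(eb_priv, ea_pub)   # both sides derive the same key
    ct = xor_crypt(key, MESSAGE)
    del ea_priv, eb_priv              # ephemeral private keys are erased after use
    recorded = (a_pub, b_pub, ea_pub, eb_pub, ct)
    # Later compromise of both long-term keys: everything the attacker can
    # combine with the transcript still lacks an erased ephemeral secret, so
    # none of these candidate keys is g^(ea*eb).
    _, _, rec_ea_pub, rec_eb_pub, rec_ct = recorded
    candidates = [
        session_key(a_priv, rec_eb_pub),   # g^(a*eb)
        session_key(b_priv, rec_ea_pub),   # g^(b*ea)
        session_key(a_priv, b_pub),        # g^(a*b)
    ]
    return any(xor_crypt(k, rec_ct) == MESSAGE for k in candidates)


if __name__ == "__main__":
    print("static keys, Bob's key later leaked -> readable:", static_key_scenario())
    print("ephemeral keys, both long-term keys leaked -> readable:",
          ephemeral_key_scenario())
```

In a real protocol the long-term keys still matter for authenticating the ephemeral public values; what PFS removes is their ability to decrypt past traffic once the per-session secrets have been erased.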

Privacy

One of the unique features of Session is its anonymous account creation process. You don't need a mobile number or email to make an account with Session. Your display name can be your real name, alias, or anything else you like.

Session does not collect any geolocation data, metadata, or any other data about the device or network you're using. At launch, Session used proxy routing to ensure nobody can see who you're messaging or the contents of those messages. Shortly after launch, we moved to an onion routing system, which is called onion requests, for additional privacy protection. For more on Session's secure message routing, check out our blog posts on onion requests and proxy routing.

In messaging apps, metadata refers to the information created when you send a message: everything about the message besides its actual contents. This can include your IP address, the IP addresses of your contacts, who your messages are sent to, and the time and date that messages are sent. Session does not collect or store any metadata, and onion requests are designed so that no single node in the network sees both who you are and who you are messaging.