Session Messenger Review – Not Yet Ready for Prime Time
Signal is generally considered the most secure of the secure messaging services. End-to-end encrypted (a.k.a. E2E encrypted or E2EE) and capturing almost no metadata, Signal has been about as secure and private as it is possible to get.
Session messenger basics
Behind the scenes, Session is fundamentally different from most other secure messaging services. To make the rest of this Session review easier to understand, we need to go over some basics first. Conversations in Session are secured using client-side E2E encryption: only the sender and the recipient of a message can read it. But Session goes beyond message security. It also protects the identities of its users, making your communications private and anonymous as well as secure. Session can do this because it connects users through a Tor-like network of thousands of Service Nodes. Service Nodes are servers that relay messages across the network and provide additional services. The onion request system Session uses to route messages ensures that no single Service Node ever knows both a message’s origin (your IP address) and its destination (the swarm of Service Nodes that holds messages for the recipient, described below). Session takes a number of additional steps to protect your identity:
- No phone number is required for registration (unlike with Signal)
- No email is required for registration (unlike with Wire)
- No geolocation data, device data, or metadata is collected
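To make the onion-request idea concrete, here is an added illustration, not Session's or the Loki Foundation's code and not its wire format: a three-hop path in which the client wraps a message in one encryption layer per Service Node, and each node can strip only its own layer. The node names, the swarm identifier, the per-hop keys and the JSON layer layout are all constructed for the example; the SHA-256 counter-mode stream cipher plus HMAC stands in for a real AEAD, per-hop keys are assumed to be pre-shared (a real deployment would agree them with each node), and the payload is assumed to already be end-to-end encrypted to the recipient.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for a real stream cipher (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one onion layer: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong hop key or any tampering is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("onion layer rejected: bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path, destination, payload):
    """Wrap `payload` in one layer per hop, innermost (last hop) first.

    path: list of (node_name, key shared with that node), first hop first.
    Each layer reveals only the name of the next hop and the next sealed blob,
    so a node never sees anything addressed past its immediate neighbour."""
    blob = payload
    next_hop = destination
    for name, key in reversed(path):
        layer = {"next": next_hop, "inner": blob.hex()}   # constructed layer format
        blob = seal(key, json.dumps(layer).encode())
        next_hop = name
    return blob


def relay(path, destination, onion):
    """Simulate each hop peeling its layer and forwarding; record what it learns."""
    keys = dict(path)
    observed = {}
    prev, current, blob = "client", path[0][0], onion
    while current != destination:
        layer = json.loads(unseal(keys[current], blob))
        observed[current] = (prev, layer["next"])       # all this hop ever sees
        prev, current, blob = current, layer["next"], bytes.fromhex(layer["inner"])
    return observed, blob                               # blob is what the swarm receives


def some_hop_links_sender_to_swarm(observed, destination):
    """True if any single node saw both the client and the destination swarm."""
    return any(src == "client" and dst == destination for src, dst in observed.values())


def tampered_layer_rejected(key, blob):
    """Flip one bit of a sealed layer and confirm the hop refuses to forward it."""
    try:
        unseal(key, blob[:-1] + bytes([blob[-1] ^ 1]))
        return False
    except ValueError:
        return True


def run_demo(hops=3, destination="swarm-7f",
             payload=b"ciphertext already E2E-encrypted to the recipient"):
    """Constructed path: node1..nodeN with random pre-shared keys, one swarm."""
    path = [(f"node{i}", os.urandom(32)) for i in range(1, hops + 1)]
    onion = build_onion(path, destination, payload)
    return relay(path, destination, onion)


if __name__ == "__main__":
    observed, delivered = run_demo()
    for node, (src, dst) in observed.items():
        print(f"{node}: received from {src}, forwarded to {dst}")
    print("swarm received:", delivered)
```

With three hops, node1 sees the client but only node2 as the next stop, and node3 sees the swarm but only node2 as the previous stop; run the same code with `hops=1` and the single relay sees both ends, which is why one proxy server does not give the property the onion request system is meant to provide. The tamper check shows that a modified layer is dropped rather than forwarded.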
Session pros & cons
Pros:
- End-to-end (E2E) encryption secures text and voice messages as well as attachments
- Encryption algorithms: Signal protocol, with Perfect Forward Secrecy (PFS)
- Does not require a telephone number or email address to sign up
- Open source
- Log in simultaneously on multiple devices
- Does not log IP addresses or metadata
- Encrypted closed groups (maximum of 10 people) and open groups (no limit on size)
Cons:
- Does not support 2FA (two-factor authentication)
- Very new, with the onion request system still under development
- Can be buggy and unreliable
Session feature summary
Here are features you’ll want to consider when evaluating Session:
- It uses the excellent Signal encryption protocol, on top of a distributed, anonymous, worldwide server network
- 100% open source code. (The code is available on GitHub.)
- Clients for Android, iOS, macOS, Windows, Linux
- The system is still under heavy development
Session company information
Session is a project of the Loki Foundation, a registered charitable foundation based in Victoria, Australia. The foundation states that its purpose is to “…build open-source, metadata-free communications tools and apps that defend privacy in the digital world.”
Where is your Session data stored?
Messages sent to you are actually sent to your swarm, a group of Service Nodes responsible for holding messages addressed to your Session ID. The messages are temporarily stored on multiple Service Nodes within the swarm for redundancy. Once your device picks up the messages from the swarm, they are deleted from the Service Nodes that were temporarily holding them. Note that this is not a peer-to-peer architecture. Per the Session FAQ:
Session clients do not act as nodes on the network, and do not relay or store messages for the network. Session’s network architecture is closer to a client-server model, where the Session application acts as the client and the Service Node swarm acts as the server. Session’s client-server architecture allows for easier asynchronous messaging (messaging when one party is offline) and onion routing-based IP address obfuscation, relative to peer-to-peer network architectures.
Note: Session’s strong approach to not collecting metadata is a huge plus. I consider the metadata issue to be the Achilles heel of many secure email services. Even the most popular secure email services, such as ProtonMail, do not have a good solution to the metadata problem.
Third-party testing and audits of Session
Session is very new and is still rolling out its onion request system. As a result, the project has not yet had any third-party testing or auditing done. According to the Session FAQ, that could change in the near future:
Session is in the process of arranging a full third-party code audit. This audit will provide independent verification around Session’s security, privacy and anonymity. Session is fully open-source, so if you’re interested and have the technical know-how, we encourage you to take a look at our codebase for your own peace of mind; however, we don’t recommend using Session in cases where proven and independently verified security is required.
Session hands-on testing
For this Session review, I installed the Android app, along with the Windows and Linux desktop clients.
Session Android app
I downloaded the Session Android app from the Google Play store. At that time the app had 406 reviews and was rated 4.0 out of 5 stars (on the Apple App Store, Session Messenger had 59 reviews and a 4.4 out of 5 star rating).
Launching Session highlighted one of the key differences between it and Signal: there is no need to enter a phone number or email address. Instead, Session lets you create an account by generating a Session ID, or sign in to an existing account by entering an existing Session ID. A Session ID is a unique address people can use to contact you on Session. As Session explains, the reason a Session ID is better than a phone number or email address is that “Your Session ID is totally private, anonymous, and has no connection to your real identity.” Signal and other messaging apps that identify you by phone number cannot give you this anonymity.
Once you create a Session ID, Session asks you to pick a display name and to tell it how to handle push notifications. When that is done, Session shows you your Recovery Phrase and gives you the opportunity to store it somewhere safe. A Recovery Phrase is a string of words that you can enter to recover your account if you lose the Session ID or move to a new device. Because the phrase alone is enough to restore the account, anyone who obtains it can take over your Session ID; treat it like a private key and keep it offline. To restore your Session ID, launch Session and tap Continue your Session. Session will let you enter your Recovery Phrase and get back to where you were when you last used that Session ID. With all that out of the way, you are finally ready to start working with Session.
Working with Session
At first, Session will seem pretty dead. That is because you still need to connect with people. While a service like Signal can scan your phone’s contact list for phone numbers registered as Signal users, Session needs you to tell it whom to connect to. You do that by creating a New Session: a chat session that you initiate by entering the Session ID of the person you want to chat with.
How do you learn the Session ID of the person you want to chat with? Either they give it to you, or you scan a QR code that contains it. Unless you happen to be in the same place, so that one of you can display the QR code directly, one of you will need to share your Session ID with the other over some other channel to get things started. Once you enter someone’s Session ID, you can send them a message. Once they accept it, you can freely exchange messages like in any other chat app. Tapping the icon for a contact opens your ongoing chat session with that contact.
Beyond basic chatting, Session has a number of additional useful features. Here are some of them:
- Encrypted groups – Create small closed groups (10 people or less) or huge open groups (no size limit).
- Voice messages – Create and share encrypted voice messages.
- Attachments – Message attachments are encrypted too.
- Safety Numbers – Verify that you are communicating with the device you expect to be talking to by comparing safety numbers.
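As an added illustration of what a safety-number comparison checks (constructed for this review; it is not Session's or Signal's actual fingerprint algorithm), both parties hash the pair of identity keys in a canonical order, so each side derives the same digit string from its own key and the key it holds for the contact. If an intermediary has substituted its own key on one side, the strings read out over a second channel no longer match. The identity keys are constructed byte strings, and the domain label, iteration count and 12-group layout are arbitrary choices.

```python
import hashlib


def safety_number(my_identity_key: bytes, their_identity_key: bytes,
                  iterations: int = 5200, groups: int = 12) -> str:
    """Derive a human-comparable fingerprint for a pair of identity keys.

    The keys are sorted before hashing, so both parties get the same string
    whichever side computes it. Simplified construction for illustration,
    not Signal's or Session's real algorithm.
    """
    first, second = sorted((my_identity_key, their_identity_key))
    digest = b"safety-number-demo" + first + second   # constructed domain label
    for _ in range(iterations):                       # stretching makes lookalike keys costly
        digest = hashlib.sha256(digest).digest()
    material = b""
    while len(material) < groups * 5:                 # 5 bytes -> one 5-digit group
        digest = hashlib.sha256(digest).digest()
        material += digest
    parts = []
    for i in range(groups):
        chunk = material[i * 5:(i + 1) * 5]
        parts.append(f"{int.from_bytes(chunk, 'big') % 100000:05d}")
    return " ".join(parts)


def contact_verified(my_key: bytes, key_app_holds_for_contact: bytes,
                     number_contact_reads_out: str) -> bool:
    """Compare the number this app computes with the one the contact reads out
    over a second channel (in person, on a call). A mismatch means the key this
    app holds for the contact is not the key the contact actually uses."""
    return safety_number(my_key, key_app_holds_for_contact) == number_contact_reads_out


if __name__ == "__main__":
    alice = bytes(range(32))            # constructed identity keys
    bob = bytes(range(32, 64))
    mallory = bytes(range(64, 96))
    print("Alice sees:", safety_number(alice, bob))
    print("Bob sees:  ", safety_number(bob, alice))
    # Mallory has replaced Bob's key on Alice's side and Alice's key on Bob's side.
    print("verified after substitution:",
          contact_verified(alice, mallory, safety_number(bob, mallory)))
```

The comparison only helps if the number is exchanged over a channel the intermediary does not control; reading it back through the same chat would let an attacker in the middle substitute both the keys and the digits.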
Session Desktop clients
I installed the Session Desktop client on both Windows and Linux machines.
Session Windows Desktop
Downloading and installing the Session Windows Desktop client used the standard “install a Windows app” process.
Session Linux Desktop
The Session Linux Desktop comes as an AppImage. If you don’t know how to work with this portable Linux package format, a short video tutorial is linked here.
Running and configuring Session Desktop
Once you have the desktop client downloaded and installed, you need to fire it up. You will want to connect your desktop client to your mobile device. You can do this by selecting Sign In instead of Create Account, then selecting Link Device to Existing Session ID and following the instructions. The Session desktop apps I tested for this review were easy to set up and easy to use.
Support
Session’s support area reminds me a lot of Keybase. There is an FAQ page and a blog, rather than the regular Support page you would find for a paid product. The FAQ is pretty useful, although a little sparse (not surprising for a product still under heavy development). If you have questions the FAQ can’t answer, the company offers email support and social media contacts. They also have links where you can report bugs and look for solutions, but those all take you to GitHub pages where you look at the code and check the existing issues. This is okay for hardcore techies, but is likely to freak out some regular users.
How secure and private is Session?
Once Session is complete and fully developed, it should be very secure, extremely private, anonymous, and generally excellent. However, the product isn’t there yet. The onion request system is not yet fully functional, so Session currently uses proxy servers as a workaround. Until onion requests are fully implemented and the promised third-party audit results are published, we won’t really know how secure and private Session will turn out to be.
Concerns about Australia and data security
On the topics of privacy and the security of your data, we must discuss where Session is based. As noted above, Session is based in Australia. Unfortunately, Australia is not a good privacy jurisdiction, for a few reasons. As we recently discussed in our guide on the best VPNs for Australia, the country passed a law in 2018 that undermines encryption and data security. Here is a quick overview of this law:
The Australian Parliament passed a contentious encryption bill on Thursday to require technology companies to provide law enforcement and security agencies with access to encrypted communications. Privacy advocates, technology companies and other businesses had strongly opposed the bill, but Prime Minister Scott Morrison’s government said it was needed to thwart criminals and terrorists who use encrypted messaging programs to communicate.
In privacy circles, the “Assistance and Access Bill” is sometimes called the “encryption-busting law” or the “anti-encryption law” because of what it allows. This law fundamentally affects businesses that provide encrypted communication services, including Session, VPN services, and other privacy-focused businesses. The Loki Foundation, which is behind Session, addressed this thorny issue in a blog post:
Obviously, we were terrified when we first saw this bill. The potential for the project to be entirely undermined by this legislation did not go unnoticed. We had begun to consider how we might set up failsafes to allow people to catch bad code being injected into our codebase, or to pay someone external to Loki to do regular inspections of our binaries that we release and ensure they are not leaking extra information or mismatching the codebase in some way. If we were to be issued a TCN [Technical Capability Notice], we would not be able to tell anyone about it. If we set up some sort of canary system, we could be imprisoned. So whatever failsafe we did set up would have to be external to Loki, and would have to be regularly auditing us to make sure we haven’t been compromised before a TCN was issued.
Ultimately, the Loki Foundation believes it can still operate a secure messenger service in this perilous legal environment. Its blog post on the topic goes deep into technical and legal details, which you can investigate if you have the time and inclination. So is your data safe and secure with Session messenger? I have my doubts after researching the Assistance and Access bill, but you can come to your own conclusions.
Other privacy concerns with Australia
It is also worth noting that the anti-encryption legislation is not the only privacy issue that plagues Australia. Consider this:
- Mandatory data retention – In 2017, Australia implemented a mandatory data retention framework. This forces all internet providers and telephone companies to store connection data for government agencies for a full two years.
- Five Eyes – We have also noted before that Australia is a member of the Five Eyes surveillance alliance. This alliance works together to collect and share mass surveillance data.