Session is an end to end encrypted messenger that focuses on anonymity and the prevention of metadata collection. I’ve been trying it out over the past week in my quest to eventually collect every private messenger out there and I have some thoughts on it.
First impressions of the app were great. It’s easy to use but not overly simplified. It feels about on par with Signal, which makes sense because Session was forked from Signal once upon a time (though you’d have a hard time telling that today).
Setup was super easy and straightforward. Right off the bat Session gives you a long random hex string which acts as your ID – no personal data required. When you give this ID to someone, they can send you a message which will come to you as a message request that you can accept or decline. Once a message request is accepted, both users will become contacts and exchange display names and profile pictures.
Session also gives you a recovery phrase of 15 or so random words which is how you can login on a new device. Logging in on my laptop after getting set up on my phone was easy and straightforward. Being signed in on multiple devices works, but there are quirks like receiving notifications on other devices when you’re active on a different one. Each session from what I can tell is completely unaware of other sessions and I’ll have more to say on that later.
How it Works
Session has a super detailed FAQ which you should definitely browse through if you’re interested in all of the particulars.
The gist is that your traffic is routed through a series of nodes on its way to its destination (like the Tor network). Each node also temporarily stores the messages for a predetermined range of Session IDs for retrieval by the recipients. Several nodes store messages for each range of Session IDs for redundancy. Session seems to be really proud of this setup since it’s what lets them advertise their resistance to metadata collection.
That’s how it works, but how well does it work?
Sending and receiving messages has been reliable, at least for me. But there’s other rough edges. One person in one of my groups is completely unable to send or receive media on their phone, but can on their desktop client. Speaking of the desktop client, it just recently got an update that makes it impossible to launch both for me and one of my contacts. All the security and privacy in the world doesn’t mean much if your messenger fails you when you need it.
I’m by no means a security expert, but something about the way Session is setup slightly worries me. Remember when I said that each of your sessions appears to be unaware of the others? Pretty much every other messenger I’ve tried has a way of viewing your active sessions and terminating ones that are inactive or that you no longer trust. If I’m understanding everything correctly, if someone were to get a hold of your recovery phrase or a device of yours that you didn’t secure with a PIN then your account may as well be permanently compromised. There’s no changing your recovery phrase or remotely logging out a session. You’d have to create a fresh ID and somehow let your contacts know that your old ID has been compromised.
One thing I do understand about security is that it’s all about threat models. For some, the extra anonymity and metadata protection offered by Session will be worth potential downsides like the one above. I suspect that for most, however, perceived account security and recoverability matters far more than anonymity.
Take a look at Matrix for example. Again I don’t know much about Matrix’s or Session’s account security on a technical level, but to me the perceived account security on Matrix feels stronger. If someone somehow breaks into my account, I’ll be alerted and will still have to manually verify the new session before they can do anything with any of my encrypted conversations. If I lose a device or it gets stolen, I can easily unverify that device’s session. To me, that reassurance is more valuable than total anonymity and possibly even protection from metadata harvesting.
It might’ve sounded like I was pretty hard on Session towards the end there, but overall I still think it’s a pretty capable messenger for the right people. It’s just not for everybody and there’s lots of good competition in the private messenger space right now. I think most people would be better served by something like Signal, Matrix, or XMPP despite the various shortcomings of each of those platforms because Session just doesn’t cater to the average threat model.