We’ve just released version 4.1 – you can download the mobile apps via the links here: GitHub - simplex-chat/simplex-chat: SimpleX - the first messaging platform operating without user identifiers of any kind - 100% private by design! iOS and Android apps are released 📱!
We’ve also just received the draft of the security audit report prepared by Trail of Bits – a US security consulting company that has many technology companies, several blockchain projects and government entities as its clients. The report is positive; there are some findings to fix/improve, but nothing critical. Most improvements will be released in 4.2 by the end of the month, when we plan to publish the report as well.
See technical details and limitations here: simplex-chat/README.md at stable · simplex-chat/simplex-chat · GitHub
The most common questions
How can SimpleX deliver messages without user identifiers?
To deliver messages, instead of the user IDs used by all other platforms, SimpleX uses pairwise identifiers for message queues, separate for each of your contacts. In the current version of the protocol each queue is used until the contact is deleted. Later this year we plan to add queue rotation to the client protocol, so that even individual conversations don’t have long-term identifiers visible to the network. This design prevents leaking any user metadata on the application level.
How is it different from Matrix, Session, Ricochet, Cwtch, etc., that also don’t require user identities?
Although these platforms do not require a real identity, they do rely on anonymous user identities to deliver messages – for example, an identity key or a random number. Using a persistent user identity, even an anonymous one, creates the risk that users’ connection graph becomes known to observers and/or service providers, and it can lead to de-anonymizing some users (e.g. by using ML to correlate the data from the observed anonymous network with existing public networks).
Even with the most private messengers built on top of the Tor network, having a persistent identity means that if you talk to two different users via the same profile, they can prove that they communicate with the same person, as they would use the same address to send messages.
With SimpleX there is no metadata in common* between your conversations with different contacts within the same user profile – a property that no other messaging platform has.
* On the application level; transport-level metadata can be protected by using Tor – SimpleX apps support Tor via Orbot or any other SOCKS (or VPN) proxy.