Messaging that doesn’t track you.

owned is a mobile-only, end-to-end encrypted messenger for sensitive personal communication between people who already know each other in real life.

Join the TestFlight beta Become an Android tester Read the security model →
Post-quantum hybrid
Recorded messages stay unreadable even against a future quantum computer.
Forward-secret
A stolen key tomorrow doesn’t unlock anything you sent today.
Metadata-blind
The server can’t see who’s talking to whom — only padded ciphertext.
Tor-only
Every request travels through a hidden service. Your IP stays off the relay.
No accounts
No phone number, no email, no username. You pair in person, that’s the directory.

Who it’s for

People you already know in real life.

Mainstream messengers harvest contact graphs, link your phone number to your real-world identity, and run analytics on who you talk to and when. owned doesn’t. No public discovery, no usernames to search, no friend suggestions, no “people you may know” — and no phone number, email, or account at all. You add a contact by scanning their QR code in person, or by holding the two phones together. From that moment the encryption is end-to-end between the two of you — never the operator, never the relay, never us. If you wouldn’t share a house key with the person face-to-face, owned won’t pretend you met online.

01

What it is

Two phones, an opaque relay between them, no plaintext anywhere off-device. You add a contact by scanning their QR in person — that’s the only step where you decide who to trust.

The relay only sees a per-install routing token and a padded envelope of a fixed size bucket. It does not know who you are, who you talk to, or what you say.

Text, photos and voice notes all flow through the same sealed envelope. Saved photos and your own albums stay inside the app under the same key — there is no “export to Photos” button by design.

02

Security properties

How a message travels
Your phone

Plaintext lives here. Keys live here.

Relay

Padded ciphertext + a routing token. No sender, no recipient handle, no content.

Their phone

Plaintext appears here. Keys live here.

The two endpoints know everything. The relay knows nothing it didn’t need to route the bytes.

End-to-end encrypted

Only the two endpoints can read content. No server, ISP, or relay operator can.

Forward secrecy

Compromise of long-term keys does not compromise past messages.

Post-compromise security

A future compromise heals — messages sent after recovery are protected again.

Post-quantum hybrid

Handshake and ratchet combine classical X25519 with ML-KEM. Recorded ciphertext can’t be decrypted by a future quantum computer.

Sealed sender

The relay sees only a per-install token and a size-bucket — not the sender, recipient handle, or content.

Metadata minimisation

No directory linking handles to anything. No long-term registry of identities, recipient tokens, or device tokens.

Hardware-backed keys

Identity secrets are wrapped under the Secure Enclave and require Face ID / Touch ID to unwrap.

Per-bucket padding

Every wire envelope is padded to one of a small fixed set of size buckets — a network observer learns nothing from length.

Mnemonic root of trust

A 24-word recovery phrase you transcribe is the only path back to your identity. No escrow, no operator-mediated recovery.

Single active device

One identity, one device. Device migration is a sequential, end-to-end-encrypted handoff between your phones.

Biometric on every open

Face ID / Touch ID is required every time you open the app. A five-second grace from backgrounding allows silent re-entry; cold start always prompts.

Tor by default

The iOS app speaks to the relay over a hidden service via embedded Tor. Your IP never reaches the operator.

Activity status

Contacts see an “inactive” tag when you’ve been away for a week. The relay records the day you last fetched — no finer, no online/offline timeline.

The summary above is the visual précis. For the threat model, cryptographic primitives, the exact bytes the relay sees, and the honest list of known gaps, read the full security model →

03

Roadmap

Headlines only — later milestones layer features on top without weakening V1’s security model.

Availability. iOS is in public TestFlight with V1–V10 shipped. Android has the same V1–V10 shipped and is in internal testing — including in-app photos, voice notes, gallery, encrypted cloud backup, and cross-platform BLE proximity pairing. Want to help shake out the Android build before a public test track opens? Email to be added to the internal track.

  1. V1

    Base 1:1 text messaging

    iOS Android

    Two phones, one trusted contact each. End-to-end encrypted text under the full security model — PQ-hybrid handshake, sealed sender, ratchet, padding.

  2. V2

    Profile sharing

    iOS Android

    A display name and avatar shared with already-verified contacts. End-to-end encrypted to the recipient set; the relay never sees them in cleartext.

  3. V3

    Photos, voice notes, and in-app gallery

    iOS Android

    Photo and voice messages captured and encoded in-app. Built-in gallery with custom albums; nothing ever leaves the device unencrypted.

  4. V4

    Encrypted cloud backup

    iOS Android

    Opt-in. Sealed on-device under a mnemonic-derived key; the cloud provider sees only ciphertext. Pick any folder — iCloud Drive, Dropbox, Google Drive, OneDrive — and restore on a new phone by pointing owned at the same file.

  5. V5

    Delivery receipts and activity status

    iOS Android

    ✓ delivered to relay, ✓✓ delivered to device. Contacts silent on the relay for over a week show as “inactive” with a confirmation before media uploads. Relay records the day, not the time.

  6. V6

    Proximity pairing (Bluetooth)

    iOS Android

    Add a contact by holding the two phones together. Same trust gate as a QR scan: a mandatory mutual safety-code comparison after handshake.

  7. V7

    Cross-platform proximity pairing

    iOS Android

    Same single BLE GATT service spoken on iPhone and Android — iPhone↔iPhone, Android↔Android, and iPhone↔Android all pair via the same wire shape. Same mandatory mutual safety-code comparison as V6.

  8. V8

    Message reply (quote)

    iOS Android

    Long-press a message to mark it as the target of a reply. The next outgoing message carries a structured reference (by stable message id, not a content snapshot) so the recipient renders the quoted original inline above the new bubble. Deleting the original on either side cleanly breaks the back-link.

  9. V9

    In-app camera (private gallery)

    iOS Android

    A dedicated in-app camera — photos and video — that writes straight into the encrypted local gallery, bypassing the system Photos library. Each item is sealed in its own file under a mnemonic-derived key, and gallery media can be sent into a chat without ever touching the system Photos library. Keepsakes that never leave the encrypted store, even when they aren’t being sent to anyone.

  10. V10

    Stories

    iOS Android

    Short-lived photo and short-video posts shared only with the user’s verified contacts. End-to-end encrypted under the same sealed-sender envelope shape and per-recipient encryption as V2 profile-shares. 24-hour expiry on every recipient device and any transient relay state.

  11. V12

    Emoji reactions

    iOS Android

    React to a message with a single emoji as a quick answer — a checkmark to confirm, a question mark to query — or insert emoji into typed text. The emoji set is bundled in the app and rendered on-device: picking or sending a reaction makes no network request and contacts no third party, so it carries no tracking.

  12. V13

    GIF support

    iOS Android

    Send animated GIFs and short clips. owned embeds no third-party search SDK and hosts no catalogue — you import a clip straight from a file on your device, or paste a link and owned fetches it for you over Tor so the source site never sees you. Clips are sent end-to-end encrypted and kept in an encrypted on-device library.

  13. V11

    Photo and voice replies

    Extends V8’s message reply so the reply itself can be a photo or a voice message, not only text. Reuses V3’s media payloads and V8’s by-stable-id reference — no new envelope shape.

  14. V14

    Multi-chat

    Open more than one chat with the same contact, each with its own user-chosen topic label. Each topic chat is an independent end-to-end-encrypted session — its own PQXDH bootstrap, its own ratchet state. Free for both sides.

  15. V15

    Support the project

    One-off in-app payment using unlinkable tokens — the relay can verify “this caller paid” without learning who they are. Establishes the payment infrastructure that V16 and V17 reuse.

    Paid milestone

  16. V16

    Group chats

    Up to 20 members. End-to-end encrypted under a group-suitable PQ ciphersuite; the relay can’t tell a group send from a 1:1.

    Paid milestone

  17. V17

    Video messages

    Video on the 1:1 channel (and groups, once V16 has shipped). Captured and encoded in-app, sealed-sender envelope shape.

    Paid milestone

04

Public relay stats

Aggregate user-content message counts (text + photo + voice) plus total bytes in/out. No recipient, sender, or per-kind breakdown is exposed publicly.

Messages last 30 days
Bytes in last 30 days
Bytes out last 30 days
Per-day breakdown
datemessagesbytes inbytes out