Messaging that doesn’t track you.

owned is a mobile-only, end-to-end encrypted messenger for sensitive personal communication between people who already know each other in real life.

Join the TestFlight beta Read the security model →
  • iOS Public TestFlight — join now
  • Android internal testing
Post-quantum hybrid
Recorded messages stay unreadable even against a future quantum computer.
Forward-secret
A stolen key tomorrow doesn’t unlock anything you sent today.
Metadata-blind
The server can’t see who’s talking to whom — only padded ciphertext.
Tor-only
Every request travels through a hidden service. Your IP stays off the relay.
No accounts
No phone number, no email, no username. You pair in person, that’s the directory.

Who it’s for

People you already know in real life.

Mainstream messengers harvest contact graphs, link your phone number to your real-world identity, and run analytics on who you talk to and when. owned doesn’t. No public discovery, no usernames to search, no friend suggestions, no “people you may know” — and no phone number, email, or account at all. You add a contact by scanning their QR code in person, or by holding the two phones together. From that moment the encryption is end-to-end between the two of you — never the operator, never the relay, never us. If you wouldn’t share a house key with the person face-to-face, owned won’t pretend you met online.

01

What it is

Two phones, an opaque relay between them, no plaintext anywhere off-device. You add a contact by scanning their QR in person — that’s the only step where you decide who to trust.

The relay only sees a per-install routing token and a padded envelope of a fixed size bucket. It does not know who you are, who you talk to, or what you say.

Text, photos and voice notes all flow through the same sealed envelope. Saved photos and your own albums stay inside the app under the same key — there is no “export to Photos” button by design.

02

Security properties

How a message travels
Your phone

Plaintext lives here. Keys live here.

Relay

Padded ciphertext + a routing token. No sender, no recipient handle, no content.

Their phone

Plaintext appears here. Keys live here.

The two endpoints know everything. The relay knows nothing it didn’t need to route the bytes.

End-to-end encrypted

Only the two endpoints can read content. No server, ISP, or relay operator can.

Forward secrecy

Compromise of long-term keys does not compromise past messages.

Post-compromise security

A future compromise heals — messages sent after recovery are protected again.

Post-quantum hybrid

Handshake and ratchet combine classical X25519 with ML-KEM. Recorded ciphertext can’t be decrypted by a future quantum computer.

Sealed sender

The relay sees only a per-install token and a size-bucket — not the sender, recipient handle, or content.

Metadata minimisation

No directory linking handles to anything. No long-term registry of identities, recipient tokens, or device tokens.

Hardware-backed keys

Identity secrets are wrapped under the Secure Enclave and require Face ID / Touch ID to unwrap.

Per-bucket padding

Every wire envelope is padded to one of a small fixed set of size buckets — a network observer learns nothing from length.

Mnemonic root of trust

A 24-word recovery phrase you transcribe is the only path back to your identity. No escrow, no operator-mediated recovery.

Single active device

One identity, one device. Device migration is a sequential, end-to-end-encrypted handoff between your phones.

Biometric on every open

Face ID / Touch ID is required every time you open the app. A five-second grace from backgrounding allows silent re-entry; cold start always prompts.

Tor by default

The iOS app speaks to the relay over a hidden service via embedded Tor. Your IP never reaches the operator.

Activity status

Contacts see an “inactive” tag when you’ve been away for a week. The relay records the day you last fetched — no finer, no online/offline timeline.

The summary above is the visual précis. For the threat model, cryptographic primitives, the exact bytes the relay sees, and the honest list of known gaps, read the full security model →

03

Roadmap

Headlines only — later milestones layer features on top without weakening V1’s security model.

Availability. iOS is in public TestFlight with V1–V6 shipped. Android has V1, V2, V3 and V5 shipped — including in-app photos, voice notes, and gallery — and is in internal testing alongside iOS. V4 (cloud backup) and V6 (proximity pairing) are iOS-only for now and arrive on Android with the cross-platform milestones (V7+). No public Android timeline is committed.

    1. V1

      Base 1:1 text messaging

      iOS Android

      Two phones, one trusted contact each. End-to-end encrypted text under the full security model — PQ-hybrid handshake, sealed sender, ratchet, padding.

    2. V2

      Profile sharing

      iOS Android

      A display name and avatar shared with already-verified contacts. End-to-end encrypted to the recipient set; the relay never sees them in cleartext.

    3. V3

      Photos, voice notes, and in-app gallery

      iOS Android

      Photo and voice messages captured and encoded in-app. Built-in gallery with custom albums; nothing ever leaves the device unencrypted.

    4. V4

      Encrypted cloud backup

      iOS

      Opt-in. Sealed on-device under a mnemonic-derived key; the cloud provider sees only ciphertext. Pick any folder — iCloud Drive, Dropbox, Google Drive, OneDrive — and restore on a new phone by pointing owned at the same file.

    5. V5

      Delivery receipts and activity status

      iOS Android

      ✓ delivered to relay, ✓✓ delivered to device. Contacts silent on the relay for over a week show as “inactive” with a confirmation before media uploads. Relay records the day, not the time.

    6. V6

      Proximity pairing (Bluetooth)

      iOS

      Add a contact by holding the two phones together. Same trust gate as a QR scan: a mandatory mutual safety-code comparison after handshake.

    7. V7

      Cross-platform proximity pairing

      Brings the V6 proximity-pairing flow to Android and re-implements the iOS side over BLE GATT so an iPhone and an Android phone can pair by holding them together. Same mandatory mutual safety-code comparison as V6.

    8. V8

      Message reply (quote)

      Long-press a message to mark it as the target of a reply. The next outgoing message carries a structured reference (by stable message id, not a content snapshot) so the recipient renders the quoted original inline above the new bubble. Deleting the original on either side cleanly breaks the back-link.

    9. V9

      In-app camera (private gallery)

      A dedicated in-app camera path that writes photos straight into V3’s encrypted local gallery, bypassing the system Photos library. Keepsakes that never leave the encrypted store, even when they aren’t being sent to anyone.

    10. V10

      Stories

      Short-lived photo and short-video posts shared only with the user’s verified contacts. End-to-end encrypted under the same sealed-sender envelope shape and per-recipient encryption as V2 profile-shares. 24-hour expiry on every recipient device and any transient relay state.

    11. V11

      Support the project

      One-off in-app payment using unlinkable tokens — the relay can verify “this caller paid” without learning who they are. Establishes the payment infrastructure that V12, V13 and V14 reuse.

      Paid milestone

    12. V12

      Multi-chat

      Open more than one chat with the same contact, each with its own user-chosen topic label. Each topic chat is an independent end-to-end-encrypted session — its own PQXDH bootstrap, its own ratchet state. Paid on the initiator side only; recipients reply to whatever was opened without paying themselves.

      Paid milestone

    13. V13

      Group chats

      Up to 20 members. End-to-end encrypted under a group-suitable PQ ciphersuite; the relay can’t tell a group send from a 1:1.

      Paid milestone

    14. V14

      Video messages

      Video on the 1:1 channel (and groups, once V13 has shipped). Captured and encoded in-app, sealed-sender envelope shape.

      Paid milestone

04

Public relay stats

Aggregate user-content message counts (text + photo + voice) plus total bytes in/out. No recipient, sender, or per-kind breakdown is exposed publicly.

Messages last 30 days
Bytes in last 30 days
Bytes out last 30 days
Per-day breakdown
datemessagesbytes inbytes out