End-to-end encrypted
Only the two endpoints can read content. No server, ISP, or relay operator can.
owned is a mobile-only, end-to-end encrypted messenger for sensitive personal communication between people who already know each other in real life.
Who it’s for
owned has no public discovery, no usernames to share, no friend suggestions, no “people you may know.” You add a contact by scanning their QR code in person, or by holding the two phones together. From that moment on the encryption is end-to-end between the two of you — never the operator, never the relay, never us. If you wouldn’t share a house key with the person face-to-face, owned won’t pretend you met online.
Two phones, an opaque relay between them, no plaintext anywhere off-device. You add a contact by scanning their QR in person — that’s the only step where you decide who to trust.
The relay only sees a per-install routing token and a padded envelope of a fixed size bucket. It does not know who you are, who you talk to, or what you say.
Text, photos and voice notes all flow through the same sealed envelope. Saved photos and your own albums stay inside the app under the same key — there is no “export to Photos” button by design.
Compromise of long-term keys does not compromise past messages.
A future compromise heals — messages sent after recovery are protected again.
Handshake and ratchet combine classical X25519 with ML-KEM. Recorded ciphertext can’t be decrypted by a future quantum computer.
The relay sees only a per-install token and a size-bucket — not the sender, recipient handle, or content.
No directory linking handles to anything. No long-term registry of identities, recipient tokens, or device tokens.
Identity secrets are wrapped under the Secure Enclave and require Face ID / Touch ID to unwrap.
Every wire envelope is padded to one of a small fixed set of size buckets, so a network observer learns only the bucket, never the exact length.
A 24-word recovery phrase you transcribe is the only path back to your identity. No escrow, no operator-mediated recovery.
One identity, one device. Device migration is a sequential, end-to-end-encrypted handoff between your phones.
Face ID / Touch ID is required every time you open the app. A five-second grace from backgrounding allows silent re-entry; cold start always prompts.
The iOS app speaks to the relay over a hidden service via embedded Tor. Your IP never reaches the operator.
Contacts see an “inactive” tag when you’ve been away for a week. The relay records the day you last fetched — no finer, no online/offline timeline.
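The fixed size-bucket padding listed above, sketched as an added example (not owned's code): plaintext is padded to the smallest bucket that fits before it is sealed, so an observer only ever sees one of a few lengths. The bucket sizes, the 4-byte length prefix and the zero-fill are assumptions, since the page does not publish the real format; the encryption step is left out.

```python
import struct

# Assumed bucket sizes in bytes; the page does not state the real set.
BUCKETS = (512, 4096, 65536, 1048576)
LEN_PREFIX = struct.Struct(">I")  # assumed 4-byte big-endian true length

def pad_to_bucket(payload: bytes) -> bytes:
    """Pad plaintext to the smallest bucket that fits, before it is sealed."""
    needed = LEN_PREFIX.size + len(payload)
    for size in BUCKETS:
        if needed <= size:
            return LEN_PREFIX.pack(len(payload)) + payload + bytes(size - needed)
    raise ValueError("payload exceeds the largest bucket; chunk it first")

def unpad(envelope: bytes) -> bytes:
    """Recover the payload after decryption, rejecting malformed padding."""
    if len(envelope) not in BUCKETS:
        raise ValueError("length is not a valid bucket")
    (true_len,) = LEN_PREFIX.unpack_from(envelope)
    end = LEN_PREFIX.size + true_len
    if end > len(envelope):
        raise ValueError("declared length overruns the envelope")
    if any(envelope[end:]):
        raise ValueError("padding bytes are not all zero")
    return envelope[LEN_PREFIX.size:end]

def observed_sizes(payloads) -> list:
    """What a length-watching observer sees: one bucket size per message."""
    return [len(pad_to_bucket(p)) for p in payloads]

# Constructed sample traffic: a short text, a long text, a small photo.
SAMPLES = [b"ok", b"A" * 700, b"\xff" * 40_000]

if __name__ == "__main__":
    for payload, seen in zip(SAMPLES, observed_sizes(SAMPLES)):
        print(f"true length {len(payload):>6} -> on the wire {seen}")
```

An AEAD applied after padding adds a constant-size tag, so the ciphertext lengths still fall into the same small set.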
Headlines only — later milestones layer features on top without weakening V1’s security model.
Availability. iOS is the only platform under active development — currently in internal TestFlight, with external TestFlight opening once V6 (proximity pairing) lands. Android is planned for the future, after iOS is fully shipped and the security model has held up in real-world use. No Android timeline is committed.
1:1 text messaging. Base function.
Share profile (display name + picture) with verified contacts.
Photo and voice messages on the existing 1:1 channel, plus the in-app gallery with custom albums for sent and received photos.
Opt-in encrypted cloud backup. Sealed on-device under a mnemonic-derived key; the cloud provider sees only ciphertext. Pick any folder — iCloud Drive, Dropbox, Google Drive, OneDrive — and restore on a new phone by pointing owned at the same file in Files.
Delivery receipts (✓ / ✓✓) and activity status. The relay records only the day you last fetched; contacts inactive for over a week show as “inactive” with a confirmation before media uploads.
Proximity pairing over Bluetooth. Add a contact by holding the two phones together — same trust gate as the QR scan via a mandatory mutual safety-code comparison.
Support-the-project in-app payment. Establishes the unlinkable-token payment infrastructure used by the later paid milestones.
Group chats up to 20 members.
Video messages.
Aggregate request counts only — no recipient, sender, or per-request-kind data is exposed publicly.
| date | requests | bytes in | bytes out |
|---|---|---|---|