Messaging the operator can’t read.

owned is a mobile-only, end-to-end encrypted messenger for sensitive personal communication between people who already know each other in real life.

  • Post-quantum hybrid
  • Forward-secret
  • Metadata-blind
  • Tor-only
  • No accounts
01

What it is

Two phones, an opaque relay between them, no plaintext anywhere off-device. You add a contact by scanning their QR in person — that’s the only step where you decide who to trust.

The relay only sees a per-install routing token and a padded envelope of a fixed size bucket. It does not know who you are, who you talk to, or what you say.

Text, photos and voice notes all flow through the same sealed envelope. Saved photos and your own albums stay inside the app under the same key — there is no “export to Photos” button by design.

02

Security properties

End-to-end encrypted

Only the two endpoints can read content. No server, ISP, or relay operator can.

Forward secrecy

Compromise of long-term keys does not compromise past messages.

Post-compromise security

A future compromise heals — messages sent after recovery are protected again.

Post-quantum hybrid

Handshake and ratchet combine classical X25519 with ML-KEM. Recorded ciphertext can’t be decrypted by a future quantum computer.

Sealed sender

The relay sees only a per-install token and a size-bucket — not the sender, recipient handle, or content.

Metadata minimisation

No directory linking handles to anything. No long-term registry of identities, recipient tokens, or device tokens.

Hardware-backed keys

Identity secrets are wrapped under the Secure Enclave and require Face ID / Touch ID to unwrap.

Per-bucket padding

Every wire envelope is padded to one of a small fixed set of size buckets — a network observer learns nothing from length.

Mnemonic root of trust

A 24-word recovery phrase you transcribe is the only path back to your identity. No escrow, no operator-mediated recovery.

Single active device

One identity, one device. Device migration is a sequential, end-to-end-encrypted handoff between your phones.

Biometric on every open

Face ID / Touch ID is required every time you open the app. A five-second grace from backgrounding allows silent re-entry; cold start always prompts.

Tor by default

The iOS app speaks to the relay over a hidden service via embedded Tor. Your IP never reaches the operator.

03

Roadmap

Headlines only — later milestones layer features on top without weakening V1’s security model.

  1. V1 shipped

    1:1 text messaging. Base function.

  2. V2 shipped

    Share profile (display name + picture) with verified contacts.

  3. V3 shipped

    Photo and voice messages on the existing 1:1 channel.

  4. V3.5 shipped

    In-app gallery with albums for sent and received photos.

  5. V3.7 next

    Support-the-project in-app payment.

  6. V4

    Group chats up to 20 members.

  7. V5

    Video messages.

  8. V6

    Opt-in encrypted cloud backup. Sealed on-device under a mnemonic-derived key; the cloud provider is a zero-knowledge blob host.

04

Public relay stats

Aggregate request counts only — no recipient, sender, or per-request-kind data is exposed publicly.

Messages last 30 days
Bytes in last 30 days
Bytes out last 30 days
Per-day breakdown
daterequestsbytes inbytes out