Messaging that doesn’t track you.

owned is a mobile-only, end-to-end encrypted messenger for sensitive personal communication between people who already know each other in real life.

Get notified about TestFlight Read the security model →
  • iOS Internal TestFlight
  • Public TestFlight opens soon
  • Android after iOS public release
Post-quantum hybrid
Recorded messages stay unreadable even against a future quantum computer.
Forward-secret
A stolen key tomorrow doesn’t unlock anything you sent today.
Metadata-blind
The server can’t see who’s talking to whom — only padded ciphertext.
Tor-only
Every request travels through a hidden service. Your IP stays off the relay.
No accounts
No phone number, no email, no username. You pair in person, that’s the directory.

Who it’s for

People you already know in real life.

Mainstream messengers harvest contact graphs, link your phone number to your real-world identity, and run analytics on who you talk to and when. owned doesn’t. No public discovery, no usernames to search, no friend suggestions, no “people you may know” — and no phone number, email, or account at all. You add a contact by scanning their QR code in person, or by holding the two phones together. From that moment the encryption is end-to-end between the two of you — never the operator, never the relay, never us. If you wouldn’t share a house key with the person face-to-face, owned won’t pretend you met online.

01

What it is

Two phones, an opaque relay between them, no plaintext anywhere off-device. You add a contact by scanning their QR in person — that’s the only step where you decide who to trust.

The relay only sees a per-install routing token and a padded envelope of a fixed size bucket. It does not know who you are, who you talk to, or what you say.

Text, photos and voice notes all flow through the same sealed envelope. Saved photos and your own albums stay inside the app under the same key — there is no “export to Photos” button by design.

02

Security properties

How a message travels
Your phone

Plaintext lives here. Keys live here.

Relay

Padded ciphertext + a routing token. No sender, no recipient handle, no content.

Their phone

Plaintext appears here. Keys live here.

The two endpoints know everything. The relay knows nothing it didn’t need to route the bytes.

End-to-end encrypted

Only the two endpoints can read content. No server, ISP, or relay operator can.

Forward secrecy

Compromise of long-term keys does not compromise past messages.

Post-compromise security

A future compromise heals — messages sent after recovery are protected again.

Post-quantum hybrid

Handshake and ratchet combine classical X25519 with ML-KEM. Recorded ciphertext can’t be decrypted by a future quantum computer.

Sealed sender

The relay sees only a per-install token and a size-bucket — not the sender, recipient handle, or content.

Metadata minimisation

No directory linking handles to anything. No long-term registry of identities, recipient tokens, or device tokens.

Hardware-backed keys

Identity secrets are wrapped under the Secure Enclave and require Face ID / Touch ID to unwrap.

Per-bucket padding

Every wire envelope is padded to one of a small fixed set of size buckets — a network observer learns nothing from length.

Mnemonic root of trust

A 24-word recovery phrase you transcribe is the only path back to your identity. No escrow, no operator-mediated recovery.

Single active device

One identity, one device. Device migration is a sequential, end-to-end-encrypted handoff between your phones.

Biometric on every open

Face ID / Touch ID is required every time you open the app. A five-second grace from backgrounding allows silent re-entry; cold start always prompts.

Tor by default

The iOS app speaks to the relay over a hidden service via embedded Tor. Your IP never reaches the operator.

Activity status

Contacts see an “inactive” tag when you’ve been away for a week. The relay records the day you last fetched — no finer, no online/offline timeline.

The summary above is the visual précis. For the threat model, cryptographic primitives, the exact bytes the relay sees, and the honest list of known gaps, read the full security model →

03

Roadmap

Headlines only — later milestones layer features on top without weakening V1’s security model.

Availability. iOS is the only platform under active development — currently in internal TestFlight, with external TestFlight opening once V6 (proximity pairing) lands. Android is planned for the future, after iOS is fully shipped and the security model has held up in real-world use. No Android timeline is committed.

    1. V1

      Base 1:1 text messaging

      shipped

      Two phones, one trusted contact each. End-to-end encrypted text under the full security model — PQ-hybrid handshake, sealed sender, ratchet, padding.

    2. V2

      Profile sharing

      shipped

      A display name and avatar shared with already-verified contacts. End-to-end encrypted to the recipient set; the relay never sees them in cleartext.

    3. V3

      Photos, voice notes, and in-app gallery

      shipped

      Photo and voice messages captured and encoded in-app. Built-in gallery with custom albums; nothing ever leaves the device unencrypted.

    4. V4

      Encrypted cloud backup

      shipped

      Opt-in. Sealed on-device under a mnemonic-derived key; the cloud provider sees only ciphertext. Pick any folder — iCloud Drive, Dropbox, Google Drive, OneDrive — and restore on a new phone by pointing owned at the same file.

    5. V5

      Delivery receipts and activity status

      shipped

      ✓ delivered to relay, ✓✓ delivered to device. Contacts silent on the relay for over a week show as “inactive” with a confirmation before media uploads. Relay records the day, not the time.

    6. V6

      Proximity pairing (Bluetooth)

      next

      Add a contact by holding the two phones together. Same trust gate as a QR scan: a mandatory mutual safety-code comparison after handshake.

    7. V7

      Support the project

      One-off in-app payment using unlinkable tokens — the relay can verify “this caller paid” without learning who they are. Establishes the payment infrastructure for V8 and V9.

    8. V8

      Group chats

      Up to 20 members. End-to-end encrypted under a group-suitable PQ ciphersuite; the relay can’t tell a group send from a 1:1.

    9. V9

      Video messages

      Video on the 1:1 channel (and groups, once V8 has shipped). Captured and encoded in-app, sealed-sender envelope shape.

04

Public relay stats

Aggregate request counts only — no recipient, sender, or per-request-kind data is exposed publicly.

Messages last 30 days
Bytes in last 30 days
Bytes out last 30 days
Per-day breakdown
daterequestsbytes inbytes out