Has Session Messenger undergone independent security audits or third-party reviews?
Executive summary
Session has undergone at least one formal third‑party code audit: Quarkslab audited Session’s Android, iOS and Desktop clients (results announced April 29, 2021, and since discussed repeatedly by both Session and Quarkslab), and Session’s own materials and multiple third‑party writeups cite that audit [1] [2] [3]. Sources also show ongoing scrutiny, feature work (PFS, device management) and public responses to criticism, but the available sources name no independent audit other than Quarkslab’s; community reporting refers to continuing scrutiny rather than to another formal audit [4] [5].
1. The formal audit everyone cites — Quarkslab’s 2021 review
Session publicly states that it completed a full code audit of its Desktop, Android and iOS clients by Quarkslab; its announcement and FAQ point users to the Quarkslab report and describe the audit as having “verified” the codebase [1] [3]. Quarkslab’s own blog explains that Oxen commissioned the audit in March 2020, that the assessment covered the three platforms over roughly 42 days of work, and that important findings were patched while the audit was still under way [2].
2. What the Quarkslab audit actually covers and how Session frames it
Session and Quarkslab present the audit as a combined code and design review: the report analysed the implementation, the architecture and how each feature ties to security, giving “peace of mind” about the codebase as it stood at that time [1] [2]. Session’s FAQ and security pages cite the audit as evidence that the clients have been externally reviewed, and note that, because Session is open source, others can audit it again [3] [6].
3. Independent reporting and community reaction: praise and continuing critique
Third‑party reviews and guides — from PCMag, Privacy Guides, Protectstar, and independent blogs — repeatedly note the Quarkslab audit as a key, independent check on Session’s claims and have generally concluded Session offers strong privacy properties compared with mainstream messengers [7] [5] [8]. At the same time, cryptography bloggers and others continued to raise substantive technical criticisms (e.g., about Perfect Forward Secrecy and key‑generation entropy), prompting Session to publish responses and to undertake protocol work [5] [9] [10].
4. Follow‑up work, fixes, and protocol upgrades
Sources show Session did not rest on the 2021 audit alone: it publicly responded to findings (for example, acknowledging that Quarkslab identified Ed25519 key‑entropy issues), and later engineering work has targeted missing features such as PFS and device management; privacy‑community reporting in late 2025 described the re‑introduction of PFS and post‑quantum experimentation as part of Session Protocol V2 development [9] [4] [10]. CyberInsider and others point to Session’s roadmap and transparency reporting as ongoing accountability mechanisms [11] [12].
5. What’s missing from the public record in these sources
Available sources do not mention a second, named external audit that fully replaces or supersedes the 2021 Quarkslab assessment; community and press coverage refer to continuous review, community scrutiny, and protocol redesigns but do not provide evidence of a separate, completed formal third‑party audit after Quarkslab [1] [3] [2]. If you need evidence of more recent formal audits, the current reporting does not list them explicitly [4] [11].
6. How to interpret “independent” and what to look for next
Quarkslab’s work is a legitimate, named third‑party audit and is repeatedly cited as such by Session and by external reviewers [2] [1]. But independence is not a binary label: the audit was commissioned by Oxen, the organisation behind Session, and then reported publicly; and, like any audit, it examined the code as it existed when the review was done, so the protocol changes described in sections 3 and 4 postdate it and are not covered by the 2021 report. Community reviewers and security researchers continued to raise issues after the audit, prompting fixes and protocol redesign, which is the expected cycle for secure software [2] [5] [9]. For higher assurance, look for: (a) a publicly released, post‑2021 audit report by an independent firm; (b) reproducible results from external researchers; and (c) documentation showing Quarkslab’s remediation verification or follow‑up testing. None of these is clearly documented in the sources provided [1] [2] [4].
7. Bottom line for prospective users and auditors
Session has been independently reviewed — Quarkslab audited Session’s major clients in 2021 and that audit is the central third‑party verification cited across Session’s documentation and independent reviews [1] [2] [3]. The project remains open source and subject to community scrutiny, and the team has publicly engaged with criticism and implemented protocol updates like PFS and planned Session Protocol V2 work [9] [4] [10]. If you need a messenger with multiple, recent formal audits from different firms or a publicly released post‑2021 audit, that is not shown in the available reporting and would require direct confirmation from Session or newer audit disclosures [1] [3].
Sources referenced: Session announcements and FAQ [1] [3] [6], Quarkslab blog/report summary [2], community/press coverage and technical commentary [5] [4] [10] [9] [11], PCMag and other reviews [7] [8].