
Fact check: Does session messenger have vulnerabilities?

Checked on August 25, 2025

1. Summary of the results

Based on the analyses provided, Session Messenger has been subject to security scrutiny with mixed findings. It has undergone a professional security audit by Quarkslab, which found the app to be secure [1]. However, several specific vulnerabilities and security concerns have been identified and remain debated.

Key security concerns identified include:

  • Insufficient entropy in Ed25519 key generation [2]
  • In-band negotiation for message signatures [2]
  • Using public keys as AES-GCM keys, i.e. a value every correspondent already knows, which provides no confidentiality [2]
  • Removal of Perfect Forward Secrecy (PFS), and exposure to Key Compromise Impersonation (KCI) attacks [2] (these are distinct properties: without PFS, a later key compromise exposes past messages; under KCI, an attacker holding a user's own long-term key can impersonate other people to that user)
  • Use of SHA1PRNG for generating secure random numbers on Android, a deprecated algorithm that is considered insecure [2]

The Session development team has actively responded to these claims, stating that they are "incorrect or misleading" and providing technical explanations disputing each allegation [2]. The app retains several strong security features, including end-to-end encryption, onion routing, decentralized architecture, and metadata resistance [3] [1] [4].
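To make the PFS and KCI points from the list above concrete, the following is an added illustration written for this page; it is not Session's protocol or code, and the Diffie-Hellman group, key derivation and HMAC "authentication" are assumed toy constructions chosen only to show the two properties. It contrasts a static-static key agreement (no ephemeral keys) with one that adds a fresh ephemeral pair per session.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: illustrative only, far too small and
# without subgroup checks; never use for real traffic).
P = 2**127 - 1
G = 2


def keygen() -> tuple[int, int]:
    """Return a (private, public) pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(shared: int) -> bytes:
    """Derive a 32-byte session key from a DH shared secret (< 2**127)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def static_key(my_priv: int, peer_pub: int) -> bytes:
    """Static-static DH: the session key depends only on long-term keys."""
    return kdf(pow(peer_pub, my_priv, P))


def tag(key: bytes, msg: bytes) -> bytes:
    """Toy message authentication: HMAC under the shared session key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def no_pfs_demo() -> bool:
    """No PFS: a later theft of Alice's long-term key, plus Bob's public key
    from the recorded transcript, recomputes the old session key."""
    a_priv, _ = keygen()
    _, b_pub = keygen()
    session_key = static_key(a_priv, b_pub)
    # ... the session ends; later the attacker obtains a_priv.
    recovered = static_key(a_priv, b_pub)
    return hmac.compare_digest(session_key, recovered)


def kci_demo() -> bool:
    """KCI: an attacker holding *Alice's* private key can impersonate Bob to
    Alice, because the key Alice uses to authenticate Bob needs only a_priv
    and b_pub; Bob's private key is never required."""
    a_priv, _ = keygen()
    _, b_pub = keygen()
    forged = b"constructed message: please re-send the payment to this address"
    attacker_key = static_key(a_priv, b_pub)  # no b_priv needed
    forged_tag = tag(attacker_key, forged)
    # Alice checks the tag with the key she believes only she and Bob share:
    alice_key = static_key(a_priv, b_pub)
    return hmac.compare_digest(tag(alice_key, forged), forged_tag)


def pfs_demo() -> bool:
    """With an ephemeral pair per session, the session key depends on secrets
    that are erased afterwards, so long-term compromise plus the transcript
    does not reproduce it."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    ea_priv, ea_pub = keygen()
    eb_priv, eb_pub = keygen()
    session_key = kdf(pow(eb_pub, ea_priv, P))  # g^(ea*eb)
    del ea_priv, eb_priv  # erased when the session closes
    # Attacker later holds a_priv, b_priv and the public transcript
    # (a_pub, b_pub, ea_pub, eb_pub); every combination available to them
    # lacks an ephemeral private exponent and yields a different key.
    candidates = [
        pow(b_pub, a_priv, P),   # g^(a*b)
        pow(ea_pub, a_priv, P),  # g^(a*ea)
        pow(eb_pub, a_priv, P),  # g^(a*eb)
        pow(ea_pub, b_priv, P),  # g^(b*ea)
        pow(eb_pub, b_priv, P),  # g^(b*eb)
    ]
    return all(not hmac.compare_digest(session_key, kdf(c)) for c in candidates)


if __name__ == "__main__":
    print("past key recoverable without PFS:", no_pfs_demo())
    print("forged 'Bob' message accepted (KCI):", kci_demo())
    print("ephemeral session key survives long-term compromise:", pfs_demo())
```

The first two functions are the failure modes the claim describes; the third shows why an ephemeral exchange closes the PFS gap. Note that ephemerals alone do not fix KCI: that requires the authentication step to also involve the peer's long-term private key (for example a combined static and ephemeral exchange), which this toy deliberately does not model.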

2. Missing context/alternative viewpoints

The original question lacks important context about the ongoing debate between security researchers and the Session development team. While vulnerabilities have been claimed, Session's team has provided technical rebuttals to these claims [2].

Alternative perspectives include:

  • Privacy advocates and the Session team benefit from maintaining confidence in the platform's security, as their reputation and user adoption depend on perceived security strength
  • Security researchers and competitors may benefit from highlighting vulnerabilities, as this can drive users toward alternative messaging platforms or enhance the researchers' professional standing
  • The app is still under development and may not be fully secure [1], suggesting that some issues may be developmental rather than fundamental flaws

Additional context missing from the original question:

  • Session has completed professional security audits [1]
  • The platform uses innovative privacy features like decentralized networks and anonymous sign-up processes [4] [5]
  • Some privacy concerns exist regarding the use of Google servers for push notifications [1]

3. Potential misinformation/bias in the original statement

The original question "does session messenger have vulnerabilities?" appears neutral but lacks specificity about the nature, severity, or current status of any vulnerabilities. This framing could lead to:

  • Oversimplification of complex security debates between researchers and developers
  • Failure to distinguish between alleged vulnerabilities and confirmed security flaws
  • Missing the important context that the Session team has disputed many security claims [2]

The question also doesn't acknowledge that all software carries some level of vulnerability risk; the more useful question is how severe the identified issues are and how they were handled, rather than whether any exist.
