Encryption was the easy part
AES-GCM is not where messengers fail. The cipher is the solved part — decades of scrutiny, a known-answer test you can run on your own phone. What actually leaks lives in the margins around the ciphertext: the shape of your traffic that a relay still sees even when it can’t read a byte, and the device in someone’s hand when the math has already done its job. Two things shipped to close those margins. Neither is magic, and we’ll name where each one ends.
What a deaf relay still sees — and how we shrink it
Our relay is deaf: opaque blocks, timestamps, nothing else — no sender, no recipient, no key. But “nothing it can read” is not “nothing it can watch.” A block still has a size, a time, and an address it lands at. Each of those is a thread an adversary can pull:
- Size is the strongest fingerprint of a single conversation. So every block is now padded to a fixed size — the relay sees a handful of buckets, never the true length.
- A fixed address turns one timing slip into your whole history. So a conversation’s address is no longer a stable handle: it is re-derived on a ~15-minute clock, and each conversation’s rotation is phase-shifted by its own shared key — so the relay can’t even batch your chats together by the moment they roll over.
- Send timing is the last thread. A high-risk mode sends on a fixed cadence and fills the gaps with decoy frames, so when you actually send is hidden in constant-rate noise. Each identity also rides its own Tor circuit, so your personas don’t reveal that they share a phone.
Where it ends, plainly: a global passive adversary who watches both ends of a Tor circuit at once can still attempt timing correlation — the hard limit of every low-latency anonymity network. The cadence mode raises that bar; nothing erases it. The full accounting is in the whitepaper.
When they take the phone
Encryption assumes the attacker is on the wire. Sometimes the attacker is in the room, holding your phone, telling you to open it. Cryptography alone has no answer to that — so we give you a choice about what they see:
- A decoy. You can set a second password that opens a separate, empty profile — the one you reveal under pressure. Your real profile stays hidden in the same encrypted store, and on disk the two are indistinguishable: no flag, no extra file, nothing that proves a hidden profile exists at all. It’s the hidden-volume idea VeraCrypt made famous, for your messages. You unlock with your real password as always; the decoy password shows the fake.
- A panic lock. One tap disarms biometrics and re-locks the app, so a finger held to the sensor opens nothing — only a secret does, and a secret you can refuse or give as the decoy. Set biometrics up from the decoy, and they can only ever open the decoy.
- Nothing to grab off the screen. Screenshots, screen recording, and the “recent apps” thumbnail are blocked — the chat can’t be captured from outside the app.
And the limit we won’t paper over: this protects what’s inside, not the fact that YGOOW is on your phone. We hide your content and your metadata; we do not hide the app. A decoy you could be proven to be hiding would be worse than none — so the one thing it cannot do is exactly the thing we say it cannot. The reasoning is in the trust model.
Why both, and why now
The thread that runs through twenty years of this — forced backdoors, trojaned clients, faked certificates — is that the pressure rarely lands on the cipher. It lands on the operator, on the network’s shadow, on the person. The deaf relay removed the operator as a point of pressure. These two close the next two doors: the shadow your traffic casts, and the moment someone takes the device.
You don’t have to take our word for any of it. The cryptography is written out primitive by primitive in the whitepaper, the app re-runs the same known-answer vectors on your phone, and how you choose protection per conversation is laid out in choosing your protection.
Your key, your rules — everything else is redacted.