How it works
SimpleX replaces the conventional user account with a network of one-way message queues. To start a conversation, one party hands the other a single-use invitation link or QR code; both clients then post messages into queues hosted on relay servers that neither side controls. Each conversation lives on different servers, so no relay can stitch together a contact graph. Messages are end-to-end encrypted with a Double Ratchet adapted from Signal, and a post-quantum layer was recently added on top for forward-secret hybrid encryption. The clients run on iOS, Android, Linux, macOS and Windows, and as a terminal binary. Operators who do not want to depend on the public servers can self-host both the SMP messaging relay and the XFTP file-transfer relay from the upstream Haskell repository.
KYC & privacy
There is nothing to KYC. Account creation asks for no phone number, no email, no captcha and no random ID — the local profile name and avatar never leave the device. The relay servers see only opaque queue identifiers and padded ciphertext; addresses, contact names and message content stay on the endpoints. The official server list is reachable over Tor, and the Android and desktop clients can be configured to use only .onion hosts. Trail of Bits has now reviewed both the implementation (2022) and the cryptographic protocol design (2024); the published reports list a small number of medium-severity findings, all addressed in subsequent releases.
Strengths and limits
The defining strength is structural: with no user identifier of any kind, a subpoena to a relay returns queue traffic that cannot be tied to a person. Two independent Trail of Bits audits are unusual for a project this young, and the apps are reproducible from the public Haskell sources. The trade-offs are practical. The mental model — invite links, separate queues per contact, manual server selection — is heavier than Signal's. There is no phone-book discovery, so growing a network requires sharing links out of band. The desktop client is functional but visibly less polished than the mobile builds, group features are still maturing, and the project's company entity, Simplex Chat Ltd, is a small UK outfit relative to the threat models it invites. None of these are privacy regressions; they are the cost of doing without identifiers.
Verdict
SimpleX is the most ambitious anti-metadata messenger currently shipping, and its design choices have held up under external review. The friction is real — this is not a drop-in Signal replacement for a casual user — but for anyone whose threat model includes the contact graph itself, the trade is worth making. Grade: A (9.4/10). Trust: LEGIT.
