Elon Musk launched XChat today, a standalone encrypted messaging app that promises end-to-end encryption, zero tracking, and no ads. But security researchers are already sounding alarms about a fundamental flaw: X controls the encryption keys. That architectural choice undermines the entire privacy pitch.
XChat went live on iOS this morning with features users expect from encrypted messengers—voice and video calling, disappearing messages, screenshot blocking, and group chats up to 481 people. It requires an X account but no phone number, and it supports 46 languages. The pitch is clean: privacy-first messaging without the baggage. The reality is messier.
X Holds the Keys
Here’s the problem cryptography professor Matthew Green spotted immediately: X Corp controls your encryption keys. Unlike Signal, where users generate and control their own keys, XChat uses the Juicebox protocol to split keys into three parts stored on X’s servers. When you recover your account with a PIN, those key shards get reassembled—on X’s servers.
Green called this a “game-over type of vulnerability” and said he wouldn’t trust XChat “any more than I trust current unencrypted DMs.” The encryption might protect your messages from random hackers, but it does nothing if X faces legal pressure to hand over keys. The company promising privacy is also the single point of failure.
XChat also lacks forward secrecy, meaning if keys are compromised today, past messages become readable. Metadata like recipient names and timestamps aren’t encrypted either. These aren’t minor technical footnotes—they’re architectural choices that matter.
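To make the forward-secrecy point concrete, the following added example (not XChat's or Juicebox's code; the demo cipher, function names, root key and sample messages are constructed assumptions) compares one long-lived key with a one-way key ratchet. It then checks which stored ciphertexts open with the key material held after sending.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(msg_key: bytes, data: bytes) -> bytes:
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(kdf(msg_key, b"ks" + bytes([i])) for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(msg_key: bytes, plaintext: bytes) -> bytes:
    """Demo-only cipher: XOR keystream plus HMAC tag. Not for real use."""
    body = _xor(msg_key, plaintext)
    return body + kdf(msg_key, b"tag" + body)

def unseal(msg_key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(msg_key, b"tag" + body)):
        return None                      # wrong key
    return _xor(msg_key, body)

def send_static(key, messages):
    """No forward secrecy: one long-lived key covers every message."""
    blobs = [seal(kdf(key, b"msg%d" % i), m) for i, m in enumerate(messages)]
    return blobs, key                    # the same key is still held afterwards

def send_ratchet(key, messages):
    """Forward secrecy: the chain key only moves forward; old values are erased."""
    chain, blobs = key, []
    for m in messages:
        blobs.append(seal(kdf(chain, b"msg"), m))
        chain = kdf(chain, b"chain")     # overwrite the previous chain key
    return blobs, chain

def readable_with(state, blobs):
    """Stored ciphertexts that open using only the key material held now."""
    forward, chain = [], state
    for _ in blobs:                      # every key derivable going forward
        forward.append(kdf(chain, b"msg"))
        chain = kdf(chain, b"chain")
    found = []
    for i, blob in enumerate(blobs):
        for k in [kdf(state, b"msg%d" % i)] + forward:
            plain = unseal(k, blob)
            if plain is not None:
                found.append(plain)
                break
    return found

MSGS = [b"meet at 9", b"bring the files", b"delete this"]   # constructed sample
ROOT = hashlib.sha256(b"constructed demo root key").digest()
```

With the static design, `readable_with` returns all three past messages from the key held after sending; with the ratchet it returns none, which is the property the article says XChat lacks.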
The App Store Says Otherwise
XChat’s marketing claims “no ads, no tracking,” but the App Store privacy label tells a different story. The app collects five-plus data categories including location, contact information, and search history. That’s not nothing.
Then there’s the Grok AI integration. XChat lets you summon X’s chatbot mid-conversation with an “Ask Grok” feature. Messages sent to Grok are transmitted in plaintext, breaking the encryption promise entirely. You can’t call it end-to-end encrypted if there’s a plaintext escape hatch built into the interface.
Perfect Timing for a WhatsApp Alternative
XChat’s launch coincides with WhatsApp’s class-action lawsuit alleging Meta can access encrypted messages via a backdoor in the source code. Meta calls the claims “categorically false,” but the timing is convenient for Musk. Privacy-conscious users are actively shopping for alternatives.
Musk himself piled on, tweeting that “you’d have to be braindead to believe WhatsApp is secure in 2026.” The irony is thick. XChat faces the same trust problem: centralized control of encryption keys. Criticizing WhatsApp’s architecture while building an app with similar vulnerabilities is a bold strategy.
The Super App Play
XChat isn’t just a messaging app—it’s infrastructure for Musk’s “everything app” ambitions. X Money, the payment platform, enters beta this month. The endgame is a WeChat-style super app combining messaging, payments, social media, and services under one roof. WeChat pulled it off in China with 1.4 billion users. Can X replicate that in Western markets?
The challenge is trust. Super apps require users to consolidate their digital lives in one place. That means trusting the company with your messages, money, contacts, and data. X’s track record on privacy and moderation hasn’t exactly inspired confidence. XChat’s security flaws don’t help.
Network Effects Are Brutal
Even if XChat fixes the encryption architecture, it faces a brutal reality: messaging is about which app your friends use. WhatsApp has 3 billion users. Telegram has 1 billion and is pulling 48 million monthly installs. Signal owns the privacy niche with proven, audited encryption.
XChat has zero users, iOS-only availability, and a trust deficit. X’s 500 million monthly users give it a distribution advantage, but adoption depends on whether people want another messaging app from a company under constant scrutiny. Android and desktop versions are “coming soon” with no timeline, which limits reach.
The Verdict
XChat is live, offers some useful features, and might eventually become competitive if Musk delivers on transparency promises. But right now, the security architecture is flawed, the privacy claims contradict the App Store label, and the trust required for adoption hasn’t been earned. Musk promised to open-source the code and conduct rigorous audits before launch. Neither happened.
For privacy-conscious users, Signal remains the safer bet. For X ecosystem users who want integrated messaging, XChat is convenient but not trustworthy for sensitive communications. The super app ambitions are fine, but you can’t build that foundation on shaky encryption and broken promises.











