ATSAM protocol is now live in version 2.0

Raven. Powered by ATSAM.

Raven is a serverless peer-to-peer messenger. No account, no phone number, no email. Your identity is a key that never leaves your device. Powered by ATSAM, a layered security protocol covering every path a message takes: offline Bluetooth mesh and an encrypted peer-to-peer internet bridge, with no central server. Post-quantum hybrid pairing, private peer discovery, live device verification, and optional Vault Mode for sensitive text. Free for everyone.

  • Post-quantum hybrid pairing · X25519 + ML-KEM-768
  • Private peer discovery · beacons look random to strangers
  • Optional Vault Mode · one-time pad for sensitive text
  • 256 bits of AES on every byte · same online, mesh, bridge
  • 0 readable messages anywhere else · not for us, not for relays
  • 0 internet required · BLE mesh keeps you encrypted
  • 5+ device hops, all encrypted · spray-and-wait + TTL

Layered security, online and offline.

Raven is powered by ATSAM, a layered security protocol that protects every path a message can travel: offline Bluetooth mesh, the bridge handoff between mesh and internet, and the peer-to-peer internet bridge. No central server sits in the middle. Each layer has a precise job, and each layer makes only the security claim it can defend.


Five layers, each with a precise job. On by default.

ATSAM is not a single encryption algorithm. It is a layered security stack designed for Raven's online and offline architecture. Post-quantum hybrid pairing, private peer discovery, live device confirmation, encrypted mesh routing, and optional Vault Mode for sensitive text messages. As of v2.0, ATSAM is enabled by default on every install. Nothing to switch on, nothing to configure.

  • Layer 1 · Post-Quantum Hybrid Pairing. Classical and post-quantum key establishment combined into one shared root secret.
  • Layer 2 · Private Peer Discovery. Paired devices recognise each other while beacons look like random bytes to strangers.
  • Layer 3 · Live Device Confirmation. A fresh challenge prevents old beacons being replayed as verified presence.
  • Layer 4 · Encrypted Mesh Routing. Per-message routing tags so mesh relays do not see usernames, phone numbers, or stable recipient IDs.
  • Layer 5 · Optional Vault Mode. One-time-pad content protection for small, high-sensitivity text messages under strict pad conditions.

Forward secrecy on every message

The Double Ratchet derives a fresh encryption key for each message and erases the old one. If your phone is compromised tomorrow, yesterday's messages stay secret. Every conversation heals itself with the next handshake, which cryptographers call post-compromise security.
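To make the two properties concrete, here is an added example (not Raven's ratchet code) of the symmetric-key chain at the heart of the Double Ratchet, built only from HMAC-SHA256 and a small HKDF. Message keys are derived from a chain key that is overwritten on every step, so a device compromise reveals the current chain key but not earlier message keys (forward secrecy); mixing a fresh DH output into the root key then cuts the attacker off again (post-compromise security). The fresh DH output is simulated with random bytes standing in for an X25519 shared secret, and the HKDF labels are this example's own choices.

```python
"""Symmetric-key ratchet illustrating forward secrecy and post-compromise
security.  Added example using only the standard library; the 'DH output'
is random bytes standing in for an X25519 shared secret (assumption)."""
import hashlib
import hmac
import secrets


def kdf_ck(chain_key: bytes):
    """One chain step: (next chain key, message key) from the current chain key.
    Distinct one-byte labels keep the two outputs independent."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    message_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, message_key


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Extract + HKDF-Expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def kdf_rk(root_key: bytes, dh_output: bytes):
    """DH ratchet step: fold a fresh shared secret into the root key,
    yielding a new root key and a new chain key."""
    okm = hkdf_sha256(root_key, dh_output, b"example-dh-ratchet", 64)
    return okm[:32], okm[32:]


class SymmetricRatchet:
    def __init__(self, root_key: bytes, chain_key: bytes):
        self.root_key = root_key
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        # The old chain key is overwritten here; only the HMAC outputs survive.
        self.chain_key, mk = kdf_ck(self.chain_key)
        return mk

    def dh_ratchet(self, dh_output: bytes) -> None:
        self.root_key, self.chain_key = kdf_rk(self.root_key, dh_output)

    def state(self):
        """Everything an attacker learns from a device compromise right now."""
        return self.root_key, self.chain_key


def demo() -> dict:
    # Constructed stand-in for the root secret an X3DH handshake would produce.
    root = hashlib.sha256(b"constructed X3DH root secret").digest()
    alice = SymmetricRatchet(root, hkdf_sha256(root, b"", b"example-chain", 32))

    past = [alice.next_message_key() for _ in range(3)]   # messages 1..3 sent
    _, stolen_ck = alice.state()                           # phone compromised here

    # Attacker runs the public algorithm forward from the stolen chain key.
    ck, predicted = stolen_ck, []
    for _ in range(2):
        ck, mk = kdf_ck(ck)
        predicted.append(mk)
    future = [alice.next_message_key() for _ in range(2)]  # messages 4..5: exposed

    # Next handshake mixes in a DH output the attacker never sees.
    alice.dh_ratchet(secrets.token_bytes(32))
    healed = alice.next_message_key()                      # message 6: private again
    _, attacker_guess = kdf_ck(ck)

    return {
        "message_keys_unique": len(set(past + future + [healed])) == 6,
        # Past keys were HMAC outputs of chain keys already erased; the stolen
        # state does not contain them and HMAC cannot be run backwards.
        "stolen_state_is_not_a_past_key": stolen_ck not in past,
        "future_predicted_before_heal": predicted == future,
        "future_predicted_after_heal": attacker_guess == healed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two flags that matter are the last two: before the DH step the attacker predicts every upcoming message key from the stolen chain key, after it they predict nothing, which is exactly the window of exposure the Double Ratchet is designed to close.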

Double Ratchet · X25519 ECDH · HKDF-SHA256

Verify the human, not the network

End-to-end encryption only works if you're talking to the right person. Raven now derives a 60-digit Safety Number from your two identity keys: read it aloud, scan the QR, or compare in person. If the numbers match, no man-in-the-middle is possible, even if the carrier, the ISP, and the relay node all collude.

Safety Numbers · Ed25519 identity · SHA-512 fingerprint

Encrypted before it leaves you

Every message and reaction is sealed on your device with AES-256-GCM keys derived from the X3DH handshake. Whatever path the envelope takes, whether peer, relay, or 5-hop bridge, only ciphertext travels.

AES-256-GCM · ChaCha20-Poly1305

The same crypto, even with no internet

When the network's gone, Raven hands the same encrypted envelope to a peer-to-peer BLE mesh. Relay devices forward bytes they can't read, can't modify, and can't impersonate. Everything is end-to-end encrypted before they ever touch a relay.

BLE GATT · Ed25519 signed · Replay nonce

Keys never leave the Secure Enclave

Identity, signing, and ratchet keys live in iOS Keychain, hardware-bound to your device. They don't appear in iCloud backups, can't be cloned with the rest of your phone's data, and we cannot extract them even under legal order.

iOS Keychain · Secure Enclave · No password

No metadata to leak

No phone numbers. No email. No address books uploaded. No accounts and no central server to hold a contact graph. Your identity is a key on your device. Push notifications carry no message content, only a wake-up. The local database is sealed with SQLCipher (AES-256).

SQLCipher · No phone# · Wake-up push only

A focused messenger, encrypted offline too.

Private one-to-one and group chats. No feed, no ads, no algorithm. Every message is wrapped in the same end-to-end encrypted envelope, and it all works when you have no signal.

Offline-first mesh

Bluetooth Low Energy carries encrypted chats and receipts across up to 5+ hops. Neighbours become the network. No internet, no cell, no problem.

Vault & biometric lock

Hide chats, photos, and files behind Face ID. Vaulted content is double-encrypted with a key that never touches the network; even App Lock alone won't unseal it.

No account, no server

Open the app and you're in: an Ed25519 key is generated on-device and becomes your identity. No sign-up, no phone number, no email, nothing to remember. Add contacts by scanning a QR code in person.

Serverless internet bridge

When peers aren't in Bluetooth range, Raven connects them over a peer-to-peer libp2p network: DHT discovery, Circuit Relay v2, hole-punching. No central server in the path, so there's nothing to subpoena, breach, or bill you for.

Free for everyone

Every feature is free, forever. No subscription, no tiers, no "upgrade to unlock." With no servers to run, there's no bill to pass on to you.

On-device intelligence

Smart-reply suggestions and Apple Translation run entirely on the device using Foundation Models. No prompts, transcripts, or contact data ever leave the phone.

What's shipped, what's next, what we commit to.

A serious messenger needs serious accountability. Below is the honest scoreboard, including the items every security reviewer asks about, with the version they ship in.

✓ Shipped · v2.0

Live now

  • X3DH + Double Ratchet end-to-end encryption

    Forward secrecy and post-compromise security on every 1:1 conversation, on internet AND mesh. The leak of any one key never reveals past or future messages.

  • Safety Numbers (out-of-band identity verification)

    SHA-512-derived 60-digit fingerprints, comparable in person, by voice, or QR. A simple, in-person way to detect machine-in-the-middle attacks before they happen.

  • Hardware-bound keys (Secure Enclave + Keychain)

    Identity, signing, ratchet keys never leave the device. No iCloud backup. Court-resistant.

  • Per-message AES-256-GCM + Ed25519 signatures

    Authenticated encryption + sender authentication on every envelope. Replay nonce + sliding-window dedup on every relay.

  • Double-AEAD construction (defence-in-depth)

    Inner ChaCha20-Poly1305 wrapped in outer AES-256-GCM with a key-committing HMAC tag; both ciphers must fail before plaintext leaks. (Inner and outer keys are independent; commitment defeats Salamander-class multi-key attacks.)

  • No account, no password, no server credentials

    There is no login and no password to authenticate. Your identity is an on-device Ed25519 + X25519 keypair generated on first launch. There is no credential database to breach because there are no accounts.

  • Sealed Sender

    Hides sender identity from the relay layer. A relay learns only that an encrypted envelope is in transit, never who sent it. X25519 ephemeral + AES-GCM seals the inner envelope to the recipient's identity key.

  • Encrypted key backup & recovery

    Opt-in passphrase-sealed backup (PBKDF2-SHA256 600 000 iterations + AES-256-GCM) of identity + ratchet state. Lose your phone, keep your messages, without ever shipping the recovery passphrase off your device.

  • 180-day identity rotation with cross-signed transition certificates

    Your identity keypair rotates automatically every 180 days. Each transition certificate is signed by BOTH the old AND the new key, so peers who only see the new key can still prove provenance back to the old one. The certificate chain is locally verifiable forward and backward.

  • Reproducible builds

    Anyone can rebuild the App Store binary from public sources and verify it byte-for-byte against the published manifest (source SHA-256 + Mach-O SHA-256 + bundle SHA-256). The build that runs on your phone is the build we publish.

  • Memory-hygiene primitives (page-locked, triple-zeroised)

    Sensitive byte buffers (chain keys, ratchet roots, in-flight plaintext) live in SecretKey, mlock'd so the OS can't write them to swap, then triple-zeroised on deinit (0x00 / 0xFF / 0x00) to defeat optimiser-eliding writes.

  • Mesh-to-Internet Gateway (Helper Mode)

    An online RAVEN device can opt in to act as a cipher-text relay for nearby offline neighbours over BLE. Only the recipient hint and an opaque ciphertext blob cross the gateway, never the plaintext or the original sender. Token-bucket rate limiting + replay-nonce dedup; deactivates automatically when the phone gets hot, low on battery, or backgrounded.

  • ATSAM hybrid post-quantum pairing v2.0

    Every new conversation now negotiates a hybrid key using X25519 + Apple's native CryptoKit.MLKEM768 (FIPS 203). Today's encrypted messages stay safe even if a future quantum computer breaks classical crypto. Layered over an HKDF key tree (per-peer chain) and a transcript-bound root key. RAVEN is the first consumer messenger to ship ML-KEM-768 on Apple's first-party crypto rather than a third-party C lib.

  • Mesh attack-surface hardening pack v2.0

    Round-26 in-house red-team closed eight findings in one release: forced plaintext-downgrade defense (split .suspectedLegacy vs .legacyClient so only RECEIVED legacy frames authorise downgrade); TOFU sender-id forging defense (verify the signer key matches the out-of-band-pinned identity key before learning a peer's userId); gateway-beacon forging defense (Ed25519-sign every beacon + TOFU-pin the signer); Bonjour fingerprint tracking defense (rotate MPC displayName per session, drop the static fp from discoveryInfo); routing-sinkhole resistance (the "claimed-recipient ⇒ 100% forward" boost is gated on a verified-trust check).

  • Sealed-sender hashed identity tokens v2.0

    HMAC-SHA-256 of every userId truncated to 96 bits, populated on every outbound envelope. Rogue mesh relays see opaque 24-hex tokens instead of the raw key-derived userId, so an envelope on the wire can't be correlated back to a stable identity. The raw userId is stripped from envelopes in strict mode.

  • Watch key-material wrap (per-install AES key) v2.0

    iPhone generates a 32-byte AES key in its own Keychain (no access group), ships it to the paired Watch over WCSession updateApplicationContext, and writes only ChaChaPoly-sealed key bytes to the shared App Group file. iCloud backup extraction yields ciphertext; the wrap key is process-isolated.

  • 3-of-5 social key recovery (Shamir over GF(2⁸)) v2.0

    Passphrase-loss users can now recover their identity keys by collecting three encrypted shares from five trusted contacts. Shares are split via Shamir-over-GF(2⁸) and individually wrapped per-contact with ECIES (X25519 + HKDF + ChaChaPoly) so only the intended contact can hold their share. No copy of the recovery key ever leaves your devices. (Feldman VSS verifiability lands in v2.1.)

  • Serverless encrypted media: photos, voice, files v2.0

    Attachments travel the same serverless paths as text. A random AES-256-GCM content key encrypts the bytes, the key rides inside a Noise-sealed bundle, and the media moves over the BLE mesh or the libp2p bridge. No upload, no cloud storage, no server ever holds the file.

→ Next · v2.1

In the next release

  • Feldman VSS verifiability for social recovery

    The Shamir-over-GF(2⁸) + per-contact ECIES (X25519 + HKDF + ChaChaPoly) recovery primitive is live in v2.0. A passphrase-loss user can already restore from three trusted contacts via the in-app contact picker. v2.1 adds Feldman verifiable secret sharing so a malicious contact handing back a corrupt share is detected at reconstruction time, not at "your account is gone" time.

  • Onion-style relay routing wired into the live mesh gateway

    The OnionEnvelope primitive (Sphinx-style layered ChaChaPoly) is implemented and tested in isolation. v2.1 wires it into MeshGatewayService so multi-hop bridge deliveries no longer expose the recipient hint to the gateway or any single mesh hop.

  • ML-DSA-65 hybrid signing (completes the PQ identity story)

    v2.0 shipped the ML-KEM-768 key-agreement half via Apple's native CryptoKit.MLKEM768. Every new pair now negotiates a hybrid X25519 + ML-KEM-768 root. v2.1 adds the matching ML-DSA-65 signing half via the new CryptoKit.MLDSA65 API so identity assertions are hybrid post-quantum on BOTH agreement AND signatures. Both the classical key and the PQ key must fall before an attacker reads anything.

  • App Attest-bound device enrolment

    Bind every newly-paired device to a per-install Apple App Attest assertion so peers can refuse pair requests from cloned / jailbroken / re-signed binaries. Defeats the "attacker forks the IPA and pretends to be the user" identity-takeover vector.

  • Per-conversation disappearing messages

    User-selectable TTL (1 hour, 1 day, 1 week) per conversation. Relay-side aging (no plaintext to delete, but ciphertext envelopes are aged out of relay buffers) plus client-side enforcement (decrypted messages are zeroised from local storage). Honours the Signal-class "after-the-fact deletion can't bring back what was screenshotted" caveat in the UI.

⚑ Committed · 2026 H2

Committed for 2026 H2

  • MLS for groups (RFC 9420)

    Per-group symmetric keys give us today's correctness; Messaging Layer Security gives us proven-secure, scalable group ratcheting. Migration target: v2.1.

  • Independent third-party audit

    Cure53 / Trail of Bits / NCC Group-tier engagement against the cryptographic core. Full report published in the open. "Designed to be reviewed" is not the same as "audited", we know.

  • Open-source crypto core

    The X3DH / Double Ratchet implementation, the mesh envelope, the BLE protocol layer, and the libp2p bridge, released under an audit-friendly license. Application code follows in stages.

  • Mesh cover traffic & padding (Loopix-style)

    Traffic-analysis is a real attack on BLE mesh. Constant-rate padding + decoy envelopes at the radio layer to flatten the "who-talks-to-whom" pattern.

  • Censorship-resistant transport

    Domain fronting + pluggable transports (obfs4 / Snowflake-style) so Raven keeps connecting in Iran, China, Russia, and any future filtered network, without leaking that you're using Raven.

  • BLE side-channel hardening (KNOB / BLURtooth / BLESA)

    App-layer authentication already neutralises pairing-level attacks (we sign every envelope; relays can't downgrade us). Protocol-level mitigations (encrypted pairing, MITM-resistant GATT verification) tracked publicly in the security audit.

What we don't claim, yet.

Trust in a messenger is earned by what you ship and what you admit. So, plainly: we are not yet open-source, we have not yet been audited, and our group protocol is not yet MLS. Each of those has a target version above and a public commitment. If we miss a date, we'll say why. We'd rather you believe a roadmap we deliver than a marketing claim we can't back up.

iOS, Mac, and on your wrist.

The same Swift codebase ships natively on iPhone, iPad, Mac, and Apple Watch. No Electron, no shim, full background BLE on every Apple platform. Windows and Android clients in active development for Q4 2026.

iOS & iPadOS

17.0+ · App Store · v2.0

Swift + SwiftUI, Liquid Glass UI, CoreBluetooth peripheral and central running concurrently for full mesh participation in foreground and background.

  • Background BLE relay keeps the mesh alive when the screen is off
  • APNs delivery for online priority messages
  • No sign-in: identity is an on-device key generated on first launch

Mac (Catalyst)

macOS 14+ · DMG · v2.0

NavigationSplitView shell with a capsule sidebar, ⌘-shortcuts everywhere, and a LaunchAgent companion that keeps mesh delivery alive while the window is closed.

  • Full BLE central + peripheral via the same protocol as iOS
  • Multipeer Connectivity fallback for in-room transfers
  • Distributed as a signed DMG outside the Mac App Store

Apple Watch (companion)

watchOS 10+ · with iPhone · v2.0

Read DMs, react, reply by dictation or Scribble, and ship voice notes, all through the paired iPhone. Watch can't be a real BLE mesh peer (a watchOS API limit, not a roadmap item), so mesh traffic still flows through the phone.

  • Auto-installs with the iPhone app: no separate App Store search
  • Smart-Reply chips + Scribble + dictation for DM replies
  • Cellular fallback (Series 4+) keeps online sends working when iPhone is out of range

Three transports. One envelope.

Every message, whether a DM or a group message, is wrapped in the same signed envelope. The router picks the cheapest path that's actually working, and none of them route through a server we run.

01 · Peer-to-peer

When both peers are online, Raven connects them directly over libp2p: Kademlia DHT discovery, Circuit Relay v2 with hole-punching for NAT traversal, Noise-encrypted streams. No central server sits in the path.

libp2p · Kademlia DHT · Circuit Relay v2 · Noise

02 · Direct mesh

Peer-to-peer BLE GATT writes between devices that see each other. Multipeer Connectivity adds a Wi-Fi/AWDL fast lane in the same room.

CoreBluetooth · GATT · MPC

03 · Bridge

Store-and-forward across multi-hop relays. A neighbour holds your encrypted envelope until it meets a node that can finish delivery, back online or in range of the recipient.

Spray-and-Wait · TTL 5 · SHA-256 dedup
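The bridge description above combines three relay-side controls: a hop budget (TTL), the spray-and-wait copy budget, and SHA-256 dedup so a replayed envelope is not forwarded twice. The block below is an added example of how a relay enforces them together; it is not Raven's relay code, and the field names, the 1024-entry dedup window and the binary-spray variant are this example's assumptions. One detail a practitioner should check in any such design is visible here: the dedup digest covers only the fields a relay never changes, so an envelope re-sent with a different TTL is still recognised as a duplicate.

```python
"""Store-and-forward relay with a TTL hop budget, binary spray-and-wait
copy budget and a SHA-256 sliding-window dedup cache.  Added example, not
Raven's relay code; field names and the window size are assumptions."""
import hashlib
from collections import OrderedDict
from dataclasses import dataclass, replace

MAX_TTL = 5  # hop budget quoted on the page


@dataclass(frozen=True)
class Envelope:
    nonce: bytes        # sender-chosen replay nonce
    ciphertext: bytes   # opaque to every relay
    ttl: int            # hops remaining
    copies: int         # spray-and-wait copy budget

    def dedup_key(self) -> str:
        # Hash only the fields a relay never rewrites, so decrementing ttl or
        # copies cannot turn a replayed envelope into a "new" one.
        return hashlib.sha256(self.nonce + self.ciphertext).hexdigest()


class Relay:
    def __init__(self, name: str, window: int = 1024):
        self.name = name
        self.window = window          # bounded memory: oldest digest evicted first
        self.seen = OrderedDict()     # digest -> None, insertion ordered
        self.held = {}                # digest -> envelope awaiting a useful next hop

    def _remember(self, key: str) -> None:
        self.seen[key] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)

    def accept(self, env: Envelope) -> str:
        """Receive an envelope from a neighbour and return a verdict."""
        if env.ttl <= 0 or env.ttl > MAX_TTL:
            return "drop:ttl"
        key = env.dedup_key()
        if key in self.seen:
            return "drop:duplicate"
        self._remember(key)
        self.held[key] = replace(env, ttl=env.ttl - 1)   # one hop consumed
        return "held"

    def hand_off(self, key: str, peer_is_recipient: bool):
        """Offer a held envelope to a peer we just met; None means 'keep waiting'."""
        env = self.held.get(key)
        if env is None:
            return None
        if peer_is_recipient:                  # delivery ends the wait phase
            del self.held[key]
            return replace(env, copies=1)
        if env.copies <= 1 or env.ttl <= 0:    # wait phase, or hop budget spent:
            return None                        # only direct delivery remains
        give = env.copies // 2                 # binary spray: split the budget
        self.held[key] = replace(env, copies=env.copies - give)
        return replace(env, copies=give)


def chain_demo(hops: int):
    """Push one envelope through up to `hops` fresh relays.
    Returns the per-relay verdicts and the final direct delivery, if any."""
    env = Envelope(b"nonce-0001", b"constructed ciphertext", ttl=MAX_TTL, copies=32)
    verdicts, last = [], None
    for i in range(hops):
        relay = Relay(f"relay{i}")
        verdict = relay.accept(env)
        verdicts.append(verdict)
        if verdict != "held":
            break
        last = relay
        nxt = relay.hand_off(env.dedup_key(), peer_is_recipient=False)
        if nxt is None:          # last relay can no longer spray, only deliver
            break
        env = nxt
    delivered = last.hand_off(env.dedup_key(), peer_is_recipient=True) if last else None
    return verdicts, delivered


def window_demo():
    """A 2-entry window forgets the oldest digest, so memory stays bounded."""
    relay = Relay("tiny", window=2)
    a, b, c = (Envelope(n, b"ct", ttl=3, copies=2) for n in (b"a", b"b", b"c"))
    return [relay.accept(x) for x in (a, b, c, a, c)]


if __name__ == "__main__":
    verdicts, delivered = chain_demo(6)
    print(verdicts, "delivered with ttl", delivered.ttl if delivered else None)
    print(window_demo())
```

Running `chain_demo(6)` shows the TTL doing its job: five relays hold the envelope, the fifth holds it at TTL 0 and will only hand it directly to the recipient, and no sixth relay ever sees it. The bounded dedup window is the usual trade-off: an attacker who can push more than `window` distinct envelopes past a relay can make it forget an old digest, so window size is a memory-versus-replay-resistance knob, not a free lunch.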

Designed to be reviewed.

Crypto primitives, mesh routing, and the message envelope format are documented in full. Researchers, security teams, and serious users can request review access to the security-critical sources; we'd rather you check than take our word for it.