Friday was launch day. X dropped XChat, its standalone encrypted messaging app, into Apple's App Store for iPhone and iPad users on iOS 26. End-to-end encryption, screenshot blocking, disappearing messages, and a 481-member cap on group chats. That's the feature menu on the App Store listing. The marketing says "no tracking." Then came the privacy label, which security researcher Tommy Mysk screenshotted and posted within hours. The label discloses collection of contact information, identifiers, usage data, diagnostics. Not quite the same story.
Key Takeaways
- XChat launched on the App Store Friday for iPhone and iPad users running iOS 26, free and without ads.
- The app offers end-to-end encryption, screenshot blocking, disappearing messages, and group chats capped at 481 members.
- Security researchers flagged Apple's privacy label, which lists collection of contact information, identifiers, and usage data.
- Private keys sit on X's own servers behind a four-digit PIN, departing from Signal's device-only standard.
AI-generated summary, reviewed by an editor. More on our AI guidelines.
What ships today
Version 11.85. 179.2 MB. iOS 26.0 or later, which quietly excludes a lot of older iPhones. No Android yet. The app ships in 46 languages and skips phone-number verification entirely. Sign in with your X handle and you're in.
Group chats are the headline feature. Nikita Bier, X's head of product, says the 481-member ceiling moves to 500 within weeks. After that? He's pointing at 1,000.
Part of the launch is also a cleanup. Communities is being shut down on May 6. Users have until May 30 to move conversations into XChat's new Groupchat Links format. X says Communities usage has been falling, and the company wants those users in XChat's private spaces instead.
Under the hood, XChat runs on Rust, with what X calls Bitcoin-style encryption. The tagline has been running for months across the listing and the company's own posts. Your encrypted chats deserve their own app.
Where the keys actually live
Read the fine print and the architecture starts wobbling. The user's private encryption key? It sits on X's servers. Protection? A four-digit PIN. The company has said so on its own help pages, and admitted this design could allow "a malicious insider or X itself" to access conversations in certain scenarios.
Varun Badhwar, who runs Endor Labs as CEO and founder, called that admission remarkable. "It means the end-to-end encryption claim depends on X's policies, not on math," he told Forbes. Signal's standard is different. Keys stay on your phone. On XChat they don't. There's the tell.
Photos tell a similar story. According to reports, XChat isn't stripping metadata before images transmit, which means GPS coordinates and camera details travel along with the picture. Message body stays encrypted. Your location doesn't.
What security experts are saying
For Luke Dixon, the bigger exposure isn't message content at all. It's metadata. Dixon, who heads IT and data law at Freeths, put his concern plainly. "Metadata reveals who you are communicating with, when, and for how long." None of that sits under the encryption umbrella. From it, a social graph tumbles out without much effort.
Then there's everything else Apple's privacy card catalogs. Product-interaction records. Search history. Identifiers. The categories keep going, and the pile grows.
Netskope's global privacy officer, Neil Thacker, picked up another thread. XChat, he said, shares account, usage, and device data with service providers, partners, "and potentially advertisers." And X's wider privacy policy? It already lets third-party collaborators take that data and run with it unless users opt out. Those collaborators, Badhwar pointed out, can repurpose it for their own ends, AI training included. XChat sits in the same corporate envelope as Grok.
Europe won't wait long to weigh in. GDPR wants far more disclosure than X currently offers. Lawful basis. Retention periods. Third-party sharing. Each one has to be spelled out. And X has been here before. Earlier this year, Ireland's Data Protection Commission opened a case over user data being fed into Grok training. X backed down, agreeing to permanently halt that processing for EEA users.
The Signal comparison
Why does Signal still set the bar? Because the math is open, your keys live on your phone, and the company couldn't read your messages if a court demanded it. Badhwar wasn't diplomatic about the comparison. "XChat doesn't clear any of those three bars. WhatsApp has the Signal protocol but lives inside Meta's ad ecosystem. Signal has the Signal protocol and doesn't. XChat has neither."
What's his actual recommendation? Depends on the conversation. For casual chats with people already in your X graph, fine, use it. Probably no worse than SMS. For media and group threads, meaningfully better. But anything touching your business, your health, your family, or anywhere a lawyer might get involved? Don't. Not in v1. Not until the code goes open source and gets independently audited.
The super-app play
Musk's been talking about the "everything app" idea for years, and XChat is another brick in that wall. The logic runs something like this. Why let users slip out to WhatsApp or Signal when you can keep them chatting inside X, where Grok already lives and where peer-to-peer payments are supposedly on the roadmap? Day one, the messaging app inherits your entire X graph, so there's no cold-start hell of begging friends to install a new thing. Signal has been fighting that battle for a decade.
Here's what the trade actually looks like on the ground. No phone number, great. Your X handle becomes your messaging identity, fine. But the same company that's been logging your posts, your likes, and your block list for years now gets to see who you message, how often, and for how long. That's a lot of new signal fed into a graph that was already unusually rich. Whether you take the deal depends, in the end, on a pretty narrow question. Do you trust the four digits standing between X and your private key?
Frequently Asked Questions
When did XChat launch on iPhone?
XChat went live on Apple's App Store on Friday, April 24, 2026, for iPhone and iPad users running iOS 26 or later. The app had been in testing through Apple's TestFlight since 2025. Android has no confirmed release date.
Is XChat actually end-to-end encrypted?
Messages are end-to-end encrypted between sender and recipient. However, XChat stores each user's private encryption key on X's own servers, protected by a four-digit PIN. X has acknowledged on its help pages that this architecture could allow a malicious insider or the company itself to access conversations under certain conditions.
What data does XChat collect?
Apple's App Privacy card for XChat lists contact information, identifiers, usage data, diagnostics, product-interaction records, and search history. Image metadata including GPS coordinates reportedly is not stripped from photos before transmission. Security researchers have flagged the gap between the 'no tracking' marketing and the privacy label's disclosed categories.
How large can XChat group chats be?
XChat launched with a 481-member cap on group chats. Nikita Bier, X's head of product, said the limit will lift to 500 within weeks and 1,000 shortly after. The app also includes Groupchat Links, which let users share public join links. X is shutting down Communities on May 6 and steering users toward XChat groups.
How does XChat compare to Signal and WhatsApp?
Signal keeps private keys on the device and uses open-source code that has been independently audited. WhatsApp uses the Signal protocol but operates inside Meta's ad ecosystem. XChat keeps keys on X's servers, is not open source, and lives inside the same corporate infrastructure as Grok. Security experts recommend Signal for sensitive conversations.