TOX messengers on Windows and Android – serverless private messaging
THIS POST IS STILL UNDER CONSTRUCTION
Skip ahead to the QUICKSTART,
or read on to understand the concepts of serverless private messaging.
With this post I am trying to put a complex subject into understandable terms. I hope I am succeeding.
If you are here you already know you want to try this. I am not going to try to convince you to do so. That is up to you.
I am, however, trying to give you relevant information that can help you find your best solution.
TOX messaging summary:
- No registration of any personal data whatsoever
- No owner of the TOX network or apps. All free and open source.
- Encrypted with keys that nobody but you and your messaging partner have, once you give them to your partner.
- No servers to store messages
- No intermediary servers. Direct point-to-point message transmission
- Text messages with attached pictures and videos and phone and video calls
TOX ID and encryption
The TOX ID is your encryption key. It is used to obfuscate your messages (to make them unreadable), so nobody other than the people who have the key can read them, even if somebody intercepts the messages between you and the recipient. Without the keys, having the messages is useless.
So it is very important to make sure nobody unauthorised gets your TOX ID key. Be careful when transmitting it over unsafe links (phone, SMS), and even over links that use encryption (Whatsapp, Signal, Threema, Telegram etc.), where you cannot be sure they could not decrypt that transmission and get your TOX ID key (more on this under the serverless heading below).
The safest way is to transmit your TOX key via TOX messenger to a trusted person you already have a TOX connection with, who can then pass it on to the recipient you want to connect with directly. Of course, the trusted intermediary would have to have a TOX connection with the ultimate recipient you seek to connect with.
Another way to connect with a future message partner is in person. It could also be viable to split the key into several pieces and send each piece via a different channel, even over unsafe connections, to get it to the final recipient. You decide what you are comfortable with.
Once the final recipient has the key, they can send you a friend request (described below), which you have to confirm. Then you can communicate, even with phone and video calls.
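A Tox ID as displayed by a client is 76 hexadecimal characters: a 32-byte public key, a 4-byte nospam value and a 2-byte checksum. As an added example (not part of the original post and not code from any Tox client), this Python code checks that an ID handed over on paper, read out on a call or sent in several pieces arrived intact before it is pasted into a friend request; the function names and the sample ID are constructed for illustration.

```python
# Added example: validate a Tox ID received out-of-band (names are illustrative).
PUBLIC_KEY_LEN, NOSPAM_LEN, CHECKSUM_LEN = 32, 4, 2
BODY_LEN = PUBLIC_KEY_LEN + NOSPAM_LEN
TOX_ID_HEX_LEN = 2 * (BODY_LEN + CHECKSUM_LEN)  # 76 hex characters


def tox_checksum(body: bytes) -> bytes:
    """XOR the bytes of public key + nospam into two alternating checksum bytes."""
    check = bytearray(CHECKSUM_LEN)
    for i, value in enumerate(body):
        check[i % CHECKSUM_LEN] ^= value
    return bytes(check)


def parse_tox_id(text: str) -> dict:
    """Split a Tox ID into its fields; raise ValueError if it is malformed."""
    cleaned = "".join(text.split())  # tolerate spaces/newlines from paper or chat
    if len(cleaned) != TOX_ID_HEX_LEN:
        raise ValueError(f"expected {TOX_ID_HEX_LEN} hex characters, got {len(cleaned)}")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("Tox ID contains non-hexadecimal characters") from None
    body, checksum = raw[:BODY_LEN], raw[BODY_LEN:]
    if tox_checksum(body) != checksum:
        raise ValueError("checksum mismatch: the ID was mistyped or a piece is wrong")
    return {
        "public_key": body[:PUBLIC_KEY_LEN].hex().upper(),
        "nospam": body[PUBLIC_KEY_LEN:].hex().upper(),
        "checksum": checksum.hex().upper(),
    }


def reassemble(pieces: list) -> dict:
    """Join pieces that arrived over different channels, in order, and validate."""
    return parse_tox_id("".join(pieces))


def make_sample_id() -> str:
    """Constructed sample ID (not a real account): bytes 00..1F plus nospam DEADBEEF."""
    body = bytes(range(PUBLIC_KEY_LEN)) + bytes.fromhex("DEADBEEF")
    return (body + tox_checksum(body)).hex().upper()


if __name__ == "__main__":
    sample = make_sample_id()
    print(reassemble([sample[:25], sample[25:50], sample[50:]]))
```

The checksum is a plain XOR, so it only catches accidental errors such as a mistyped character or a missing piece; it says nothing about who the ID came from.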
What does serverless mean?
All the common messenger services (Whatsapp, Signal, Telegram, Threema etc.) provide encryption and employ encryption keys to do that. These keys are initially generated when you connect with another person and are transmitted via the services' respective servers. While we want to believe that this is safe, I believe there is little technical difficulty in intercepting these encryption keys and thereby gaining the ability to read your messages without your knowledge. Yes, there are laws as a hurdle. It’s up to you if you want to trust this. Threema is a Swiss company under the strict privacy laws of Switzerland. Some prefer that over the others. I like serverless… read on.
Further, with those well-known messenger services, the encrypted messages you send are (sometimes) kept on their servers so that the recipient can retrieve them when they come back online. Yes, convenient, but ……
And here we come to the major difference. The TOX network has no servers that transmit or keep your messages or your encryption keys.
And the actual messages you send never go via any TOX network server. Messages go from one TOX message app to the other TOX message app: a direct connection from one phone or computer to another phone or computer. No messages are held anywhere in between.
Therefore, when the recipient is not connected to the internet with their TOX app open, your message cannot be sent. It is only sent when the apps on both of your devices are online and connected to the internet.
You could possibly secure your communication even further with a private VPN or even via the TOR network, but this is too advanced for this post. I might make another post about this.
I trust you can see that this is a very good basis to preserve your privacy.
Quickstart:
There is no registration where you have to give your name or phone number or email address or any personal information. Just install the app, give the automatically generated TOX ID to your friend, connect and start communicating in privacy.
There are a few different TOX capable apps for different OSs. These are the ones I favour.
WINDOWS:
- Download QTOX app – https://tox.chat/download.html
- Install on your computer.
- Open and follow the prompts.
- Get your own TOX ID (it is automatically generated at the time of setup of the app). Click on your name below “My Profile” at the top. Then your TOX ID will be displayed on the right.

- The Tox ID is unique to you. You will need to get this to the person you want to communicate with so they can connect with you: for example face to face, on a piece of paper, on a phone call, via Whatsapp, Signal, Telegram or SMS. Whatever you feel safest with. Anyone having this key could intercept and decode your messages. So keep it safe.
- If you want to initiate a TOX connection with another person, you need to have their TOX ID.
- Click the + at the bottom of your contact list and add their TOX ID.
- Write something relevant in the Message box
- Click “Send Friend Request”
- They will receive that request and they need to confirm it. Then you are connected and can communicate as with any other messenger. You can even do phone calls (and video calls), but I have not tried that. I can see no technical issue with that though.
Note: Only one of you needs to send a friend request. When the other person accepts it, you can communicate.
Another Windows TOX App is: utox – not as fancy and somewhat more technical.
Android:
- Get ATOX Messenger App from the Google Playstore
TIP: If you are going to a place where you are unsure whether you can use this, make sure you open the app multiple times in the days before and go online. This may help with the ability to get it working in places with unfavourable conditions.