Built for two kinds of users — people who treat privacy as a discipline (screenshot blocked, disappearing messages that actually disappear, locked attachments) and Solana digital-asset communities (non-custodial wallet, on-chain marketplace, revenue-sharing channels). Signal Protocol cryptography, on-device key custody, zero plaintext on the server.
Footprints in fresh snow vanish with the next gust of wind.
So should the trail of your messages, your files, your identity.
Centralized platforms keep failing in the same direction — your data leaked, your earnings deleted, your audience held hostage. SnowChat is the opposite premise: cryptographic control returned to whoever owns the message and whoever creates the value.
Major chat platforms keep getting breached — Discord 2024, Telegram metadata cooperation cases, repeated cloud-side leaks. As long as the server can read your message, someone else eventually will.
SnowChat answer · The server literally cannot read your messages
Tensor removed creator royalties from its marketplace in 2024 — entire creator economies erased by a single platform decision. Whoever owns the venue owns the rules.
SnowChat answer · Creator royalties enforced on Solana, not by a platform policy
Build a community on someone else's chat server, get deplatformed, lose all of it. The channel is the asset; the host should not be allowed to repossess it.
SnowChat answer · Encrypted channels with portable identity — your community moves with you
No crypto jargon in your face. The complexity lives inside the protocol — the surface is just chat, wallet, and a built-in NFT marketplace. Below are unmodified captures from the production build.
SnowChat ships a clean-room Pure Dart implementation of the Signal Protocol — no platform channels, no opaque native blobs. Every cryptographic primitive is auditable Dart source.
Extended Triple Diffie-Hellman bootstraps a new session. Pre-keys hosted server-side allow asynchronous first contact without ever revealing a long-term private key.
x25519 · ed25519
Every message advances both a DH ratchet and a chain ratchet. Past sessions cannot be decrypted from a future compromise; future sessions cannot be decrypted from a past one.
HKDF · HMAC-SHA256
Group messages encrypt once and fan out to N members in O(1). SKDM (Sender Key Distribution Messages) ride inline with each group message to prevent distribution loss.
Signal Hybrid · 5-generation cache
For 1:1 and group messages, the server stores no sender identifier on the row. Ownership verifiable via HMAC, but operator-side peek of "who sent what" is blocked at the DB layer.
senderId = NULL + senderHash
Every file is sealed with XSalsa20-Poly1305 before upload. Filenames, mimetypes, and content all live inside the E2EE payload — the server only sees encrypted blobs and their size.
XSalsa20-Poly1305
The local Signal session database is sealed with an HKDF-derived key, kept in flutter_secure_storage (iOS Keychain / Android Keystore). No plaintext fallback. Ever.
SecretBox · Keychain
Both Android FLAG_SECURE and iOS background-snapshot blocking are active by default. Screenshots, screen recordings, and the iOS app-switcher snapshot all render black for any view that contains private data.
iOS is best-effort — Apple does not allow third-party apps to fully block screen captures the way Android can. And no software setting can prevent a second device pointed at your phone. We tell you the limits instead of pretending they don't exist.
⚠ Out-of-band photos with another camera cannot be prevented — that's a hardware limit, not a software bypass.

| Aspect | Server knows | Server does NOT know |
|---|---|---|
| Text messages | Ciphertext only — cannot decrypt | Plaintext content |
| File body | XSalsa20-Poly1305 ciphertext blob | Original file, filename, mimetype |
| File decryption key | — | fileKey lives inside the E2EE payload |
| Session store | — | SecretBox-encrypted on disk |
| Disappearing TTL | Bucketed hint (e.g. <5m) | Precise expiration timestamp |
| Sealed sender ID (1:1, group) | HMAC ownership token only | Plain sender userId at the DB row |
| Group name | Ciphertext blob (Phase 8.8 GMK) | Plaintext group name |
Cryptography is the floor, not the ceiling. SnowChat layers user-controlled deletion, OS-level capture blocking, and platform-level forensic resistance on top of the Signal Protocol — so the message disappears even when the device is lost, someone tries to screenshot, or the recipient tries to exfiltrate the file.
Per-thread TTL (5 minutes, 1 hour, 1 day, 7 days, custom). Both sides delete on the same wall clock — the server only sees a coarse bucket hint, never the precise expiration. Disappears means gone from disk, not just hidden from the UI.
Bucketed TTL · dual-side sync
Files sent inside a disappearing thread cannot be downloaded, saved to gallery, shared, or forwarded. The viewer renders inside SnowChat's process and deletes the decrypted blob when the TTL expires. PDFs use an in-app PDFKit viewer instead of routing through external apps.
In-app viewer · no Save/Share
Always on. Android FLAG_SECURE blocks both manual screenshots and the recent-apps thumbnail. iOS background-snapshot blocking renders the chat black in the app switcher. The setting is visible to the user in Settings — no hidden toggles.
FLAG_SECURE · iOS snapshot block
The server doesn't store sender identity at the row level. senderId = NULL, ownership verified via HMAC. Operator-side "who sent what" peek blocked at the DB layer; full forensic delivery-token transition planned (see roadmap).
senderId NULL · HMAC ownership
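The row layout described here and in the earlier "senderId = NULL + senderHash" item can be sketched as follows. This is an added example, not SnowChat's code: the token construction (HMAC-SHA256 over the user id and message id under a server-side key held outside the database), the in-memory `db` dictionary and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def sender_hash(key: bytes, user_id: str, message_id: str) -> str:
    """Ownership token binding an authenticated user to one message (assumed construction)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    data = b"".join(len(p).to_bytes(2, "big") + p
                    for p in (user_id.encode(), message_id.encode()))
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def store_message(db: dict, key: bytes, user_id: str,
                  message_id: str, ciphertext: bytes) -> None:
    """Insert a row that carries no plaintext sender identifier."""
    db[message_id] = {
        "senderId": None,  # never written to the row
        "senderHash": sender_hash(key, user_id, message_id),
        "ciphertext": ciphertext,
    }

def owns_message(db: dict, key: bytes, user_id: str, message_id: str) -> bool:
    """Recompute the token for the requesting user and compare in constant time."""
    row = db.get(message_id)
    if row is None:
        return False
    expected = sender_hash(key, user_id, message_id)
    return hmac.compare_digest(expected, row["senderHash"])

def delete_message(db: dict, key: bytes, user_id: str, message_id: str) -> bool:
    """Only the user whose token matches the row may delete it."""
    if not owns_message(db, key, user_id, message_id):
        return False
    del db[message_id]
    return True

if __name__ == "__main__":
    # Constructed sample data: key, user ids and message id are made up.
    db, key = {}, b"\x11" * 32
    store_message(db, key, "alice", "msg-1", b"\x01\x02")
    print(db["msg-1"])                               # no user id anywhere in the row
    print(delete_message(db, key, "bob", "msg-1"))   # False: token does not match
    print(delete_message(db, key, "alice", "msg-1")) # True: owner verified via HMAC
```

Under this assumed construction, anyone holding both the HMAC key and the user directory can recompute tokens, so the protection covers inspection of database rows only, which matches the "at the DB layer" scoping above.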
No phone number. No email. No PII at registration. Your identity is a 24-word BIP-39 phrase derived locally — recoverable on any device, untraceable from any account directory. Server has nothing to hand over to a directory subpoena.
BIP-39 · 24 words · zero PII
Android allowBackup="false" and fullBackupContent="false" opt the app out of Google Drive backup entirely. iOS Keychain entries marked non-syncable. Lose your phone — lose your messages. Lose your recovery phrase — lose your wallet. There is no copy on someone else's server.
Android backup off · iOS Keychain local
SnowChat channels aren't just group chats — they're communities you can build, govern, and earn from. Members gather over Sender Key group encryption (O(1) fan-out, server sees only ciphertext), govern through cryptographically-signed roles (the platform can't reassign anyone), and share in on-chain marketplace revenue (50% of fees flow back to the channel). The platform is the relay; the members hold the keys.
Encrypt a group message once, server delivers it to N members in O(1). Signal Hybrid pattern with inline SKDM (Sender Key Distribution Message) prevents key distribution loss when new members join mid-conversation.
Sender Key · SKDM inline
The group's display name is sealed with a Group Metadata Key (GMK) shared only among members. The server stores the encrypted blob — operators see encryptedName: xKj9..., not "TEST CHANNEL".
Phase 8.8 · GMK rotation
Owner, Moderator, Member. Role transitions are signed by the existing owner and enforced cryptographically — the server can't grant or revoke roles, only relay the signed transitions. Moderation lives with the community, not the host.
Ed25519 signed roles
Channels that host NFT listings earn 50% of every marketplace fee — split on-chain by a PDA program, not by a platform policy. A creator economy that survives the platform owner because the rule lives on Solana.
PDA fee split · 50/50
SnowChat ships with a non-custodial Solana wallet derived from your recovery phrase via SLIP-0010 — the same hierarchical-deterministic standard hardware wallets use. Send, receive, and trade without leaving the chat.
Send SOL or SPL tokens to any contact directly inside the chat. The transaction is signed locally — the server never sees a private key.
SLIP-0010 · BigInt lamports
NFT listings and trades settled by a PDA-based on-chain program (Tensor-style escrow → PDA refactor). No off-chain custodian — the protocol enforces the swap.
Solana PDA · Anchor
50% of every marketplace fee flows back to the community channel that hosted the listing. Built into the program, not a policy the platform can revoke.
On-chain rule · 50/50 split
No phone number. No email. No PII. Your identity is your recovery phrase — recoverable on any device, untraceable from any account directory.
BIP-39 · 24 words
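How a 24-word BIP-39 phrase encodes 256 bits of entropy plus an 8-bit checksum, and why a mistyped phrase is rejected locally before any key is derived. This is an added example, not SnowChat's code; it works on word indices (0 to 2047) and leaves out the 2048-word list lookup, and the function names are chosen here for illustration.

```python
import hashlib
from typing import List

def entropy_to_indices(entropy: bytes) -> List[int]:
    """Map 32 bytes of entropy to 24 word indices, per BIP-39."""
    if len(entropy) != 32:
        raise ValueError("a 24-word phrase encodes exactly 32 bytes of entropy")
    checksum = hashlib.sha256(entropy).digest()[0]            # first 8 bits of SHA-256
    bits = (int.from_bytes(entropy, "big") << 8) | checksum   # 256 + 8 = 264 bits
    # 264 bits split into 24 groups of 11 bits, most significant group first.
    return [(bits >> (11 * (23 - i))) & 0x7FF for i in range(24)]

def indices_valid(indices: List[int]) -> bool:
    """Recompute the checksum from the entropy part and compare it to the trailing 8 bits."""
    if len(indices) != 24 or any(not 0 <= i < 2048 for i in indices):
        return False
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> 8).to_bytes(32, "big")
    return hashlib.sha256(entropy).digest()[0] == (bits & 0xFF)

if __name__ == "__main__":
    # Constructed input: all-zero entropy, the standard BIP-39 test case
    # ("abandon" x 23 followed by "art", i.e. index 0 x 23 then index 102).
    phrase = entropy_to_indices(bytes(32))
    print(phrase)
    print(indices_valid(phrase))
    # A single wrong final word changes the checksum bits and is rejected.
    print(indices_valid(phrase[:-1] + [103]))
```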
Voice calls use WebRTC peer-to-peer with native CallKit (iOS) / ConnectionService (Android) integration. Signaling is sealed and ephemeral; the audio stream is SRTP between devices. TURN relay via Cloudflare is fallback-only.
iOS uses PushKit + CallKit so incoming calls ring through the system UI even on a locked phone. On Android, a Self-Managed Telecom ConnectionService bypasses the keyguard for the same experience.
Call invite, answer, and ICE candidates all travel through the same Sealed Sender envelope as messages. The server doesn't see who is calling whom at the DB-row level.
One-tap voice notes recorded as WAV (PCM 16 kHz) and end-to-end encrypted alongside text and files. Playback inside the chat with TTL countdown for disappearing audio.
SnowChat ships as a single Docker Compose stack — server, Postgres, Redis. Deploy it inside your organization's perimeter and your messenger never crosses it. Government agencies, regulated industries, security-conscious enterprises — your data stays on your hardware, under your audit, with your branding.
Deploy the full SnowChat stack on your own Docker / Kubernetes / bare-metal infrastructure. Server, Postgres, Redis — all isolated within your network. No data leaves your perimeter, ever. Air-gapped environments supported.
Docker Compose · K8s manifest available
Custom domain, logo, app icon, in-app strings, app store listing. Rebrand SnowChat as your organization's official messenger. Fork the AGPL-3.0 client and ship as your own — or we handle the build pipeline for you.
Custom domain · Custom build
Full source access (client already public on GitHub under AGPL-3.0, server licensed separately for on-premise). Internal audit documentation, security review support, custom SLA available. Three internal cryptographic audits already passed.
Source disclosure · Custom SLA
Android: direct APK download (V1 production-signed). iOS: TestFlight beta — request access by email while public TestFlight is being set up.
Direct APK install. Modern Android (Galaxy S10+, Pixel 3+, equivalent). Requires "Install unknown apps" enabled for the source browser. Signed with the V1 production keystore — upgrades from previous V1 builds install in place; older signing keys require uninstall first.
Hosted on GitHub Releases · SHA-256 · 0539e57442aa23be011c5f4c2014be6e99930c4746b0a56598d0c68242cd52a1
Public TestFlight is being staged. To join the closed beta right now, email the address below — include the Apple ID (email) you want added as a tester. Invites are sent manually within 24 hours.
✓ TestFlight is Apple's own app for trying apps before they reach the App Store — free and completely safe.
✓ Signed with the V1 production key. Existing users upgrade in place — no data loss.