X Chat Launch Explained: Features, Security & What It Means for You

When Elon Musk bought Twitter back in 2022 and started talking about turning it into a "super app," most people assumed it was the kind of ambitious vague talk that Silicon Valley billionaires love to throw around. Four years later, that vision is starting to look a lot more real.

XChat, X's standalone encrypted messaging app, officially dropped on the iOS App Store on April 24, 2026. And within hours of launch, it was already making headlines. Some of those headlines were about the exciting new features. Others... were about security researchers practically yelling from the rooftops.

So what is XChat, does it actually deliver on its promises, and should you trust it with your private conversations? Let's dig in.

A bit of backstory: How we got here

This isn't something that appeared out of thin air. Musk first announced XChat in June 2025, describing it as being built from scratch using the Rust programming language with what he called "Bitcoin-style encryption." (We'll come back to why that phrase made security experts do a double-take.)

Internal testing kicked off in May 2025. In November 2025, X replaced its old direct messages system with an early version of Chat, rolled out to iOS and web users. It wasn't perfect - there were platform outages, bugs, and critics pointing at obvious security holes. But the bones were there.

By March 2026, XChat entered public iOS beta. Then, on April 24, the standalone app went live on the App Store - filling up initial TestFlight capacity within two hours of the announcement. The appetite was clearly there.

So what exactly does XChat do?

Here's the short version: it's essentially WhatsApp, but built into X. The longer version is more interesting.

  • End-to-end encryption: All messages encrypted by default (with caveats - read on)
  • Disappearing messages: Self-destructs like Snapchat, but for your DMs
  • Any file type: Documents, videos, audio - no restrictions on format
  • Audio & video calls: No phone number required - just your X account
  • Group chats: Up to 481 members, with joinable public links
  • Grok AI built in: Long-press any message and ask Grok about it
  • No ads, no tracking: That's the claim - the fine print tells a different story
  • Screenshot blocking: Block screenshots entirely, or get notified of attempts
 

The no-phone-number requirement is a genuinely big deal. WhatsApp and Signal both require a phone number to sign up. XChat only needs your X account. For people who'd rather not hand over their digits to yet another app, that's a real point of difference.

The Grok integration is clever too - you can long-press any message and select "Ask Grok" for context or analysis. Though there's a notable asterisk on this: Grok processes an unencrypted copy of the selected message, creating an intentional gap in the encryption model. Something to keep in mind before you use it on anything sensitive.

The "everything app" angle

XChat doesn't exist in isolation. It's one piece of Musk's larger vision to turn X into a Western equivalent of WeChat, the Chinese super app where you message friends, pay bills, order food, and book doctor's appointments, all without leaving a single platform. X Money (with Visa integration) is already in the works, and XChat is clearly being positioned as the channel through which peer-to-peer payments could eventually flow.

X also replaced its Communities feature this week in favour of Groupchat Links, a move that funnels group interaction directly through XChat. Communities are out. Group chats are in. The strategy is becoming pretty clear.

CONTEXT: WHAT MUSK ACTUALLY SAID IN 2022

"The goal of Twitter DMs is to superset Signal." That was the ambition Musk stated shortly after buying the platform. Three and a half years later, XChat is the product of that promise, though whether it actually surpasses Signal in security is a very different question.

Now for the part that should give you pause

Here's where things get uncomfortable. XChat launched with a lot of bold privacy marketing: "no tracking," "end-to-end encrypted," "your encrypted chats deserve their own app." Within hours of launch, security researchers had gone through the App Store privacy labels and the network traffic, and they didn't like what they found.

THE PIN PROBLEM

This is the big one. When you set up XChat, the app asks you to create a 4-digit PIN. This PIN is used to protect your private encryption key, but that key is stored on X's own servers, not on your device.

Let that sink in for a second. A 4-digit PIN has exactly 10,000 possible combinations. Security researcher Mysk demonstrated that anyone with backend access could brute-force every possible combination in minutes. And once they have the PIN, they can decrypt your entire message history, past and future.

"If we judge XChat as an end-to-end encryption scheme, this seems like a pretty game-over type of vulnerability."

— Matthew Green, Cryptography Professor, Johns Hopkins University

 

Compare this to Signal, where your private key never leaves your device. Ever. The philosophical difference is enormous - Signal's security relies on mathematics. XChat's security, as one security engineer put it, relies on "X's policies, not on math."
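
The arithmetic behind the PIN problem, as an added example (not XChat's code or protocol): a hypothetical wrapping scheme protects a constructed 32-byte key with a PBKDF2-derived key from a 4-digit PIN, and anyone holding the stored blob can walk the whole PIN space offline. The scheme, names, salt, key and the reduced iteration count are all assumptions chosen so the demo runs quickly.

```python
import hashlib
import hmac

def derive(pin, salt, iters):
    # 64 bytes of output: first half masks the key, second half authenticates it
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iters, dklen=64)

def wrap_key(secret, pin, salt, iters):
    """Hypothetical server-stored blob: masked key followed by an HMAC tag."""
    okm = derive(pin, salt, iters)
    masked = bytes(a ^ b for a, b in zip(secret, okm[:32]))
    return masked + hmac.new(okm[32:], masked, hashlib.sha256).digest()

def unwrap_key(blob, pin, salt, iters):
    """Return the key if the PIN is right, None otherwise."""
    okm = derive(pin, salt, iters)
    masked, tag = blob[:32], blob[32:]
    expected = hmac.new(okm[32:], masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(masked, okm[:32]))

def exhaust_pin_space(blob, salt, iters, digits=4):
    """Offline search available to whoever stores the blob: no rate limit applies."""
    for guesses, n in enumerate(range(10 ** digits), start=1):
        pin = f"{n:0{digits}d}"
        key = unwrap_key(blob, pin, salt, iters)
        if key is not None:
            return pin, key, guesses
    return None, None, 10 ** digits

# Constructed demo values (not real key material)
SALT = bytes(range(16))
SECRET = hashlib.sha256(b"constructed demo private key").digest()
ITERS = 100  # deliberately low for the demo; real cost scales linearly with this
BLOB = wrap_key(SECRET, "7391", SALT, ITERS)

if __name__ == "__main__":
    pin, key, guesses = exhaust_pin_space(BLOB, SALT, ITERS)
    print(f"recovered PIN {pin} after {guesses} guesses; key matches: {key == SECRET}")
```

Raising the iteration count only multiplies a 10,000-guess search by a constant. The secret needs more entropy, or guess limits have to be enforced somewhere the operator cannot bypass.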

X ADMITS IT ITSELF

Here's the remarkable part: X's own support page acknowledges that the current design could allow "a malicious insider or X itself" to compromise encrypted conversations. That's not a bug report from a security researcher; that's the company admitting it in its own documentation. Varun Badhwar, CEO of Endor Labs, called this "remarkable."

THE CERTIFICATE PINNING GAP

Research duo Mysk also found that the iOS app doesn't implement certificate pinning, meaning they were able to intercept and decrypt the app's network traffic during testing. This potentially allows X to reconstruct users' private keys, directly contradicting the core promise of end-to-end encryption.

NO FORWARD SECRECY

XChat also lacks what's called "forward secrecy," a feature that generates a fresh encryption key for every single message. Without it, if your private key is ever compromised, every message you've ever sent or received can be decrypted retroactively. Signal has had forward secrecy for over a decade. XChat doesn't have it at all.

THE METADATA ISSUE

Even if the message content were perfectly encrypted, the metadata (who you're talking to, when, and for how long) is a treasure trove in itself. Luke Dixon, an IT and data law expert, put it plainly: "Metadata reveals who you are communicating with, when, and for how long." None of that sits under XChat's encryption umbrella. From metadata alone, a detailed social graph can be constructed with minimal effort.

WHAT ABOUT THOSE PHOTOS YOU SEND?

There are also reports that XChat doesn't strip metadata from images before transmitting them. That means when you send a photo, your GPS coordinates and camera details travel along with it, even though the message body itself is encrypted. Your location might be exposed even when your words aren't.

SECURITY RESEARCHER VERDICT

Matthew Garrett, a well-respected open-source security expert: "If everyone involved is fully trustworthy, the X implementation is technically worse than Signal. And even if they were fully trustworthy to start with, they could stop being trustworthy and compromise trust in multiple ways."

The code is also not open source - unlike Signal, which publishes everything for independent verification. X says it plans to open-source the implementation eventually. Plans about tomorrow don't protect you today.

How does it stack up?

Feature                       XChat             Signal   WhatsApp
End-to-end encryption         Partial           Yes      Yes
Keys stored on device         No - on servers   Yes      Yes
Forward secrecy               No                Yes      Yes
Open source                   Not yet           Fully    No
No phone number needed        Yes               No       No
Disappearing messages         Yes               Yes      Yes
Independent security audit    None yet          Yes      Limited
Ads / tracking                Claimed none      None     Data to Meta

So should you use it?

That depends entirely on what you need it for. Here's a realistic breakdown:

Probably fine for

  • Casual conversations
  • Group chats with communities
  • Sharing memes and GIFs
  • Connecting with X followers
  • General file sharing

Avoid for

  • Sensitive personal matters
  • Journalist source protection
  • Activist or legal comms
  • Medical or financial details
  • Anything needing real E2E

Watch out for

  • GPS in photo metadata
  • Grok reading your messages
  • That 4-digit PIN trap
  • No Android app yet
  • Privacy label disclosures

The bigger picture

It's easy to dunk on XChat for its security gaps and, to be clear, those gaps are real and serious. But it's also worth recognising what this represents in the longer arc of social media.

For years, Twitter/X was a broadcast platform. You tweeted at the world. Now Musk is trying to make it a place where you also talk to people privately, pay friends money, and eventually do much more. The ambition is genuinely interesting. Whether the execution is trustworthy enough to earn that place in your life is a different question, and right now, the honest answer is "not quite yet."

The tech is promising. A Rust-based architecture, Libsodium cryptographic primitives, no phone number requirement: these are good foundations. But foundations aren't a house. Until X gets an independent security audit, makes the code open source, moves encryption keys off their servers, and adds forward secrecy, it's hard to call this a serious privacy-first platform.

As security researcher Matthew Garrett summed it up: the entire thing currently sits in "trust us, bro" territory. And for a messaging app that's asking you to share your private thoughts? That's a bar that needs to be cleared with math, not marketing copy.

Bottom line: XChat is a genuinely interesting product launch - feature-rich, nicely designed, and part of an ambitious super-app strategy. But if real privacy matters to you, stick with Signal for sensitive conversations while XChat matures. Come back in six months, see if they've published that audit, open-sourced the code, and fixed the PIN situation. That's when it'll be worth a proper second look.