End-to-end encrypted messaging on a relay you control.

No central server. No cloud vendor. No data collection. The code is yours to audit, the relay is yours to run.

⚠ Pre-release alpha. Cryptography not yet independently audited. Not recommended for high-stakes use.

How it works

1. Keys stay on your phone

When you install Kobra Messenger, it generates a Curve25519 keypair directly on your device, protected by the Android KeyStore (StrongBox / TEE when available). Private keys never leave your phone.

2. Add contacts by QR

Scan your friend's QR code in person (or share it via any trusted channel). Kobra uses X3DH — the same asynchronous key agreement as Signal — to establish a forward-secret session.

3. Ciphertext via a relay you run

Messages are encrypted with the Double Ratchet and AES-256-GCM before touching the network. They travel through a relay you self-host — it sees opaque bytes addressed to anonymous hashes. Nothing more.

What your relay can see (and what it cannot)

✓ It sees

  • Opaque ciphertext bytes passing between inboxes
  • Pseudonymous inbox IDs (SHA-256(public_key))
  • IP addresses of connected clients (your VPS provider sees this anyway)
  • Connection timing and packet volume

✗ It cannot see

  • Message content (encrypted end-to-end)
  • Human identities (there is no phone number, email, or username)
  • Your contact list
  • Message metadata (TTL, type — they travel inside the ciphertext)
  • Your private keys

If a relay operator wanted to target a specific person, they would need to compromise both the relay and that person's phone. Running your own relay means you are the only operator — so this threat reduces to someone compromising your phone directly, which is no worse than using any other messaging app.
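The relay's view described above, as an added Node.js example (not Kobra's code): it derives an inbox ID as SHA-256 of the public key, seals TTL and type inside AES-256-GCM, and returns what an operator could log. The envelope layout, the field names, the hex encoding and the random stand-in for a Double Ratchet message key are assumptions.

```javascript
// Added illustration, not Kobra's code: envelope layout and field names are assumptions.
const crypto = require('node:crypto');

// Inbox ID as the page states it: SHA-256 over the public key.
// Assumption: the hash covers the raw 32-byte X25519 key and is hex-encoded.
function inboxId(publicKey) {
  const raw = publicKey.export({ format: 'jwk' }).x; // base64url of the 32 raw bytes
  return crypto.createHash('sha256').update(Buffer.from(raw, 'base64url')).digest('hex');
}

// Sender side: TTL and type go inside the plaintext, so they are encrypted too.
// messageKey stands in for a 32-byte Double Ratchet message key.
function seal(messageKey, recipientPub, body, ttlSeconds, type) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', messageKey, iv);
  const inner = Buffer.from(JSON.stringify({ type, ttl: ttlSeconds, body }));
  const ct = Buffer.concat([cipher.update(inner), cipher.final()]);
  return { to: inboxId(recipientPub), blob: Buffer.concat([iv, ct, cipher.getAuthTag()]) };
}

// Relay side: everything an operator could log from one envelope.
function relayView(envelope, remoteIp) {
  return { to: envelope.to, bytes: envelope.blob.length, ip: remoteIp, at: Date.now() };
}

// Recipient side: only the key holder recovers type, TTL and body.
// A modified blob fails the GCM tag check and throws.
function unseal(messageKey, envelope) {
  const b = envelope.blob;
  const d = crypto.createDecipheriv('aes-256-gcm', messageKey, b.subarray(0, 12));
  d.setAuthTag(b.subarray(b.length - 16));
  const pt = Buffer.concat([d.update(b.subarray(12, b.length - 16)), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample run: one message, one relay log record.
function demo() {
  const { publicKey } = crypto.generateKeyPairSync('x25519');
  const key = crypto.randomBytes(32); // constructed stand-in key
  const env = seal(key, publicKey, 'meet at 6', 60, 'text');
  return { env, key, seen: relayView(env, '203.0.113.7'), opened: unseal(key, env) };
}
```

The byte count in the relay record still tracks plaintext length, which is the "packet volume" item in the list of what the relay sees.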

What's in the app today

  • Hardware-backed identity keys (StrongBox / TEE)
  • PIN unlock with Argon2id hashing (64 MiB / 3 iters)
  • Biometric unlock for daily convenience
  • Weekly PIN re-authentication to catch forgotten PINs
  • Duress PIN that silently wipes everything
  • FLAG_SECURE — no screenshots, no recents preview
  • Disappearing messages (per contact, 1 min → 1 week)
  • Wizz alerts with 60-second anti-spam cooldown
  • QR-based contact exchange, no server lookup
  • Push notifications with optional content hiding
  • SQLCipher-encrypted local database
  • No ads, no tracking, no telemetry

Self-host in 10 minutes

The relay is a 150-line Node.js server you can read in five minutes. Three ways to deploy it:

Docker + Caddy

One command brings up the relay and an auto-TLS reverse proxy.

cd relay
docker compose up -d

Bare-metal installer

For Raspberry Pi OS or an Ubuntu VPS. The script is readable and auditable (use --check for a dry run).

sudo ./install.sh your-domain.com

Manual

If you prefer full control. Node.js 18+, 150 LOC to read, no magic.

cd relay
npm install
npm start

Recommended hosts: Hetzner CX22 (€4.51/month, France or Germany), OVH VPS Starter (€3.50/month, France), or your own Raspberry Pi 4 at home. Full operator guide on GitHub.

Download

Current version: 0.4.1-alpha

Kobra Messenger is an independent project by BlackBeardAI. It has not yet been audited by a third-party security firm. Until that happens, use it for learning, testing, and low-stakes conversations. If your life or safety depends on a secure channel, rely on battle-tested tools (Signal, Wire) until Kobra completes its audit roadmap.

Support the project

Kobra Messenger is funded by donations. No ads, no investors, no data sale.

What donations go toward