Is XChat Safe? A Security Review for Everyday Users

Elon Musk’s XChat launches on April 23, 2026. It promises end-to-end encryption, no ads, and no tracking. But is it actually safe?

The short answer: XChat is probably safe for everyday chats. It’s not the right tool for high-stakes secrets yet. Here’s why.

This review covers what we know so far from public sources and the Apple App Store listing. It will be updated after launch with hands-on testing.

The 60-second version

Here’s the quick version if you don’t want to read the whole thing:

• Good: End-to-end encryption on by default. Built in Rust (a safer language). No ads or tracking in the app.
• Unknown: The encryption protocol hasn’t been published or audited.
• Concerning: XChat may collect metadata (contact info, search history, identifiers) per Apple’s App Store disclosure.
• Verdict: Fine for daily life. For journalists, activists, and whistleblowers, use Signal instead.

Now the full breakdown.

What XChat claims

X Corp markets XChat with three main privacy promises:

• End-to-end encryption for all messages and calls
• No ads inside the app
• No tracking of user behavior

These are meaningful claims. Most messaging apps don’t offer all three. But “claims” and “proof” are different things.

Let’s look at each one.

Is the encryption real?

Yes, as far as we can tell.

XChat uses end-to-end encryption by default. This means your messages are scrambled on your device before they leave. Only the recipient’s device can unscramble them. Not X Corp. Not its servers. Not law enforcement with a warrant to X’s servers.

This is a big deal. Telegram doesn’t do this by default. iMessage only does it between Apple devices. XChat does it for every chat, every time.

But here’s the catch. The exact encryption protocol hasn’t been published. No outside security researcher has audited it.

That’s a problem.

Why the audit matters

Signal Protocol — used by Signal and WhatsApp — has been audited multiple times since 2014. Cryptography researchers have tried to break it. None have found serious flaws.

XChat’s protocol is new. No audits have been done. We don’t know:

• How keys are exchanged between devices
• How forward secrecy works (protecting past messages if a key leaks)
• How the app handles key verification (preventing man-in-the-middle attacks)
• What happens when you log in from a new device

These are the exact questions security researchers ask. Without answers, “we use end-to-end encryption” is a claim, not a proof.

This doesn’t mean XChat is broken. It means we can’t verify it yet. For most users, that’s probably fine. For users with real threat models, it’s not.

The metadata problem

Encryption protects message content. It doesn’t protect metadata.

Metadata is the data about your data:

• Who you message
• When you message them
• How often
• From what location
• How long your calls last

Apps can see all of this even when they can’t read messages.

Now here’s where XChat gets messy.

Per Apple’s App Store data disclosure, XChat may collect:

• User identifiers (account IDs)
• Contact info (email, phone if provided)
• Search history within the app
• Diagnostic data (crash reports, performance)
• Device info (model, OS version)

This data may be linked to your identity per Apple’s disclosure.

X Corp says it doesn’t use message data for ads. But that’s not the same as saying it doesn’t collect metadata.

For comparison:

• Signal collects almost nothing — not even your contact list
• WhatsApp collects contact info and metadata but not messages
• Telegram collects contact info, IP addresses, and more
• XChat appears to land somewhere in the middle

This isn’t a dealbreaker for most people. But it’s worth knowing.

Rust: a real security win

Most messaging apps are written in C, C++, or Objective-C. These languages are fast but prone to memory bugs. Memory bugs can lead to serious security issues — things like buffer overflows and use-after-free attacks.

XChat is built in Rust. Rust is designed to prevent most memory bugs at compile time. You literally can’t ship a Rust app with certain classes of vulnerabilities.

This is a genuine security advantage. It doesn’t mean XChat is unhackable. But a whole category of common attacks is much harder.

Signal is written in Java (Android) and Swift (iOS), both safer than C but less safe than Rust. WhatsApp is C++. iMessage is a mix. By programming language choice alone, XChat has a leg up.

The screenshot blocking feature

XChat claims to block screenshots of chats inside the app. This is a privacy feature iMessage doesn’t have.

How it works: when someone tries to screenshot a chat, XChat shows a blank or warning screen. Similar to how some banking apps block screenshots of account screens.

Caveat: Screenshot blocking doesn’t stop someone from taking a photo of the screen with another device. It also doesn’t work if someone screen-records before opening XChat. It’s a speed bump, not a wall.

Still, it’s more privacy control than most apps offer.

Disappearing messages

XChat supports disappearing messages that vanish after 5 minutes, according to the App Store listing.

This is useful for:

• Sharing passwords temporarily
• Quick location shares
• Conversations you don’t want saved

Signal and Telegram offer similar features with more custom timing (seconds to days). XChat’s 5-minute default is shorter than most.

One concern: disappearing messages don’t protect against screen recording or a motivated attacker. They’re for low-threat privacy, not high-threat security.

The X account problem

To use XChat, you need an X (Twitter) account. This has security implications.

If your X account is hacked, your XChat could be too. An attacker with access to your X login may be able to log into XChat on their device.

How XChat handles account recovery and device registration isn’t clear yet. Signal, for comparison, has a well-documented “Safety Number” system to verify when someone logs in on a new device. We don’t know XChat’s equivalent.

Also remember: X has had security issues. In 2025, X reportedly had a major data breach affecting 200 million records. Your XChat security depends in part on X’s security.

The “Bitcoin-style encryption” claim

Musk has called XChat’s encryption “Bitcoin-style.” This phrase has raised eyebrows among security experts.

Bitcoin and messaging use encryption very differently. Bitcoin uses cryptography to sign transactions, not to encrypt private conversations. Saying an app uses “Bitcoin-style encryption” isn’t meaningful on its own.

It’s probably just marketing language. But it doesn’t help XChat’s credibility with people who know cryptography.

The real test: publish the protocol. Let outside experts examine it. Until then, “Bitcoin-style” is just words.

Who XChat is safe enough for

Based on what we know today:

For the second group, the answer stays Signal. It has audited encryption, minimal metadata collection, and a non-profit structure. XChat may get there eventually, but it’s not there yet.

Open questions we’ll answer after launch

Once XChat launches, we’ll test and update this review to cover:

• Does XChat actually prevent screenshots reliably?
• How does it handle multiple devices per account?
• What happens if you lose your phone and need to recover?
• How are encryption keys verified between contacts?
• Does the app leak any data to X Corp servers when sending messages?
• What does the protocol look like when analyzed with network tools?

These answers will shape the real security picture.

The honest bottom line

XChat is a reasonable choice for everyday privacy. It’s better than default Telegram. It’s comparable to WhatsApp for basics. It’s weaker than Signal for serious security.

The biggest risk isn’t the encryption — it’s the unknowns. X Corp is a young company in the messaging space. Their track record on privacy is short. Their encryption hasn’t been audited. Their metadata practices aren’t fully clear.

For most people, these unknowns don’t matter. You’ll use XChat to message friends. It’ll be fine.

For the small number of people with real security needs, wait. Let security researchers look at XChat. Let audits happen. Let time tell us if the promises hold up.

In the meantime, we’ll keep testing and updating this review.

Sources

This article draws on public reporting, the Apple App Store listing, and general cryptography principles. Key sources:

• XChat launch date and features overview — Business Today, April 2026
• XChat built in Rust with Bitcoin-style encryption — TweakTown, April 2026
• XChat privacy claims vs reality analysis — AtomicMail, 2026
• XChat App Store data disclosure and privacy claims — AlternativeTo, April 2026
• XChat disappearing messages and App Store listing details — BigGo Finance, April 2026
• XChat security concerns and threat-actor discussion — SOCRadar, April 2026
• X Corp 200M data breach context — Techpoint Africa, 2025
• Signal Protocol and encryption standards — NetCrook, 2024

All claims about XChat’s encryption and data practices are based on public sources as of April 17, 2026. This review will be updated after XChat’s public launch on April 23, 2026 with hands-on testing.

Related reading

• What is XChat? A complete guide
• XChat vs Signal: Which is actually more private?
• XChat vs WhatsApp
• How to download XChat