On Friday afternoon, X officially launched XChat, the company’s proprietary chat app. Unlike other chat app options like WhatsApp, Telegram or Signal, you need an X account to use XChat, which limits the user base to a specific social media platform. X users with a large enough social circle on the platform may find this new app useful, but XChat comes with some security contraindications that all new users should be aware of.
XChat is the standard chat application for X users
XChat’s biggest selling point, besides being a place for X users to communicate, is that it is end-to-end encrypted. As the app reminds you at setup, this encryption means there’s no way for anyone—including X—to read the contents of your messages. Only the sender and recipient (or receiver) of an encrypted message have the ability to open and read it. In fact, XChat sets you up with a passcode before proceeding to the actual app.
Once the app boots up, you’ll see all your X DMs organized just like you’d expect from any standard chat app. However, it doesn’t seem like the encryption applies to previous chats: once you send a new message, you see a warning that says “This conversation is now end-to-end encrypted.” Like other chat apps, you can send audio recordings, GIFs, files, photos, or take new pictures with the camera. By clicking on a recipient’s profile picture, you can view their profile and shared media, plus customize the chat a bit. You can set a nickname, block screenshots, or turn on disappearing messages so that chats disappear after a certain period of time.
A decent level of customization is available at the app level as well. There are standard light and dark themes, but you can also choose whether swiping left on a message “likes” it or reveals information, such as when the message was sent, whether it was encrypted, or when the recipient saw it. You can also choose from eight different chat app icons, which I always appreciate.
What do you think so far?
XChat is not as private as it seems
I’m all for adding end-to-end encryption to X DMs, so there’s some good stuff going on here. But it’s a bit alarming that a messaging app advertising a private experience with “no tracking” actually scrapes a number of data points and links them back to your identity. XChat’s app privacy page shows that the app reserves the right to take your contact information, contacts, identifiers, device diagnostics and usage data and link that information directly to you.
One of them is a big improvement What the app was carrying when it was first announcedThis includes things like location, search history, and user content. Maybe X adjusted this after facing pushback, but it rubs me the wrong way that a “private” chat app would still take this much data. Even if you only care about end-to-end encryption, you can be sure that X isn’t reading your messages.
