Built by a man who can’t afford to trust.

Why this exists

Mass surveillance is no longer a future concern or a dissident’s paranoia. Multiple foreign intelligence services are actively ingesting ordinary people’s communications at population scale, decrypting what they can, and archiving the rest in cold storage for the day a pattern makes any one of those conversations interesting. It is documented. It is budgeted. It is accelerating. And the messengers that most people reach for as “the secure ones” are, one by one, failing to meet the moment.

Telegram has faced credible reports of compromise following the arrest of its founder Pavel Durov in France — whatever Telegram was before that arrest, a messenger whose custodian has been under judicial pressure is no longer one through which a careful person ships anything sensitive. Signal’s cryptographic design is genuinely solid, but reports have surfaced suggesting that its operational edges have been breached, and excellent math on a breached perimeter still leaks. WhatsApp and the rest of the closed-source Meta family cannot be audited at all: the source code is not public, the builds are not reproducible, the cooperation with governments is not disclosed. You cannot trust what you cannot read. Messenger MAX, the one option officially offered to users in the countries where the rest are blocked, has no end-to-end encryption worth the name — users are already reporting that they can see each other’s attachments and hear each other’s calls, which is mathematically impossible on a system that actually held the keys on the user’s device.

Disapp was designed from its very first commit for this threat model, not retrofitted to it. Post-quantum migration is on the wire-format roadmap from day one. Message bodies are sealed per recipient device with X25519 ECDH and AES-256-GCM. Device keys live in StrongBox / TEE where the hardware permits it and in non-extractable CryptoKey handles where it doesn’t. The server holds ciphertext and opaque wrappers; it cannot decrypt what it forwards, because the math does not allow it to. It was built this way because it was built by a man whose work puts him squarely on the list of people state actors would most like to compromise — and he had no intention of making that compromise easy.

That threat model was, on its own, reason enough to build Disapp. Then the personal stakes caught up.

One man. His family in America. A country he could not easily cross back into, and a country his family could not easily cross into either. For a long time, that was fine — there were messengers. WhatsApp, for birthdays. Signal, for the harder conversations. Telegram for the in-between. None of them perfect, but between them, a way to stay in the lives of the people he loved without asking anyone’s permission.

Then, one by one, the bridges came down. WhatsApp, blocked. Signal, blocked. Telegram, blocked. Every option he had used to say goodnight to his children closed in the space of a few news cycles.

What remained, officially, was Messenger MAX — and MAX was never going to reach his family anyway. It is not installed on American phones. It is not available in their app stores. For the specific problem of saying goodnight to his children across an ocean, the officially-approved tool offered neither privacy nor reach. The worst possible answer to the question that actually mattered.

He could hear his own voice saying the quiet part out loud: staying in touch with his own children had become a matter of what the state allowed. That is not a problem you fix with a feature request to someone else’s product. It is a problem you fix by building the product yourself, so that the decision about who may read your family’s messages is made by mathematics — not by a border crossing, not by a vendor, not by whoever runs the firewall this week.

Disapp is that tool. It exists because somebody had to build the messenger that ordinary people, in ordinary families, could still use to reach across hostile borders after every other option had been taken away. It is the product of a man who is not interested in trusting anyone — not an employer, not a government, not his own infrastructure — with the right to decide whether he gets to hear his family’s voices this week.

What we believe

• Cryptography should be the boring part. X25519 + AES-256-GCM + HKDF-SHA256 + ECDSA P-256. Battle-tested, no home-grown constructs, no “our own flavor of” anything.
• The server is a hostile party. Even if it’s ours. Especially if it’s ours. Plaintext never touches it; message bodies are sealed per-device before they hit the network.
• Hardware when we can get it. On Android, device keys live in StrongBox / TEE. On the web, non-extractable CryptoKey handles. Stolen databases stay sealed.
• Coercion is part of the threat model. Duress PINs open decoy vaults. Non-admin sessions can’t be silently promoted. Losing a phone shouldn’t lose a life.
• Compliance without surveillance. Regulated organizations can opt into client-side escrow — recoverable under warrant, without the server ever seeing plaintext. Off by default; on visibly when it’s on.
• If the math doesn’t permit it, we can’t do it. That includes reading your messages, decrypting your backups, or — as we’ve been asked, more than once — turning any of that on quietly for one user.

How we work

The wire format is published. The Android client is signed with keys we don’t hand out. The backend is a single Go binary whose source tree is open to third-party audit; nothing about the crypto happens on it. Clients do the sealing; the server moves opaque bytes and keeps a hash-chained audit log nobody can silently rewrite.

We don’t collect telemetry beyond what it takes to rate-limit abuse. We don’t sell anything. We don’t share anything. We don’t have most of what surveillance vendors would want. See the Privacy page for the full list.

Who we are

Disapp is led by a man whose name moves through certain rooms without needing an introduction. Two decades in applied security, platform engineering and the quieter corners of the industry have earned him a small circle of allies and a long list of governments who have, publicly and privately, failed to find the data he chose not to give up.

He did not take on this work to be popular. He took it on because a tool that lets ordinary families stay in touch across hostile borders was going to be built by someone, and the alternatives were people whose interests are less aligned with yours. The quiet calculus of his career has taught him a set of assumptions the world does not reward you for saying out loud: that any server an adversary can reach, an adversary eventually does reach; that any key a vendor can hold, a vendor can be compelled to surrender; and that the only durable protection is cryptographic, not political. Disapp is built on those assumptions from the first line of code.

He does not look for enemies. He has, however, long since stopped being surprised when they find him. The tools that outlast a regime are never the ones that assume good faith — they are the ones built by people who know precisely how good faith is compromised, and who designed around that from the beginning.

If you’d like to reach the team for something non-sensitive, there’s a mailbox at hello@disapp.io. For security disclosures, follow the protocol in our security.txt.