Encrypted.
Peer‑to‑peer.
Yours.

SecureComm is a P2P-first encrypted messenger. Messages, calls, and files flow directly between devices over WebRTC — no relay reads them, no server stores them. Your keys never leave the browser.

Install for Android

securecomm-…apk·— MB

Sideload APK · Android 9.0+ · arm64-v8a default

Other ABIs: arm64 · armv7 · x86_64

Protocol: Double Ratchet; ECDH P-256 + ML-KEM-768 hybrid
Transport: WebRTC DataChannel; signaling → relay fallback
Group fan-out: Sender-key · HMAC-SHA-256 · AES-256-GCM
Recovery: WebAuthn passkeys · Ed25519
Source: AGPL · self-hostable

Sideload—release

What you get

Built for people who don't want to trust a server.

01E2E

End-to-end encrypted

Per-message forward secrecy via Double Ratchet. AES-256-GCM bulk. ECDSA-signed envelopes. Audited primitives only.

02P2P

Peer-to-peer first

Direct WebRTC DTLS between devices. Signaling and relay only carry blobs they can't decrypt. Falls back gracefully behind NAT.

03PQ

Post-quantum hybrid

ML-KEM-768 layered with classical ECDH so today's traffic stays safe even if quantum hardware lands tomorrow.

04Yours

Recoverable, not custodial

Hardware passkey recovery via WebAuthn. No central key escrow. Lose your device, keep your identity.

Installing

Three steps. No store, no ads, no telemetry.

Download the APK

Tap Install for Android above on your phone. The browser will ask if you want to keep the file — accept.

Allow sideload

Open the downloaded APK. If Android blocks it, grant Install unknown apps for your browser, then retry.

Open SecureComm

First launch creates a fresh identity. Pair your passkey in Settings → Recovery so you can restore on any device.

Verify before installing

Trust math, not us.

Version: — · build —
APK URL: —
SHA-256: —
Signing cert: 24:DD:02:09:D8:0D:C5:0D:5A:75:F2:03:98:6A:FA:40:11:FB:F8:90:6D:B0:75:25:4E:96:2F:C0:7D:60:B2:51

# verify after download
$ shasum -a 256 securecomm-*.apk
# expected:
$ —