Every smartphone shares fundamental architectural weaknesses that cannot be patched away. The attack surface isn't a bug. It's the design. Even "hardened" phones like GrapheneOS or the Purism Librem 5 merely isolate the threats rather than eliminate them.
Every smartphone contains a secondary computer running proprietary firmware with DMA access to main memory. The BASECOMP study (USENIX Security '23) found 29 critical vulnerabilities in Samsung and MediaTek baseband firmware. BaseMirror uncovered 873 undisclosed commands and 8 zero-days in Samsung Exynos devices. Even the Purism Librem 5 merely isolates the baseband on a separate M.2 card connected via USB. The Bittium Tough Mobile 2C, a EUR 2,000 NATO-certified device, still runs on a Qualcomm Snapdragon with an integrated baseband. No smartphone eliminates this attack vector. SimpleGo has no baseband processor at all.
A modern smartphone runs approximately 50,000,000 lines of code across OS, drivers, and background services. Hundreds of processes run simultaneously with network access. Telemetry is continuous and unavoidable. Even GrapheneOS or CalyxOS cannot eliminate the fundamental complexity of a general-purpose computer pretending to be a secure communications device. The criminal encrypted phone networks (EncroChat with 60,000 users, Sky ECC with 170,000 users, FBI honeypot ANOM) were all compromised because they ran on modified Android or BlackBerry smartphones. SimpleGo runs approximately 50,000 lines of auditable C code on a single-purpose microcontroller.
Even with end-to-end encryption, smartphones leak metadata: who you talk to, when, how often, your location, your contacts graph, your behavioral patterns. As former NSA General Counsel Stewart Baker stated: "Metadata absolutely tells you everything about somebody's life." Standard E2E protocols like Signal protect message content, but the servers still know exactly who is communicating with whom. SimpleX is the only messaging protocol where relay servers cannot determine sender-recipient relationships, because communication happens through ephemeral unidirectional queues with no user identifiers of any kind.
"What you did is impressive. It seems like you're the first third-party SMP implementation." (Evgeny Poberezkin, Founder & Lead Developer, SimpleX Chat)
SimpleGo implements the complete SimpleX Protocol with seven independent encryption layers. Four nested cryptographic envelopes protect every single message, traveling through three separate TLS 1.3 tunnels via two relay servers. Content is padded to fixed 16KB block sizes at each layer. No other messaging protocol or hardware device implements anything comparable.
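The fixed-size padding mentioned above, as an added example (not SimpleGo's or SimpleX's own code): a pad/unpad pair for one 16KB block, applied before encryption so that every ciphertext has the same length regardless of message size. The 2-byte big-endian length prefix, the '#' filler byte and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 16384u  /* 16KB block size stated on the page */
#define LEN_PREFIX 2u      /* assumed: 2-byte big-endian length prefix */
#define PAD_BYTE   '#'     /* assumed filler byte */

/* Pad msg into out[BLOCK_SIZE] before encryption.
 * Returns 0 on success, -1 if the message does not fit in one block. */
int pad_block(const uint8_t *msg, size_t len, uint8_t out[BLOCK_SIZE])
{
    if (len > BLOCK_SIZE - LEN_PREFIX)
        return -1;  /* reject: never truncate, never emit a larger block */
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xff);
    if (len)
        memcpy(out + LEN_PREFIX, msg, len);
    memset(out + LEN_PREFIX + len, PAD_BYTE, BLOCK_SIZE - LEN_PREFIX - len);
    return 0;
}

/* Recover the message from a decrypted block.
 * Returns the message length and sets *msg, or -1 if the block is malformed. */
long unpad_block(const uint8_t *blk, size_t blk_len, const uint8_t **msg)
{
    if (blk_len != BLOCK_SIZE)
        return -1;  /* a block of any other size is invalid by definition */
    size_t len = ((size_t)blk[0] << 8) | blk[1];
    if (len > BLOCK_SIZE - LEN_PREFIX)
        return -1;  /* length field points past the end of the block */
    *msg = blk + LEN_PREFIX;
    return (long)len;
}

int main(void)
{
    static uint8_t blk[BLOCK_SIZE];
    const uint8_t *m;
    if (pad_block((const uint8_t *)"hello", 5, blk) != 0)
        return 1;
    return unpad_block(blk, sizeof blk, &m) == 5 ? 0 : 1;
}
```

The length check in `unpad_block` matters because the prefix is attacker-influenced data until the enclosing layer has authenticated it; decrypt and verify the envelope first, then unpad.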
Each message sent through SimpleX is wrapped in four independent cryptographic envelopes before reaching the transport layer. Every envelope serves a distinct defensive purpose, and each one uses different keys, different algorithms, and different nonces. Compromising one layer does not weaken any other.
Layer 1: Double Ratchet E2E. The innermost layer provides end-to-end encryption with perfect forward secrecy and post-compromise security. It uses X3DH key agreement with Curve448, AES-256-GCM for message encryption, and a new symmetric key for every single message. Since SimpleX v5.6, this layer is augmented with hybrid post-quantum key exchange using CRYSTALS-Kyber and Streamlined NTRU Prime for protection against future quantum computers.
Layer 2: Sender to Destination Relay. A per-queue NaCl cryptobox (X25519 + XSalsa20-Poly1305) unique to each message queue. This layer prevents traffic correlation between different queues if the TLS tunnel to the destination relay is compromised. Each queue has its own independently generated X25519 keypair.
Layer 3: Destination Relay to Recipient. An additional NaCl encryption layer between the destination relay server and the recipient, preventing the server from correlating incoming messages with outgoing deliveries even if TLS is compromised.
Layer 4: Forwarding Relay to Destination (Onion). Since SimpleX v5.8, messages travel through two relay servers using onion-style routing. The forwarding relay encrypts toward the destination relay, creating a 2-hop path where neither relay has a complete picture. This is what SimpleX calls Private Message Routing (PMR), and it prevents relay servers from constructing communication graphs based on IP addresses.
| Aspect | Smartphone | SimpleGo Device |
|---|---|---|
| Codebase Size | ~50,000,000 lines (Android/iOS) | ~50,000 lines (auditable C) |
| Baseband Processor | Closed-source, DMA access, always active | None. Eliminated by design. |
| Operating System | Android/iOS (general-purpose, 100s of services) | FreeRTOS bare-metal (single-purpose firmware) |
| Background Services | Hundreds with network access, telemetry | Single application, zero telemetry code |
| User Identity | Phone number, IMEI, Apple/Google ID, SIM | None. SimpleX Protocol has no user identifiers. |
| Encryption Layers per Message | 2 (E2E + TLS) | 7 (4 application envelopes + 3 TLS tunnels) |
| Metadata Protection | Minimal. Server sees sender + recipient. | Complete. No party can correlate communicants. |
| Key Storage | Software keychain or single TEE | Hardware Secure Elements (up to 3 vendors) |
| Tamper Detection | None or verified boot only | Active monitoring + sub-microsecond zeroization (Tier 2/3) |
| Message Storage | SQLite on phone flash, app sandbox | AES-256 encrypted MicroSD, PIN-protected, portable |
| Contact Capacity | Unlimited (phone resources) | 150+ contacts (520 bytes ratchet state each) |
| Disposability | Impractical ($500+, identity-bound) | Designed for it (from EUR 100, no identity) |
After exhaustive research across more than 70 devices and platforms spanning consumer, military, criminal, DIY, and mesh-networking domains, the maximum feature overlap found in any single device is three out of six. SimpleGo targets all six.
Four independent cryptographic envelopes around every single message, each using different keys and algorithms. No hardware device implements SimpleX Protocol's triple-layer architecture, let alone the full 4+3 stack. The maximum found in any existing device was two layers (Meshtastic v2.5+ or GSMK CryptoPhone).
No Android, no iOS, no Linux, no general-purpose OS. SimpleGo runs directly on FreeRTOS with a single-purpose firmware. Approximately 50,000 lines of C code compared to 50 million in a smartphone. Every line is auditable. The entire firmware compiles from source in under 60 seconds.
No baseband processor. Not isolated. Not firewalled. Not on a separate bus. Simply not present. The ESP32-S3 and STM32U5 microcontrollers have no cellular modem at all. Network connectivity is provided through WiFi, and optionally through external 4G/5G or LoRa modules that are electrically separate from the crypto engine.
SimpleX Protocol uses no phone numbers, no usernames, no cryptographic keys as identity, no accounts, and no central directory. Communication happens through ephemeral unidirectional message queues. A factory reset produces a cryptographically unrelated device. There is nothing to subpoena.
The Tier 3 Vault uses secure elements from three different manufacturers: Microchip ATECC608B, Infineon OPTIGA Trust M, and NXP SE050. This concept has never appeared in any commercial product, military device, or academic prototype. The NinjaLab "Eucleak" attack (2024) proved that even EAL5+-certified chips from a single vendor can harbor critical flaws for 14 years.
Every line of firmware code is published under AGPL-3.0. Every PCB trace is documented under CERN-OHL-W-2.0. No binary blobs. No proprietary modules. The entire device can be built from source by anyone with a compiler and a soldering iron. Security through transparency, not through obscurity.
Different threat models require different levels of protection. The same firmware runs across all tiers. Security features activate based on detected hardware capabilities. All devices are fully functional messaging devices from day one. Made in Germany.
Tier 1 DIY. Threat model: Protection against casual surveillance, mass data collection, and opportunistic adversaries. You buy the development board yourself, flash SimpleGo firmware via our web tool, and have a working secure messenger within minutes.
Target audience: Developers, privacy enthusiasts, tinkerers, security researchers. Anyone comfortable buying a development board and flashing firmware. Full source code access. Community-driven development.
Tier 2 Secure. Threat model: Protection against skilled adversaries with physical access and equipment. Journalists, lawyers, activists, corporate executives, human rights workers operating in hostile environments. A production-ready device that you use out of the box.
Target audience: Professionals who need strong physical security without understanding the technology. Journalists in hostile countries, lawyers handling sensitive cases, corporate security teams, NGO workers, whistleblowers. A device that protects you even if someone takes it from your hands.
Tier 3 Vault. Threat model: Protection against state-level adversaries with physical access, lab equipment, and unlimited time and resources. Comparable to military-grade TEMPEST devices, but fully open source and without identity binding.
Target audience: Heads of state, intelligence professionals, defense contractors, ultra-high-net-worth individuals, organizations operating under direct state-level threat. People who need the absolute maximum achievable security in a communications device and are willing to pay for it.
SimpleGo is in active development across 35+ engineering sessions. The Tier 1 firmware is functional today with bidirectional encrypted messaging between ESP32 and the official SimpleX Chat app. Here is exactly what works, what is in progress, and what comes next.
Security through obscurity is no security at all. Every line of SimpleGo code is publicly auditable. Every PCB trace will be documented. Trust is earned through transparency, not promised through marketing. The goTenna Pro X2 (a closed-source military messenger priced at $1,000-$2,000) had four critical vulnerabilities disclosed by CISA in 2024 including unauthenticated public key manipulation. Open source prevents this.
Firmware (AGPL-3.0): Copyleft license aligned with SimpleX Chat. All derivatives and network service modifications must remain open source. Fork it, audit it, improve it.
Hardware (CERN-OHL-W-2.0): CERN Open Hardware License. Schematics, PCB layouts, bill of materials. Build your own device from scratch with off-the-shelf components.
The Tier 1 DIY firmware is functional now. Buy a LilyGo T-Deck Plus, flash the firmware through your browser, and start messaging securely with anyone running the SimpleX Chat app. No account required. No phone number. No identity.
SimpleGo offers three tiers of dedicated secure communication devices, each implementing the SimpleX Messaging Protocol natively on embedded hardware without any smartphone operating system or cellular baseband processor. The firmware implements seven independent encryption layers: four nested cryptographic application envelopes (Double Ratchet E2E with X3DH and optional post-quantum Kyber/NTRU, per-queue NaCl cryptobox, server-to-recipient NaCl, and forwarding-to-destination onion routing) traveling through three separate TLS 1.3 tunnels via two relay servers.
Tier 1 DIY is the entry-level device for developers and privacy enthusiasts, available from 100 Euro. Built on the LilyGo T-Deck Plus with ESP32-S3 processor, it features a 2.8 inch display, full QWERTY keyboard, WiFi connectivity, MicroSD card slot supporting up to 128GB of AES-256-GCM encrypted chat history, 150+ contact support, delivery receipts, and the complete SimpleGo firmware. The device can be flashed via a browser-based web tool within minutes.
Tier 2 Secure is the mid-range production device at 500 to 1500 Euro. It uses a custom PCB with STM32U585 ARM Cortex-M33 main processor featuring TrustZone hardware isolation, ESP32-C6 WiFi 6 module electrically separated from the crypto engine, dual-vendor secure elements from Microchip ATECC608B and Infineon OPTIGA Trust M, active tamper detection with automatic key zeroization, and a CNC-milled aluminum enclosure hand-assembled in Germany.
Tier 3 Vault is the premium device from 1500 to 15000 Euro. It features triple-vendor secure elements from three different manufacturers (Microchip, Infineon, NXP), the Maxim DS3645 tamper supervisor with sub-microsecond key destruction, epoxy-potted CNC aluminum enclosure with TEMPEST-aware RF shielding, premium AMOLED display, optional 5G NR and satellite connectivity, and a firmware path to CRYSTALS-Kyber post-quantum cryptography. The Vault implements all six security features that no existing device has ever combined: multi-layer per-message encryption, bare-metal firmware, no baseband processor, no persistent identity, triple-vendor secure elements, and fully open source code.