Briar

Briar is the hostile-network-conditions P2P messenger — an Android-primary application that routes messages directly between phones over Tor when you have internet, and over local Bluetooth or Wi-Fi when you don't, with no central server in the trust path. Listed at Grade A because Briar occupies a structural category-of-one: it's the only consumer messenger designed to keep working when the internet is cut off, the only one where the trust model genuinely eliminates the "operator infrastructure" surface that even SimpleX and Cwtch retain in their queue-server or onion-coordinator layers.

Background. Briar was developed by the Briar Project — a not-for-profit organisation based in the UK — with research roots in the University of Cambridge's distributed-systems research and funding from the Open Technology Fund, NLnet, and individual donations. The project has been in active development since 2014, with a stable Android release since 2018. Designed explicitly around the threat model of journalists, activists, and human-rights workers operating under censored or surveilled networks — the use case is "communicating when the government has shut down the internet" rather than "convenient daily messaging." Open source under GPLv3; codebase at code.briarproject.org/briar/briar. Distribution: F-Droid (canonical), Google Play (signed identical APK), direct APK download from briarproject.org. Desktop client: in beta for Linux at this writing (briar-desktop), Android remains the primary platform.

What you trust. No central server — Briar messages never touch a Briar-operated server because there is no Briar-operated server. Tor over internet — when you have working internet, the application opens .onion connections between your phone and your contact's phone; the message stays inside the Tor network end-to-end. Bluetooth + Wi-Fi mesh for offline — when the internet is down or you're physically near another Briar user, messages route over local Bluetooth or Wi-Fi Direct between the devices; no internet involvement. Identity is a public key — your "account" is a cryptographic identity stored on your phone; there is no email, no phone number, no centralised directory. Contact addition is in-person or via secure side channel — you exchange your contact's public key via QR code in person, or via an existing secure channel like Signal, or via a "remote contact" workflow that requires a separate secure introduction. Forward secrecy + end-to-end encryption — every message is encrypted with per-session keys derived from the contact's public key; compromise of one message doesn't compromise the conversation history. No PFS for old messages — messages stored on-device are encrypted with a database key derived from your passphrase; if your phone is seized and your passphrase is compelled, the history is readable. What you don't trust: any operator (there isn't one); any centralised key directory (there isn't one); the network for content (Tor for online, local-link for offline).

Operational specs. Platforms: Android (F-Droid, Google Play, direct APK) — the primary platform. Briar Desktop is in beta for Linux. Identity: per-device cryptographic identity stored locally; no account, no email, no phone number. Adding contacts: in-person QR-code exchange (recommended for high-threat scenarios), Bluetooth handshake when nearby, or "introduction by a mutual contact" (a third party you both trust introduces you). Messaging: 1:1 messages, private groups, public forums (limited scope), and blogs (one-way broadcasts to subscribers). Network modes: internet (Tor onion connection between devices), Bluetooth (peer-to-peer between nearby devices), Wi-Fi Direct (peer-to-peer over local Wi-Fi without internet), Wi-Fi via local network (when phones are on the same Wi-Fi). No push notifications — Briar checks for messages itself when the app is running; iOS-style push notifications would require a server, which Briar doesn't have. Battery considerations: continuous Tor + Bluetooth makes battery usage noticeable; Briar provides battery-optimisation settings to balance liveness vs power. Offline message forwarding: in mesh mode, if you're connected to user A and they're connected to user B, messages from you can hop through user A to reach B even without internet — assuming all three trust each other and the mesh is configured.

Philosophy. Briar's editorial differentiator is the eliminate-operator-infrastructure model. SimpleX, Cwtch, Signal — all have some form of operator infrastructure (SimpleX queue servers, Cwtch onion coordinators, Signal's centralised server) that's in the trust path even when the content is end-to-end encrypted. Briar says: even encrypted-content-on-a-server is metadata exposure, and the only way to truly eliminate metadata is to not have a server. The trade-off: convenience — no offline message delivery to a recipient who's not currently online (in pure P2P mode, the message waits in your outbox until both phones are reachable to each other directly or via mesh hop). For most users this is impractical compared to "send a message, recipient gets it on their phone whenever they next open the app." For the threat model Briar is designed for, this is a feature — there's no server to log "X sent message at time T to Y."

Grade rationale. Grade A reflects: open-source GPLv3 codebase; not-for-profit operator structure (Briar Project, UK); 10+ years of operational continuity; funded by Open Technology Fund + NLnet + donations (no commercial pressure); independent security audits with published reports at briarproject.org; F-Droid + Google Play + APK distribution (multi-channel trust diversification); no central server, no operator infrastructure to subpoena; native Tor + Bluetooth + Wi-Fi mesh network modes; in-person QR-code contact-add workflow (the strongest identity-binding option); cross-listed in Privacy Guides peer directory. Last verified 2026-05-12.

Useful when. You're a journalist or activist in a hostile network environment — Briar is built for this; the offline mesh mode keeps working when the government cuts the internet. You're at a protest or event where you need to coordinate with people physically near you without using cellular or operator-controlled networks. You're a human rights worker in a region where messenger metadata can put sources at risk. You want a messenger where the trust model doesn't include any operator — Briar is the strongest in this category. You're already on Android and want a privacy messenger that complements SimpleX (queue-server-based) and Signal (centralised-but-encrypted) by occupying the "no server at all" point on the spectrum.

Caveats. Android-primary — iOS users have no Briar option (iOS sandbox restrictions on background Bluetooth/Wi-Fi-Direct prevent porting). For iOS, use SimpleX or Signal with appropriate threat-model adjustments. Battery usage is noticeable — running Tor + Bluetooth continuously costs battery. Adjust the in-app battery optimization settings, or accept the trade-off as the price of the trust model. No offline message delivery to an offline recipient — in pure P2P mode, the message waits in your outbox until you and your recipient are both reachable (Tor-online, Bluetooth-nearby, or via mesh hop). For "send a message and forget" UX, use a queue-server-based messenger. No multi-device sync — your Briar identity is per-device; if you install Briar on a second phone, it's a different identity from the first. Per-device identity is a feature for plausible deniability but a friction for users who want desktop + mobile sync. Contact addition has friction — in-person QR exchange is the strongest workflow but requires being physically near the contact; the "introduction by mutual contact" workflow requires a mutually-trusted third party. For non-paranoid users coming from Signal, this friction is real. Public forums and blogs are limited scope — they work but they're not designed to be the primary social-media surface; you wouldn't use Briar as your Twitter replacement. Desktop is beta — Linux desktop client exists but is not as mature as the Android app; expect rough edges if you're testing the desktop path. No native voice/video calls — Briar's mesh networking is designed for asynchronous text + small attachments; for voice/video, use Signal or Element. Phone seizure exposes message history — Briar stores conversation history locally; if your phone is seized and your unlock passphrase is compelled, the history is readable. For high-threat scenarios, use the in-app feature to wipe messages on a schedule, or use a separate device that you can leave behind.