FAQs

Germ DM is private chat software that gives you the freedom to connect securely with anyone, without oversharing. It is currently available in public beta on iOS.

Our beta is a 1:1 end-to-end encrypted text messenger. This first release lets you build and share multiple profiles to form 1:1 chats with other iOS users, all without phone numbers. We are growing as fast as we can to give you the features and products you expect, like group messaging and an Android product.

Germ DM is an iOS app that lets you create and exchange identities to access private messaging. Your identities in Germ are the profile cards you make in the app. You make connections with people by exchanging those cards, and in doing so set up an end-to-end encrypted (E2EE) messaging channel between the creators of those cards. Cards are representations of cryptographic keys. When you exchange cards, you’re exchanging cryptographic keys.

Today, you can exchange text messages in this E2EE channel, but more features are coming.

Germ DM is designed to help you control what information you produce and share—with other users, and with us, the developer. The information you produce is stored on your device, not with us. When you send information to other users, it is end-to-end encrypted: data is encrypted on your device and decrypted on the recipient’s device; we cannot read it as it travels through our servers, nor can we produce it for anyone else. Unlike some other software, we do not know your phone number, e-mail address, location, IP address, when you open or close the app, what you click on, how fast you scroll, who you talk to, or when. You can read a technical description of our data access in our Privacy Policy.

In many popular E2EE messengers, your phone number is your identity. Anyone can message you so long as they know your phone number. The messenger uses the phone numbers of people you know to provide a translation to these users’ public keys, facilitating an end-to-end encrypted session between your and the other person’s phone number.

In Germ, your identities are the cards you create. You control who can reach you and how you present yourself to them, by exchanging cards. No one can contact you on Germ unless you’ve given them permission by exchanging a card with them.

Our unique system not only allows you to control who can contact you, it also lets you connect via multiple identities through a single inbox. Cards and the conversations they open are managed by you from a single inbox, but other users who have one of your cards can’t find the others unless you share them. Read more about how cards work in our User Guide.

Germ is designed so that its developers know very little about you and your activity.

Your cards and messages are all end-to-end encrypted so that Germ’s developers and servers cannot see them.

When you install the Germ app, it generates a new signing key, and registers it with Germ’s servers. This key is used to authenticate uploads of encrypted cards, request addresses from the backend, and retrieve messages delivered to those addresses. The app will also upload a device push token, which is an address Germ can use to request that Apple sends a push notification to your device. This device push token is scoped to the Germ app and cannot be used to track you across apps from different developers via your phone.

Germ can observe that devices requested some addresses, uploaded some encrypted cards, and that messages were sent and retrieved for those reserved addresses. Germ does not have information to tie devices or addresses to card identities, unless someone reports the information on a card to Germ.

Your messages reside in the Germ app on your phone. When you send a message, you save a copy on your phone for your conversation history. The app end-to-end encrypts the message contents for the recipient on your device, then sends the encrypted message to Germ for delivery. Germ keeps the encrypted messages only as long as necessary for delivery, up to 30 days if the recipient is offline. When your messages leave your device, they’re end-to-end encrypted so that only the recipient can read them. Once your friend receives and decrypts your message, that message is then saved in the Germ app on their phone.

You have many options with which to backup your phone, and the Germ app tries to match your expectations for the particular option(s) that you choose to use. In most cases, including the recovery mechanisms that Apple provides, your messages are protected by a secret only you know, and can only be recovered by you.

Sensitive data in the Germ app – private keys, symmetric keys, and message contents — are protected on device with keys stored in the iOS keychain. If you use iCloud Keychain, these keys are recoverable by you, but cannot be accessed by Apple.

What does this mean? Your cards and message contents will be restored, and you can continue your conversations, if you transfer or restore your phone data in a way that preserves the contents of the iOS keychain, such as:

• direct transfer from device to device at setup time
• encrypted local backup on a Mac or PC
• iCloud Backup, only if you also use and recover the iCloud Keychain

Your sensitive data, including message contents, are not recoverable unless you can recover the phone’s keychain data, which is commonly protected by a secret only you know. If you use iCloud Backup but want to exclude all Germ data from it, you can do so in iCloud Settings.

Each card has a corresponding root signing key (Ed25519), which asserts the user-facing data (name, photo, etc) that should be associated with the key, and its connection to additional scoped signing keys for each connection you make.

When you share a card, you’re sharing

• the root public key and its assertions about your name, photo, and other information on the face of the card, and that you can setup a channel using an additional scoped key.
• a scoped public key that is used to set up a single E2EE channel with a recipient - it asserts addresses and encryption keys that should be used for this channel.

When you share a card, the Germ app symmetrically encrypts this data (with ChaCha20-Poly1305) and uploads it to Germ’s servers. The link to the encrypted card at Germ, and the symmetric key that unlocks it, are packaged as a URL with the key in the URL fragment, so that Germ never receives the symmetric key. This link can be shared as-is or packaged as a QR code. Anyone who possesses the full link can see the contents of a shared card.

With a decrypted card that contains public keys and addresses, you can send a message asymmetrically encrypted to the creator of the card.

In sum, when exchanging cards and messaging on Germ:

• The first card is symmetrically encrypted with ChaCha20-Poly1305
• A reply to the card is asymmetrically encrypted to the first card using HPKE in base mode
• Subsequent messages, depending on both parties possessing each other’s cards, are sent using HPKE in authenticated mode

The Germ app performs all cryptographic operations with the built-in CryptoKit library from the iOS SDK. For message encryption, it uses HPKE with the cipher suite comprised of X25519 key agreement, SHA-256 key derivation, and ChaCha20_Poly1305 symmetric encryption.

HPKE is only available in iOS 17 and later. With recipients on iOS 16, the app negotiates a session where it directly performs similar operations using available CryptoKit operations.

• For the first reply, the app performs an X25519 Diffie-Hellman key exchange with an ephemeral sender key, then derives a ChaCha20-Poly1305 symmetric key (using SHA-256 HKDF) from both X25519 public keys.
• For subsequent messages, the app performs an X25519 Diffie-Hellman key exchange with an ephemeral sender key, then derives a ChaCha20-Poly1305 symmetric key (using SHA-256 HKDF) from both X25519 public keys, the sender’s public signing key, and entropy exchanged within the E2EE channel.

We use Web Crypto on our servers to authenticate requests from your app (against a separate Ed25519 signing key from those on your cards), and to symmetrically encrypt push notification payloads (using AES-GCM) through the Apple Push Notification Service, to the receiving app.

Our name irreverently invokes a new paradigm of social media and digital connection that prioritizes care, community, research, public health, and natural growth.

Germ is built and managed in California by two co-founders, Tessa and Mark, and sometimes some wonderful interns. We release software updates regularly and hang out in our Discord and around the Bay Area and LA.

Germ Network, Inc. is a Delaware Public Benefit Corporation (PBC). That means we are a for-profit corporation that can accept investment capital to grow our business and reward our shareholders. It also means that beyond our fiduciary, or financial, duty to our shareholders, we have chartered for ourselves a public benefit duty to “create a material positive impact on society and the environment.” Specifically, our chosen public benefit is “to help people communicate in healthy ways, achieved by prioritizing transparency, privacy, user control, accessibility, and empathy in our products, services, governance, and partnerships.” We believe that serving this mission will lead us to build the best digital social products ever while growing a gigantic, successful business, and that this giant business will protect our ability to bring our mission to as many people as possible.

Please join our Discord community; follow us on LinkedIn, Mastodon, or TikTok, or send us an email at hello@germ.network. If you send us a card, one of us will DM you back!