Frequently Asked Questions

RAVEN is a private, secure messenger with offline mesh networking. Unlike other apps, RAVEN can send messages via Bluetooth when there's no internet — device to device.

A username and an email address. You can also sign in with Apple or Google. Profile photo and bio are optional.

An email address is required for account creation and recovery. You can also use Apple ID or Google Account to sign in.

Go to Settings → Account → Delete Account. Your data is permanently removed within 30 days. This action cannot be undone.

Go to Settings → Profile → Edit. Usernames can be changed once every 30 days. They must be unique and 3–20 characters.

Tap 'Forgot Password' on the login screen. We'll send a reset link to your email address.

Not currently. Each device supports one active account. Multi-account support is planned for a future release.

Currently, RAVEN is single-device. Logging in on a new device will sign you out of the previous one. Multi-device sync is in development.

Log in with the same credentials on your new device. Messages sync from the server. Local-only data (wallpapers, drafts) does not transfer.

Your account and server-synced messages are restored on login. Local settings (wallpapers, mute preferences, drafts) are reset.

Yes. Every 1:1 conversation uses X3DH for asynchronous key agreement and the Double Ratchet for per-message key rotation, wrapped inside the ATSAM protocol stack. The result is end-to-end encryption that is forward-secret and post-compromise secure. Our servers and any mesh relay only ever see ciphertext they cannot decrypt, even under legal compulsion.

Forward secrecy means a stolen key today cannot decrypt the messages you sent yesterday — every message has its own key, derived from the previous one and then erased. Raven now ships forward secrecy via the Double Ratchet on every 1:1 conversation, on both internet and Bluetooth mesh paths.

Open the chat → tap their name → Verify Identity. Raven derives a 60-digit Safety Number from both identity keys. Compare it once — in person, on a video call, or by scanning the QR. If the numbers match, no man-in-the-middle is possible even if the carrier, the ISP, and our own server cooperated against you.

Encrypted messages are buffered briefly on the server for delivery sync, then your device caches them in an encrypted local database (SQLCipher / AES-256). The server only ever holds ciphertext — it cannot decrypt your messages, full stop.

Voice messages: up to 5 minutes. Files: up to 25 MB. Location: shared as a one-time pin (not live tracking). Image compression is automatic.

Single check = sent. Double check = delivered to device. Blue checks = read by recipient. You can disable read receipts in Settings → Privacy.

Online status shows when you have the app open. You can hide your status in Settings → Privacy → Show Online Status.

This was a known bug where network errors were incorrectly treated as auth failures. It has been fixed — the app now retries silently without logging out.

This can happen during brief network drops. Pull down to refresh the chat, or the message status will auto-update within a few seconds.

Delivered = the recipient's device received it. Seen = the recipient opened the chat and the message was on screen. Both require an active connection.

Swipe left on the conversation in the Messages list and tap the bell icon. You can choose: 1 hour, 8 hours, 24 hours, 1 week, or permanently.

Open their profile → tap the three-dot menu → Block or Report. Blocking prevents all contact. Reports are reviewed by our moderation team.

When there's no internet, RAVEN uses Bluetooth to find nearby phones running RAVEN. Your message hops from phone to phone until it reaches the recipient — or until a phone with internet uploads it to the server. All automatic, all encrypted.

Mesh works best within Bluetooth range (~10–30m). It's designed for nearby communication — like concerts, campuses, or subway cars. It is NOT a replacement for internet. Think of it as a safety net when connectivity fails.

Mesh mode uses Bluetooth Low Energy (BLE) to create a local device-to-device network. Messages hop from phone to phone — up to 5 hops — to reach the recipient without internet.

Bluetooth range is typically 10–30 meters. With multi-hop relay (up to 5 hops), the effective range can extend to ~150 meters depending on environment and obstacles.

Up to 5 hops. Each relay device decrements the hop counter and forwards the message. After 5 hops, the message is no longer relayed to prevent infinite propagation.

Minimal impact. RAVEN uses Bluetooth Low Energy (BLE), designed for efficiency. Background scanning is managed by iOS to minimize battery usage.

Bridge is when a mesh device regains internet and uploads stored messages to the server. It bridges the offline mesh world with the online server. Fully automatic.

The first copy is accepted. The duplicate is silently discarded using the nonce-based deduplication system. You only see one message.

When the Bridge device uploads it, the server stores it. If you already received it via mesh, the server copy is deduplicated on your device.

Yes. All mesh payloads are encrypted before transmission. Relay devices only see opaque encrypted data and cannot read the content.

iOS restricts background Bluetooth activity. RAVEN works best when the app is in the foreground. Background mesh is limited to brief windows when iOS allows it.

Multi-hop relay depends on all intermediate devices being in range and having RAVEN open. iOS background restrictions can interrupt the relay chain.

Bridge reliability depends on Bluetooth signal quality and iOS background execution limits. We continuously improve this with adaptive retry logic.

That phone uses normal server messaging. It won't participate in mesh networking. Other nearby devices with Bluetooth can still mesh with each other.

Not yet. Mesh currently supports 1:1 messages only. Group mesh support requires additional routing logic and is planned for a future update.

Text-only posts can be broadcast via mesh. When a device with internet receives a mesh post, it uploads it to the server as a Bridge.

Images and files are too large for Bluetooth's limited bandwidth. Mesh posts are restricted to text to ensure reliable, fast delivery across hops.

Tap the group icon in Messages. Add members and set a name. Current limit is 100 members per group.

Admins can: rename the group, change the photo, add/remove members, promote/demote other admins, generate/reset invite links, and set group visibility.

Admins can generate a shareable link from Group Settings → Invite. Anyone with the link can join. Admins can reset the link at any time to invalidate old ones.

Public groups appear in search results and allow joining via link. Private groups are hidden from search and admins can restrict link-based joining.

Open Group Settings → scroll to the bottom → Leave Group. Your past messages remain but you stop receiving new ones.

Admins can swipe left on a member in Group Settings to see actions: Set Nickname, Promote to Admin, Demote, or Remove from Group.

Group Settings → Customize → Chat Wallpaper. Choose a preset or pick from your gallery. Wallpaper is saved locally per-user, not synced across members.

Make sure you tap 'Done' after selecting. If the issue persists, try restarting the app. Gallery images are compressed and saved locally.

This is a known issue with large gallery images. We compress images to max 1080px, but very large files may cause a brief layout recalculation.

Tap the bell icon in Group Settings. Choose a mute duration or 'Always'. You can also enable 'Mentions Only' to get notified only when you're mentioned.

Posts are stored on our servers and cached locally on your device. Mesh posts are stored temporarily on relay devices until uploaded.

This is a known issue with legacy media URL formats. We've fixed the image pipeline to handle both old and new URL formats correctly.

It means the post was originally created and broadcast via Bluetooth mesh networking, then uploaded to the server by a Bridge device.

Tap the three-dot menu on any post. You can delete your own posts or report others'. Reports include the post content and your reason.

There may be a caching delay. Pull down to refresh the feed. If it persists, force-quit and reopen the app to clear the local cache.

Our moderation team reviews all reports manually. We don't use automated content scanning. Action is taken within 24–48 hours.

Voice comments are currently in development. The feature will allow recording and playing back voice replies on posts.

Illegal content, harassment, spam, impersonation, and explicit material involving minors. Full details are in our Terms of Service.

When you delete a post, the server marks it as deleted and pushes the update to all connected clients. Cached copies expire within minutes.

Images are cached locally after first load. The cache is cleared on reinstall or when storage is low. You can manually clear it in Settings.

RAVEN+ is our premium subscription that unlocks 2GB file uploads, 10-minute voice messages, unlimited AI features, Ghost Mode, and VIP Mesh routing priority.

An exclusive RAVEN+ feature that lets you read messages without sending a read receipt (blue double-check) to the sender.

Free users can transcribe 3 voice messages and ask Gemini 5 questions per day. RAVEN+ subscribers have unlimited access.

Subscriptions are managed securely by Apple. You can cancel anytime via your iPhone Settings → Apple ID → Subscriptions.

Identity: Ed25519 signatures on every message. Content: AES-256-GCM (with ChaCha20-Poly1305 as a backup cipher). Key agreement: X3DH over X25519 ECDH, then the Double Ratchet for per-message rotation, all wrapped inside the ATSAM protocol stack. All keys derived through HKDF-SHA256 and stored in iOS Keychain, hardware-bound to the Secure Enclave. Login passwords are stretched with Argon2id; OPAQUE PAKE (RFC 9497) is rolling out so the server eventually never sees the password at all.

Yes — both. Forward secrecy means a stolen key today cannot decrypt the messages you sent yesterday; post-compromise security means a single new handshake heals any conversation that was briefly exposed. Both are provided by the Double Ratchet, which now runs on every 1:1 conversation in Raven, on internet AND mesh.

Open the chat → tap their name → Verify Identity. Raven derives a 60-digit Safety Number from both identity keys (SHA-512 ×5,200). Compare it once — in person, on a video call, or by scanning the QR. If the numbers match, no machine-in-the-middle is possible, even if the carrier, the ISP, and our own server all colluded.

Not yet, and we say that openly. We are commissioning a third-party audit (Cure53 / Trail of Bits / NCC Group-tier engagement) against the cryptographic core for 2026 H2 with the full report published in the open. "Designed to be reviewed" is not the same as "audited" — we know, and we will not pretend otherwise until the report is on this site.

Not yet — we plan to open-source the cryptographic core (X3DH / Double Ratchet implementation, mesh envelope, BLE protocol layer) under an audit-friendly license alongside the third-party audit in 2026 H2. Application code follows in stages. In the meantime, security researchers can request review access to the security-critical sources by emailing info@raven-messager.com — we'd rather you check than take our word for it.

Reproducible builds are committed for v1.6 — anyone will be able to rebuild the App Store binary from public sources and verify it byte-for-byte. Until then, the SHA-256 of every release binary is published so you can at least confirm you have the artefact we shipped.

Sender identity is signed end-to-end today (so the recipient can verify it) but the relay learns the sender's user ID. Sealed Sender — where the server sees the message exists and where it's going but not who sent it — ships in v1.6. Until then we minimise sender exposure: no IP storage, no contact graph, no analytics SDK on the server.

Today: per-group symmetric AES-256 keys with key rotation when a member is removed (correct, but not as scalable or as provably secure as MLS). Migration to MLS (RFC 9420) — Messaging Layer Security, the IETF standard for group ratcheting — is committed for 2026 H2 in v1.7. MLS gives us per-group continuous group key agreement that scales to thousands of members with the same forward-secrecy guarantees as 1:1.

A real concern, and we will not hand-wave it. The encrypted envelope hides content, but radio-layer traffic analysis can reveal who-talks-to-whom. Today we mitigate with: anonymised sender/recipient hashes (no usernames in the envelope), per-relay SHA-256 deduplication, and randomised re-broadcast jitter. Coming 2026 H2: constant-rate cover traffic + decoy envelopes at the radio layer to flatten observable patterns. The third-party audit will explicitly cover this surface.

Today: keys are hardware-bound and don't survive the loss — by design, this means we cannot recover them either, but it also means you lose the ratchet history. Coming v1.6: optional opaque-encrypted key backup to iCloud, sealed with a user-chosen recovery passphrase that the server never sees. You'll get the trade-off you choose — maximum privacy (no backup) or convenience (encrypted backup with a passphrase only you know).

Today the online transport is a single WebSocket — easy to filter. Two answers: (1) the Bluetooth mesh path is not affected by network filtering at all, so local communication keeps working even when the internet is blocked; (2) for online use under censorship, domain fronting + pluggable transports (obfs4 / Snowflake-style) are committed for 2026 H2 so Raven keeps connecting without leaking that you're using Raven.

App-layer crypto neutralises pairing-level attacks: every envelope is signed (Ed25519) and encrypted (AES-256-GCM), so a downgrade or impersonation at the BLE pairing layer cannot inject a forged message or read a real one. We do not rely on BLE pairing for confidentiality. Protocol-level mitigations (encrypted pairing where the host stack supports it, MITM-resistant GATT verification) are part of the 2026 H2 audit scope.

Username, authentication info (email), encrypted messages, posts, and optional profile data. We do not collect location continuously, contacts without permission, or any analytics/tracking data. Push notifications carry no message content — only a wake-up.

No. We do not share, sell, or trade your data with anyone. We have no advertising partners, no analytics SDKs, and no data broker relationships. Apple delivers our push notifications and that is the extent of third-party involvement.

Account data: while active + 30 days after deletion. Encrypted messages: until you delete them, and they remain unreadable to us regardless. Server logs: 30 days. Mesh relay data: 24 hours maximum. To erase everything: Settings → Account → Delete Account. For an export beforehand: Settings → Account → Download My Data.