X Launches XChat Messaging App on iOS, Challenges WhatsApp

Elon Musk's X has officially launched XChat, a standalone messaging application for iPhone users that directly challenges WhatsApp and Signal in the encrypted messaging space. The app arrived on the Apple App Store in late April 2026, offering users a dedicated space for private messaging, file sharing, and audio and video calls with existing X contacts.

According to reporting from The Times of India, the app description emphasizes privacy as its core foundation. Every message is end-to-end encrypted with a key pair unique to each user, protected by a PIN that never leaves the device. The company claims no one can read conversations—not even X itself.

The launch represents a strategic pivot for X. Owner Elon Musk had previously envisioned X as an all-in-one "everything app" combining messaging, payments, shopping, creator tools, and AI. Instead, the company is now unbundling services into specialized applications, with XChat serving as the messaging hub. Payments are being tested separately but have not yet rolled out publicly.

XChat introduces several tools aimed at enhancing communication and privacy. Users can send private and group chats, make audio and video calls, and utilize disappearing messages. The app includes screenshot blocking and allows message editing and deletion for all participants. X claims the app is free from advertising and tracking mechanisms.

However, security experts have raised significant concerns about the app's privacy architecture. Forbes reported that security researcher Tommy Mysk posted Apple's iOS privacy label on X, detailing the information XChat collects despite the "no tracking" claims.

Two concerns stand out, according to Varun Badhwar, CEO and founder of Endor Labs. First, encryption keys live on X's servers. X stores users' private encryption keys on its own infrastructure, protected by a four-digit PIN. X has acknowledged that this architecture could allow "a malicious insider or X itself" to access conversations. That's a remarkable admission—and it means the end-to-end encryption claim depends on X's policies, not on math.

Second, image metadata is not stripped. Reports indicate that images sent through XChat retain GPS coordinates and camera details. Even when message content is encrypted, a shared photo can leak your location and device fingerprint.

Although XChat encrypts the content of messages, its App Privacy Notice reveals that it collects several types of data—including metadata and usage activity. Luke Dixon, a partner at Freeths who specializes in IT and data law, warns that metadata reveals who you are communicating with, when, and for how long. Usage activity includes product interaction records, search history, and information that reveals how you use the app.

In the U.S., there is no federal privacy baseline. The California Consumer Privacy Act gives users there some rights, but there's nothing comparable to the U.K.'s General Data Protection Regulation forcing X to disclose third-party recipients or processing purposes. In the U.K. and European Union, XChat will face a very different regulatory environment. GDPR requires disclosure of lawful basis, retention periods and third-party sharing.

X has already collided with European regulators. Ireland's Data Protection Commission investigated X's use of user data to train Grok, and X agreed to suspend processing of EU/European Economic Area user data on a permanent basis. This matters because XChat lives inside the same corporate envelope as Grok.

XChat shares account, usage and device data with third parties, including service providers, partners "and potentially advertisers," says Neil Thacker, global privacy and data protection officer at Netskope. Data may also be disclosed to authorities where legally required. Once data is shared, users have limited visibility and control over how it is used, increasing the risk of profiling, tracking and misuse.

The app was tested with a small group of beta users earlier in 2026, and feedback helped shape the launch version. According to X's lead designer Benji Taylor, XChat is "just the beginning of what we're building for messaging," hinting at future updates and expanded features. A release date for Android has not been set.

XChat will replace the Communities feature, which is being discontinued due to low usage and spam. The app requires an existing X account, so your identity, device information, IP and behavioral history on the parent platform are already part of the graph before you send your first message.

Whether users actually trust X with their private conversations remains the real question. The app works without a phone number—just an X account. But that convenience comes with the tradeoff of tying your messaging identity to a platform with a documented history of data controversies. Time will tell if the encryption promises hold up under scrutiny, or if this is just another messaging app with a privacy veneer.

Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt Connect on LinkedIn