Secure messaging app FAQ
We have answers.
We answer questions about the anonymous messenger Mold. If you do not find the information you need here, just ask, using the form at the bottom of this page.
The foundation of the project.
What is Mold?
Mold is a secure messaging app with end-to-end encryption, requiring no VPN and no phone number for registration, created to work primarily in countries with authoritarian regimes, where people have no opportunity to communicate freely. It can also be used for ordinary communication.
Is it free?
Yes. Text messaging, encryption, censorship bypass, and all security features of the encrypted messenger are free. In the future, optional premium features may be offered by paid subscription. You can also support the project directly.
Who is behind Mold?
Mold is created by one person, a native of one of the authoritarian countries, on a purely ideological basis. In the future, Mold may have its own team.
How is Mold different from Signal?
Signal is an excellent messenger and we deeply respect it. It proved that end-to-end encryption can be a standard for billions. Meanwhile, Signal requires a phone number for registration, is blocked in Russia, China, and Iran, and does not protect the device at the moment of seizure. Mold has broader protection capabilities.
How is Mold different from Telegram?
Telegram is not an encrypted messaging app with end-to-end encryption by default. Regular chats and ALL group chats use only server-side encryption and are accessible on Telegram's servers. Only "Secret Chats" between two people have end-to-end encryption. Telegram requires a phone number, and its server code is closed.
Is Mold's source code open?
Yes. Fully. The server and client code of the secure and protected messenger Mold are published under the AGPL-3.0 license on GitHub.
Can you read my messages?
Can Mold's developers read their users' messages?
No. This is not a policy, this is a mathematical impossibility. All messages of the protected messenger are encrypted using Noise Protocol XX based on ChaCha20-Poly1305. Encryption and decryption happen only on the user's device. The server stores encrypted blocks that no one can decrypt. We do not own decryption keys. We have no mechanisms to obtain such keys.
What data does Mold collect?
The absolute minimum required to deliver messages between users: Mold ID, username (nickname). We also know the account creation date and the date of last connection. All user correspondence is stored on our servers in encrypted blocks. Protection of private correspondence is the main rule of the most secure messaging app.
What happens if Mold's server is hacked?
The probability of such an event is low. However, if it happens, only the data described above will become accessible. In other words, essentially nothing. This information has no commercial value for an attacker. Mold is built on a zero-knowledge architecture, which means there is simply nothing to steal. This is how an encrypted messenger should handle your data.
Is this a CIA/FBI/NSA tool?
No. Mold was created by a private individual under US jurisdiction. The code is open, anyone can verify the absence of hidden code that could spy on users. It is simply a quality product, an encrypted messaging app that ensures the protection of private correspondence.
Why should I trust you?
You should not. Trust the open source code. If something changes, the open source community will find out first, and even if you understand nothing about programming, that information will quickly become available to you. The most secure messaging app is the one whose code is open to everyone.
Do you cooperate with law enforcement?
Yes. Absolutely. We respond to lawful requests under the laws of the United States and the State of California. We provide everything we have: Mold ID, user nickname, registration date, last connection date, encrypted messages, and encrypted profile data. We cannot provide message content, because we do not own the decryption keys. Read our complete protocol for working with law enforcement.
In other countries.
Does Mold work in Russia?
This is one of the main goals of development. Mold was created specifically to counter Russia's deep packet inspection system, TSPU.
Does Mold work in China? Iran? Belarus?
The architecture of our anonymous messenger is universal. If Mold withstands Russia's TSPU, it withstands Iran's DPI, Turkey's traffic throttling, and most other censorship systems. This end to end encryption messenger is built for the hardest environments first.
Do I need a VPN to use Mold?
No. Mold is a secure and protected messenger without a phone number and without VPN. Authoritarian governments such as Russia's have already blocked more than 469 VPN services, because VPN traffic is detectable. Mold does not tunnel traffic through a VPN, it builds its own traffic which, in the eyes of inspecting systems, looks like ordinary web browsing. There is nothing to detect, slow down, or block.
How do I download Mold if the website is blocked?
There are many sources. Telegram bot, GitHub Releases, Google Drive, IPFS, and other sources. More details on this page.
Will my Internet provider know that I am using Mold?
No. It is technically impossible, and this is one of our advantages. The provider sees HTTPS traffic to a CDN IP address, indistinguishable from a visit to any of the millions of sites behind the same CDN. The TLS handshake matches the Chrome browser fingerprint byte for byte. There are no persistent connections. From the provider's point of view, you are simply browsing the web.
What if the government blocks Mold's server domain?
New domain names of Mold's server ecosystem appear periodically in anonymous mode. No one will ever know at which moment each application receives the list of fresh access addresses to our servers. This is what makes a secure messaging app truly censorship-resistant.
What happens if the phone is seized?
What if the police take my phone?
For the police of an authoritarian country, nothing good. Our messenger for hidden communication contains six layers of protection. One of the first difficulties the security officer will face: he will not be able to find the application on the mobile device. And if he does find it, he will read absolutely harmless conversations.
Will government spyware apps see Mold?
No, they will not see it, if you use Mold's built-in anti-spyware shield. For example, Russian spy applications (VK, Max/Mail.ru, Yandex Keyboard) that serve the Yarovaya Law will not be able to track the presence of Mold, an encrypted hidden messenger. In addition, the messenger intercepts the telemetry of these spy apps and is itself able to block it. Roles change: the spies do not watch the protected messenger, the messenger watches them.
What is the second password (the duress password)?
You set two passwords. The real password (the working one) opens the real conversation feeds. The duress password opens a set of pre-configured innocent conversations that you set up earlier. Both interfaces look identical. While someone scrolls through your fake chats, Mold silently erases the real information.
What is Guardian Wipe?
You designate trusted people from your contacts (mother, spouse, best friend) as Guardians. If you are detained, a Guardian sends a cryptographically signed authentic command to your anonymous messenger. When the phone connects to any global network for even a second, Mold data on your device is instantly erased.
Where to begin?
Do I need a phone number to register the messenger?
No. You have the full lawful right to protection of private correspondence.
How do I add contacts without a phone number?
Five ways:
- QR code at an in-person meeting.
- Search by Mold ID or nickname.
- One-time invitation link (valid for 24 hours).
- 6-digit code that can be dictated.
- A mutual acquaintance invites you.
The contact list is never uploaded to the server.
What if I lose my phone?
When the account is created, Mold shows the 12-word recovery phrase one time. On any new device: install Mold, enter the 12 words, and your cryptographic identity will be restored in a couple of minutes.
Is Mold available for iOS?
This is a plan for further development. Apple's App Store restrictions make it difficult to distribute censorship circumvention tools.
What are the badges?
Mold IDs are sequential numbers for users, similar to the good old ICQ. Early users receive smaller numbers and permanent first-user badges. It is a distinguishing mark among other users of the hidden messenger who came later.
Is this legal?
Is Mold legal in the United States?
Completely. End-to-end encryption is protected by the First Amendment (Bernstein v. US, 1999). No US law requires hidden surveillance algorithms against citizens; attempts to introduce such an option have failed three times. The Supreme Court unanimously ruled that providing a general-purpose service is not aiding a crime (Twitter v. Taamneh, 2023). Signal has lawfully worked on the same model for more than 10 years. Building an end to end encryption messenger under US law is fully protected.
Is it legal to use Mold in Russia?
We are not specialists in the field of Russian jurisdiction. The use of encrypted communications in Russia is not criminalized. However, the Yarovaya Law imposes obligations on telecommunications operators working in Russia, forcing them to monitor citizens.
Can Mold be used for illegal activity?
Strictly prohibited. In every chat there is a "Report" button that sends us the last 20 messages of conversation context in decrypted form. If this conversation contains signs of breaking the law, we immediately transfer this information to the corresponding US authorities. We respond to all lawful requests and provide everything we possess. Read our protocol for working with law enforcement.
How do you make money?
Currently, no way. In the future, a freemium model is planned: a free basic messenger and optional paid features for advanced users. You can also support Mold directly.
What happens if Mold ceases to exist?
We very much hope this will not happen. However, in any case, the source code is open under the AGPL-3.0 license. If Mold as a company ceases to exist, the code remains on GitHub. Anyone can use it.
Still have questions?
Join our community. The team is in touch. Or read the source code, it can answer almost any question.
Or write to us directly