Open Source

Vertrauen ist gut. Transparenz ist besser.

Threemas kryptografische Verfahren sind detailliert dokumentiert, und regelmässig werden externe Experten damit betraut, umfassende Sicherheitsaudits durchzuführen. Es ist aber nicht erforderlich, unseren Aussagen zu glauben oder auf die Einschätzung Dritter zu vertrauen. Um volle Transparenz zu gewährleisten, sind die Threema-Apps Open Source.

Auf dieser Seite finden Softwareentwickler und Sicherheitsforscher Informationen zum Herunterladen und Kompilieren des Quellcodes sowie zum Reproduzieren der App.

Die folgenden Inhalte sind technischer Natur und stehen nur auf Englisch zur Verfügung.

Übersicht Reproducible Builds Contributions GitHub

Overview

Source Code and Documentation

Mobile Apps

Desktop App / Threema Web

Threema for desktop: The app for macOS, Windows, and Linux
Threema Web: The Threema Web application
Push Relay: Push notifications for Threema Web
Compose Area: Library for a compose area with support for inline images
App Remote Protocol: Documentation of the Threema Web protocol

Build Instructions

Build and test instructions can be found in the README files included in the source-code repositories.

Reproducible Builds

In order to verify that the published source code actually matches the source code the mobile apps in the stores were built with, we provide reproducible builds.

At the moment, reproducible builds are available for Threema’s Android app. Due to restrictions by Apple, it’s no easy task to offer reproducible builds for iOS, but we are currently evaluating possible ways to also support reproducible builds for this platform.

For instructions on how to reproduce the published Android app build, please refer to the Reproducible Builds page.

Bug Reports / Feature Requests / Security Issues

To report bugs or request new features, please contact the Threema support team.

If you discover a security issue in Threema, please adhere to the coordinated vulnerability disclosure model.

To be eligible for a bug bounty, please file a report on GObugfree (where all the details, including the bounty levels, are listed).

If you’re not interested in the bug bounty program, you can contact us via Threema or by email; for contact details, see threema.ch/contact (section “Security”).

Contributions

You can contribute to the Threema apps through pull requests on GitHub, after signing the Contributor License Agreement. Please refer to the Submitting Contributions page for more information. (To translate the Threema app, please don’t create a pull requests; use OneSky instead.)

License

The Threema apps are subject to the GNU Affero General Public License version 3. More details can be found in the source code repositories.

Please note that even though they may be compiled and modified freely, the Threema apps are still paid apps. An anonymous license check prevents the creation of Threema IDs on self-compiled apps. If you would like to use a self-compiled app, please restore the backup of an existing Threema ID. You can create Threema IDs and backups thereof using the purchased app.

If you have questions about the use of self-compiled apps or the license in general, feel free to contact us. We are publishing the source code in good faith, with transparency being the main goal. By having users pay for the development of the app, we can ensure that our goals sustainably align with the goals of our users: Great privacy and security, no ads, no collection of user data!