Threema’s Android app gets a substantial update, bursting with new features and general refinements. Among the highlights are the global search functionality, the integrated media gallery, and the optional image-search feature, which is based on local, and thus privacy-compliant, image recognition.
Today is Data Privacy Day. This annual observance was established by the Council of Europe to raise awareness for data protection and to draw attention to the dangers of a decrease in online privacy.
Since the Data Privacy Day’s inception back in 2007, a myriad of startling privacy incidents has demonstrated over and over how vulnerable our privacy is and how easily it can be invaded on the Internet.
In a joint statement, we, together with ProtonMail, Tresorit, and Tutanota, outline why this proposal is not only misguided but also counterproductive and dangerous, and we ask the EU Council to adhere to the spirit of the Data Privacy Day and acknowledge the importance of privacy for democracy:
The latest Threema version for iOS includes several minor improvements. For example, you can now create groups containing up to 256 members, and it’s possible to quote any type of message, including images, voice messages, and locations.
When using a messaging service, the question who else is on that platform inevitably arises. In conventional chat apps, the contact list answers this question conclusively. In Threema, where privacy is a top priority and users are not forced to disclose their phone number, the contact list might not reveal every contact who uses the service.
Messengers like WhatsApp or Signal use the phone number as unique identifier. Since the phone number is personal data that points to the identity of its owner, Threema uses a random string of characters (the “Threema ID”) instead, and providing a phone number is optional.
Only contacts who have linked a phone number to their Threema ID appear automatically in Threema’s contact list.
Send your individual Share Link to friends who don’t appear in your contact list, and add this link to your email signature, for example. Those who don’t use Threema yet can download it using this link and contact you as soon as they have done so.
If you still use other chat services you intend to leave due to privacy concerns, consider setting this image as profile picture to let others know where to contact you in the future:
Besides Threema, Telegram and Signal are often considered to be secure alternatives to WhatsApp. But are theses solutions really equal in terms of security and privacy protection? Is their approach even comparable? And how does their range of features differ?
In order to answer these questions, we have compiled a comprehensive comparison that shows how the mentioned services stack up against one another in different respects.
The comparison shows that Telegram hasn’t got what it takes to be a secure WhatsApp alternative: By default, end-to-end encryption is disabled and messages are permanently stored on a server, where they could, in theory, be read by the service provider at any time.
Signal enjoys an outstanding reputation among experts, and it’s certainly a good alternative to WhatsApp. However, just like WhatsApp, it requires users to disclose personally identifiable information: Providing a phone number is mandatory. As a US-based IT service provider, Signal is also subject to the CLOUD Act, which entitles US authorities to access the service provider’s data.
When Threema was launched back in 2012, the main goal was to provide a WhatsApp alternative that’s as secure and privacy-friendly as possible. Given this goal, it’s no surprise that the Swiss messenger stacks up well against the competition in terms of security and data protection. It is the only one of the four services that adheres to the “Privacy by Design” principle: Only data that’s absolutely necessary for the service’s operation is generated, and Threema can be used without providing any personal data whatsoever.
As of today, the Threema apps are open source! To celebrate this occasion, the apps are available at half price until December 28. That’s 100% transparency at 50% of the price. Those who don’t use Threema yet have more compelling reasons than ever to regain privacy now.
Now, we go a step further. To ensure full transparency and to dispel even the slightest shadow of a doubt, the Threema apps’ source code is publicly accessible starting today. It is subject to the AGPLv3 license, and thanks to reproducible builds, there’s a way to verify that the published code (of the Android app, for the time being) actually corresponds to the apps available for download.
Therefore, it’s no longer necessary to believe our claims or to trust someone else’s assessment. Anyone knowledgeable enough is now able to confirm Threema’s security on their own.
All information on how to download the source code, build it, and reproduce the app can be found here:
As previously announced, the Threema apps’ source code will be published soon. This step ensures full transparency, and anyone knowledgeable enough will be able to independently verify Threema’s security.
However, going open source doesn’t mean it’s no longer necessary to commission external experts to audit the code. The mere fact that a software’s source is open doesn’t guarantee that qualified specialists go to the trouble of systematically reviewing the code. After all, reviewing software of Threema’s scale not only requires profound technical expertise, it’s also quite time-consuming.
Whereas the most recent audit to date was conducted by the University of Münster’s Lab for IT Security in 2019, we hired Cure53 this time. In a total of 16 person days, experts of the renowned security firm subjected the Threema apps to a thorough inspection.
Even though the audit was carried out with great rigor and attention to detail, it did not reveal any serious vulnerabilities. On the contrary, the experts were impressed with Threema’s code quality and its general structure:
“Cure53 needs to underline that the overall impression of the code quality and general structure of the project can only be described as unusually solid. The design and implementation were clearly accomplished by a rare team of experienced and securityaffine engineers. In Cure53’s opinion, there should be no doubt about the focus of these processes being on providing a highly secure messaging application without encumbering the overall user-experience.” (p. 17)
Of the few minor improvements Cure53 suggested, some are already implemented in the current app versions, and the others will be incorporated into upcoming updates. Read the full audit report here:
There’s a minor Threema update for iOS available, which, among other things, includes some improvements in regard to photo handling.
On iOS 14, you can now grant the Threema app access to individual photos on the fly (instead of either granting access to the entire photo library or not granting access at all):
Navigate to “iOS > Settings > Threema > Photos”
If you tap the plus sign in a chat and select “Choose Existing,” you’ll be presented with iOS’s photo picker instead of Threema’s. This way, the Threema app only gets access to the photos you actually send, not to your entire photo library.
While captions could only be added when sending photos via the Share button prior to this update, it’s now possible to add captions right in the app. And if you select multiple photos at once, simply drag and drop them to define the order in which they are sent.
To learn about other changes and additions the 4.6.3 update contains, please refer to the changelog.
These days, many chat services allow users to use multiple devices in parallel. Therefore, one might assume that such a multi-device functionality must be easy enough to implement. Provided that security and privacy protection are not a major priority, this notion isn’t far off. If, however, the multi-device protocol is required to meet Threema standards, things get complicated.
In order to fulfill Threema’s requirements, a multi-device solution must, of course, provide full end-to-end encryption. That’s a given. But on top of that, it also has to rule out any possibility for the server to alter key material, and the amount of transferred metadata must be kept to the absolute minimum.
Even though these requirements pose a true technological challenge, we believe to have found a capable and elegant solution, which is currently in development and will become available in the course of 2021.
Using Threema Gateway, you can send, receive, and process Threema messages by means of your own software. Whappodo has used this technique to create a useful service for retrieving regional Corona stats.
Simply send a location (as location, not as text message) to the Threema ID *COVIDEN, and, in return, you’ll receive the current Corona stats for that region: Give it a try!
The Corona Radar showcases how Threema Gateway can be used in clever ways.
Chat apps have become an indispensable communication tool in many areas, also at school. Classroom chats form an integral part of everyday school life, and homework is often assigned via text message. Since conventional chat services systematically collect personal data, their use for school purposes is highly questionable and may violate applicable law.
With Threema Education, schools and other educational institutions benefit from all advantages modern instant messaging offers without compromising the privacy of students and teachers.
Thanks to a framework contract with educa.ch, it’s now easier than ever for public Swiss educational institutions to use Threema Education. As a Specialist Agency of the Swiss Confederation and the cantons, educa.ch negotiates framework contracts with commercial service providers in order to promote digitalization in the education sector.
The framework contract ensures legal certainty and reduces the acquisition effort. And since Threema Education doesn’t generate recurring costs, educational institutions benefit from planning security in any case.
A new chapter is added to Threema’s success story.
Strengthened Through Partnership
After an intense startup phase, Threema lays the foundation for continuity, further growth, and an acceleration of the product development thanks to the entry of the German-Swiss investment company Afinum Management AG.
Afinum fully shares our values regarding security and privacy protection. The additional resources gained through this partnership enable Threema to grow beyond the German-speaking part of Europe, and we can use our energy for visionary new ideas and projects. That said, Threema’s founders – Manuel Kasper, Silvan Engeler, and Martin Blatter, all software developers – will continue to lead the company and still retain a significant ownership interest.
Open Source and Multi Device
Security and privacy protection are deeply ingrained in Threema’s DNA, which is why our code gets reviewed externally on a regular basis. Within the next months, the Threema apps will become fully open source, supporting reproducible builds. This is to say that anyone will be able to independently review Threema’s security and verify that the published source code corresponds to the downloaded app.
In the future, it will be possible to use multiple devices in parallel thanks to an innovative multi-device solution. In contrast to other approaches, no trace of personal data will be left behind on a server. Thanks to this technology, Threema can be used on a PC without a smartphone.
In conclusion, Threema will become even more trustworthy and even more convenient to use.
After a thorough beta test, video calls are now ready for everyday use! Simply switch on the camera during a Threema call, and your contact will see you in stunning image quality, while you can rest assured that no one else is able to access the video.
Rigorous Data Protection
Since video calls contain personally identifiable information of the purest form, they are particularly worthy of protection. As is to be expected, Threema’s video calls are designed from the ground up with security and privacy in mind. Not only the transmitted data but also signaling is fully end-to-end encrypted, and before a call is accepted, no data is transmitted.
When it comes to metadata, video calls also meet Threema’s rigorous standard. In order to ensure full end-to-end encryption of all metadata (including real-time metadata, such as camera orientation), our team had to make corrections to the widely used base technology “WebRTC.” This security improvement will be incorporated into the WebRTC project, meaning that countless other communication services benefit from our patch in the future.
Technical details concerning the security aspects of Threema’s video calls are documented in the Cryptography Whitepaper.
Intuitive User Interface
To place a video call, simply start a regular Threema call, and tap the camera button in the top right corner to activate video transmission. Your call partner can choose to turn on their camera at any time, or, if preferred, they can leave it off during the entire call, which is to say that it’s possible to conduct one-way video calls.
While a video call is ongoing, you can return to the app and use it like you normally would. On Android, you can even leave the app and continue video calls in picture-in-picture mode.
If you wish not to receive video calls at all, simply deactivate the Allow Video Calls option in Settings > Threema Calls.
Excellent Voice and Image Quality
Video calls exhibit the crystal-clear voice quality Threema users have become accustomed to from voice calls. Image quality is every bit as brilliant and automatically adapts to the available bandwidth. But don’t take our word for it, update the app and see for yourself:
A photo of someone is personally identifiable information of the purest form. That’s why photos are so commonly used to identify people; a prime example is the photo in your passport.
Video calls not only contain single photos, they consist of continuous images of the participants in real time. Therefore, they are more up to date and a lot richer in information than a simple photo. Even without taking into account the facial recognition technology available today, the potential for misuse is considerable.
Given this sensitive nature, video calls are particularly worthy of the security and privacy protection Threema provides. Also those who wrongly believe their privacy is not at stake when exchanging text messages must be aware of the potential dangers video calls pose, and everyone should shy away from services that lack proper security and privacy protection when it comes to video calls.
For the past few weeks, the participants of our beta program have put video calls to the test. Starting next week, all Threema users will be able to make video calls without having to worry about their privacy. Stay tuned!