As previously announced, the Threema apps’ source code will be published soon. This step ensures full transparency, and anyone knowledgeable enough will be able to independently verify Threema’s security.
However, going open source doesn’t mean it’s no longer necessary to commission external experts to audit the code. The mere fact that a software’s source is open doesn’t guarantee that qualified specialists go to the trouble of systematically reviewing the code. After all, reviewing software of Threema’s scale not only requires profound technical expertise, it’s also quite time-consuming.
Whereas the most recent audit to date was conducted by the University of Münster’s Lab for IT Security in 2019, we hired Cure53 this time. In a total of 16 person days, experts of the renowned security firm subjected the Threema apps to a thorough inspection.
Even though the audit was carried out with great rigor and attention to detail, it did not reveal any serious vulnerabilities. On the contrary, the experts were impressed with Threema’s code quality and its general structure:
“Cure53 needs to underline that the overall impression of the code quality and general structure of the project can only be described as unusually solid. The design and implementation were clearly accomplished by a rare team of experienced and security-affine engineers. In Cure53’s opinion, there should be no doubt about the focus of these processes being on providing a highly secure messaging application without encumbering the overall user-experience.” (p. 17)
Of the few minor improvements Cure53 suggested, some are already implemented in the current app versions, and the others will be incorporated into upcoming updates. Read the full audit report here: