Independent security audit confirms: Threema lives up to its promises

2nd Nov, 2015

We are convinced that Threema is currently the most secure mobile instant messenger on the market. A well-respected Swiss IT research lab has put Threema to the acid test. The result confirms the quality and security of our system across the board: “We confirm the quality of the system as claimed by Threema in their public specification”. All security-relevant aspects in the areas of server, apps (Android and iOS) and Gateway were examined. For its thorough investigation, the auditing agency was granted full access to the Threema app's source code as well as the servers, and our developer team provided any assistance needed.

Two of Threema's main promises are these: all communication – including group chats, media, files and status messages – is end-to-end encrypted, and Threema is designed to limit users' data trail to a bare minimum (e.g., groups and contact lists are handled on users' devices instead of our servers). Both of these assertions were confirmed by the audit. Furthermore, the auditing agency attests in its report:

  • Threema's concepts meet the requirements for truly secure and trustworthy messaging.
  • The application of the encryption is correct and implemented as documented by Threema.
  • The protocols used are free of vulnerabilities.
  • The app's local data is stored in a safe and secure manner.
  • The server components only store data that is absolutely necessary for message delivery.
  • The servers are located in Switzerland.

Supplementing our comprehensive Cryptography Whitepaper, we hope that this security audit further increases transparency and trust in Threema. The good result encourages us to remain true to our principles, and we will keep improving Threema by making it even more secure, user-friendly and feature-rich.

Read a summary of the audit report here.