Will my address book data be sent to your servers?
That’s your decision – Threema can be used without any address book access whatsoever.
By default, the synchronization is disabled and no address book data will be read. In this case, you can add your Threema contacts manually (by typing in their IDs or scanning QR codes).
If you decide to enable the synchronization, email addresses and phone numbers from your address book will only be transmitted to the server in one-way encrypted (“hashed”) form and are additionally protected using TLS encryption. The servers only keep these hashes in volatile memory for a short time to determine the list of matching IDs, and then delete the hashes immediately. At no point are the hashes or the results of the synchronization written to disk.
Due to the relatively low number of possible phone number combinations, it is theoretically possible to crack hashes of phone numbers by trying all possibilities. This is due to the nature of hashes and phone numbers and cannot be solved differently (using salts like for hashing passwords does not work for this kind of data matching). Therefore we treat phone number hashes with the same care as if they were raw/unhashed phone numbers.