Will my address book data be sent to your servers?
That’s your decision – Threema can be used without any address book access whatsoever.
By default, the synchronization is disabled and no address book data will be read. In this case, you can add your Threema contacts manually (by typing in their IDs or scanning QR codes).
If you decide to enable the synchronization, email addresses and phone numbers from your address book will only be transmitted to the server in one-way encrypted (“hashed”) form and are additionally protected using TLS encryption. The servers only keep these hashes in volatile memory for a short time to determine the list of matching IDs, and then delete the hashes immediately. At no point are the hashes or the results of the synchronization written to disk.
Due to the relatively small number of possible phone number combinations, it is theoretically possible to crack hashes of phone numbers by trying all possibilities. This follows from the nature of hashes and phone numbers and cannot be solved in another way (salting, as used when hashing passwords, does not work for this kind of data matching, because both sides must compute the same hash). Therefore we treat phone number hashes with the same care as if they were raw/unhashed phone numbers.
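The matching flow described above, as an added illustration that is not Threema's own code: the client normalizes and hashes each address-book entry, and the server compares the hashes against an in-memory directory without persisting them. The hash function (SHA-256), the normalization rules and the directory contents are assumptions constructed for this example; the real scheme may differ.

```python
"""Contact discovery by hashed identifiers (added example, not Threema's code).
Hash function, normalization rules and directory contents are assumptions."""
import hashlib
import re
from typing import Dict, List


def normalize_phone(number: str, default_cc: str = "41") -> str:
    """Canonical digit string (assumed rule) so client and server hash the same
    value whether the number was entered as +41 79..., 0041 79... or 079 ..."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return default_cc + digits[1:]
    return digits


def hash_identifier(identifier: str) -> str:
    """One-way hash that replaces the raw phone number or email on the wire."""
    return hashlib.sha256(identifier.encode()).hexdigest()


# Constructed server-side directory: identifier hash -> Threema-style ID.
# Sample data only; the IDs and numbers are made up.
DIRECTORY: Dict[str, str] = {
    hash_identifier("41791234567"): "ABCDEFGH",
    hash_identifier("41441112233"): "HGFEDCBA",
    hash_identifier("alice@example.org"): "ABCDEFGH",
}


def client_request(address_book: List[str]) -> List[str]:
    """Client side: only hashes of normalized entries leave the device."""
    hashes = []
    for entry in address_book:
        ident = entry.strip().lower() if "@" in entry else normalize_phone(entry)
        hashes.append(hash_identifier(ident))
    return hashes


def server_match(hashes: List[str]) -> List[str]:
    """Server side: look up the submitted hashes in memory and return only the
    matching IDs. The hash list is a local variable, so nothing is written to
    disk and it is discarded when the function returns."""
    matches = [DIRECTORY[h] for h in hashes if h in DIRECTORY]
    return sorted(set(matches))
```

Note that because a phone number has far less entropy than a password, the hashes in `DIRECTORY` still deserve the same protection as the raw numbers, which is the point the answer above makes.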