How and where is my key pair generated?
During initial setup of your Threema ID, a key pair for the encryption of messages based on Elliptic Curve Cryptography (ECC) is generated. This key generation is performed directly on your phone, without any server interaction. The private key never leaves your device. The random data necessary for key pair generation is obtained from the phone's random number generator and is mixed with further random data that you generate yourself by moving your finger on the screen. This ensures that even if a weakness is discovered in the phone's random number generator, the private keys of the users cannot be cracked.
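The mixing idea described above, as an added example that is not Threema's code: system randomness is XORed with a hash of touch samples, so a failed system RNG still leaves the user's input in the seed. The SHA-256/XOR construction, the 32-byte seed size, the minimum sample count, and all names and sample traces are assumptions made for illustration.

```python
import hashlib
import os
import struct

SEED_LEN = 32      # assumed private-key seed size in bytes
MIN_SAMPLES = 16   # assumed minimum number of touch samples


def hash_touch_samples(samples):
    """Condense (x, y, timestamp_ns) touch samples into 32 bytes."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError("not enough touch samples collected")
    h = hashlib.sha256()
    for x, y, t_ns in samples:
        # Fixed-width encoding keeps sample boundaries unambiguous.
        h.update(struct.pack("<ffQ", x, y, t_ns))
    return h.digest()


def mix_seed(samples, system_rng=os.urandom):
    """XOR system randomness with the hashed user input.

    If the two inputs are independent, the result is at least as
    unpredictable as the stronger of them.
    """
    sys_bytes = system_rng(SEED_LEN)
    if len(sys_bytes) != SEED_LEN:
        raise ValueError("system RNG returned wrong length")
    user_bytes = hash_touch_samples(samples)
    return bytes(a ^ b for a, b in zip(sys_bytes, user_bytes))


def broken_rng(n):
    """Constructed failure case: an RNG that always returns zeros."""
    return bytes(n)


# Constructed sample traces: (x, y, timestamp in nanoseconds).
TRACE_A = [(10.5 + i, 200.0 - 3 * i, 1_000_000 * i + 137 * i * i) for i in range(32)]
TRACE_B = [(300.0 - 2 * i, 15.25 + i, 1_000_000 * i + 911 * i * i) for i in range(32)]

if __name__ == "__main__":
    print("normal seed:        ", mix_seed(TRACE_A).hex())
    print("broken RNG, trace A:", mix_seed(TRACE_A, broken_rng).hex())
    print("broken RNG, trace B:", mix_seed(TRACE_B, broken_rng).hex())
```

With the zero-output RNG, the seed equals the hash of the touch trace, so its unpredictability then rests entirely on how unpredictable the finger movement and its timing were.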
For more information about the cryptography in Threema, read the Cryptography Whitepaper.