What is Perfect Forward Secrecy?
A cryptographic system is said to have Perfect Forward Secrecy (PFS) if it’s not possible for an attacker who obtains a user’s private key in the present to use this key to decrypt messages the user has sent or received in the past.
This property is achieved by using separate keys for individual sessions or short periods of time instead of always using one and the same key.
Threema supports Perfect Forward Secrecy both on the transport layer and on the end-to-end layer. Technical information can be found in the Cryptography Whitepaper.
Related articles
Threema uses tried-and-tested asymmetric cryptography to protect messages and calls between sender and recipient (and the communication between the app and the servers). Threema uses the open-source library NaCl for encryption. Since the Threema apps are open source, anyone knowledgeable enough can confirm Threema’s security.
There are two layers of encryption: The end-to-end layer between the conversation participants, and an additional layer to protect against eavesdropping of the connection between the app and the servers. The latter is necessary to ensure that an adversary who captures network packets (e.g. on a public wireless network) cannot even learn who is logging in and who is communicating with whom.
All encryption and decryption happens directly on the device, and the user is in control over the key exchange. This guarantees that no third party – not even the server operators – can decrypt the content of the messages and calls.
Strength of the encryption: The asymmetric ECC based encryption used by Threema has a strength of 255 bits. According to a NIST estimate (page 54), this corresponds at least with the strength provided by 2048 bit RSA. ECDH on Curve25519 is used in conjunction with a hash function and a random nonce to derive a unique 256 bit symmetric key for each message. The stream cipher XSalsa20 is then used to encrypt the message. A 128 bit message authentication code (MAC) is also added to each message to detect manipulations/forgeries.
Perfect Forward Secrecy: Threema supports Perfect Forward Secrecy. For more details, please refer to this FAQ entry.For detailed technical information about the cryptography in Threema, read the Cryptography Whitepaper.
To find out how Threema stacks up against other messengers like WhatsApp, Signal, or Telegram in terms of security, privacy, and features, please refer to our comprehensive messenger comparison and the in-depth comparison of Threema and WhatsApp.
Comprehensive privacy protection requires solid message encryption, but there is more to it.
Full Anonymity
Threema can be used without providing any personal information whatsoever. Instead of a phone number, the Threema ID (a randomly generated eight-digit string) serves as unique identifier. Linking a phone number and/or email address to one’s Threema ID is optional.
Metadata Restraint
All data involved in communication other than the actual content is metadata. Serious privacy protection must include both protection of content and protection of metadata. The sole protection of content is insufficient because metadata allows to uniquely identify individuals, analyze their behavior, determine their circles of friends, detect their frequent locations, and monitor their communication behavior. Combined with data from other platforms, the picture that can be drawn of a person is much more detailed than one that could ever be drawn from message content alone. It’s likely that many messengers are used to systematically collect and analyze their users’ metadata. Threema, on the other hand, generates as little data as technically possible and only stores it as long as absolutely necessary.
Optional Contact Synchronization
Synchronizing your address book in order to retrieve your contacts’ Threema IDs (provided they have linked them, see above) is optional. If you don’t want to grant access to your address book, you can either scan your contacts’ Threema IDs or add them manually.
In case you enable contact synchronization or link your ID with a phone number or email address, you can rest assured that Threema uses this information only temporarily for the specified purpose. Personal information is always hashed, both in transit and on disk.
To find out how Threema stacks up against other messengers in regard to privacy protection, please refer to the messenger comparison.
Using Threema ought to generate as little data on our servers as possible – this is part of the concept. For that reason, data like contacts or group chats are stored in a decentralized way on user devices instead of on a Threema server. Our servers assume the role of a switch; messages and data are forwarded, but not permanently stored. Where there is no data, there is nothing to be accessed or misused. However, without some kind of (temporary) data storage, there cannot be any asynchronous communication. In the following, we will explain what kind of data we store, how we store it, and for how long.
- Messages and group chats: As soon as a message has been successfully delivered to the recipient, it is immediately deleted from the server. All messages and media are transmitted end-to-end encrypted in Threema. This means even if someone intercepted your message, it would be completely useless. Only the intended recipient is able to decrypt and read a message.
- No contact lists are stored when synchronizing contacts: The email addresses and phone numbers from your address book are anonymized (hashed) before they reach the server. Once the comparison is finished, they are immediately deleted from the server.
- Key pairs are generated in a decentralized way on your device. We will never know your private key, and therefore we cannot decrypt any message contents.
- Threema doesn’t log who is communicating with whom (i.e., which Threema IDs are communicating).
Further information can be found in the Cryptography Whitepaper.
Yes, to ensure full transparency, the Threema apps are open source.
Thanks to reproducible builds, there’s also a way to verify that the published code (of the Android app, for the time being) actually corresponds to the apps available for download in the app stores.
To learn how to download, build, and reproduce the Threema app’s code, please refer to the Open Source subsite.
Yes.
-
Android: Threema includes its own app-specific encryption based on AES-256 to protect stored messages, media, and your ID’s private key. The key used for this encryption is generated randomly the first time you start Threema,
and can optionally be protected by setting a Master Key Passphrase in the settings, which we highly recommend. Without a passphrase, the encryption will only add obscurity due to the way hardware encryption is handled on Android. If
you set a Master Key Passphrase, you will have to enter it after every restart of the device (and after the system has terminated the app due to low memory).
Note: the PIN lock, which can be enabled independently of the Master Key Passphrase, does not offer additional encryption; it is simply a UI lock.
-
iOS: Threema uses the iOS Data Protection feature to encrypt messages, images, etc. in the device’s flash storage. The key used for this encryption is linked to the device’s passcode. It is necessary to set a passcode in the
system settings to use this feature. On newer models, iOS also uses hardware features for the encryption. Therefore, even a simple six-digit passcode offers a certain protection. For the highest protection against brute-force
attacks, you should choose a longer, alphanumeric passcode.
Note: The passcode lock that is built into the app itself does not offer additional encryption. This feature is intended to keep nosy people from reading your messages when you intentionally give them your phone for a short time for another purpose. Encryption with a six-digit code inside the app would not be sensible, as brute-force attacks would be trivial (since unlike iOS, an app cannot access special hardware features to protect the key).
For detailed technical information about the cryptography in Threema, read the Cryptography Whitepaper.
Threema allows you to verify that the ID of the person you are communicating with is really theirs by scanning their QR code.
If you are sure about your chat partner’s ID, then there’s no way for an attacker to spoof or intercept/decrypt a message from or to your chat partner.
The connection between the app and the servers is secure against MITM attacks because the server authenticates itself to the app based on a public key that is hard-coded into the app and whose corresponding secret key is only known by the legitimate servers.
Please note: Threema can only be as secure as the device that it is running on. Malware that runs in the background on your device can intercept and falsify data without being noticed. We highly recommend to always install the most recent operating system updates and to only use software from trusted sources.
Threema GmbH runs its own servers in two high-security data centers of an “ISO 27001”-certified colocation partner in the Zurich area (Switzerland).
The state-of-the-art data centers include biometric access control, full-height turnstiles, video surveillance, emergency power systems, fire protection, fail-safe air-conditioning, and a fully redundant Internet connection.
Group Calls
Apart from (some) group calls, Threema’s servers in Switzerland handle all communication. (For one-to-one calls, a direct connection will be established between the call participants if possible, which means that no server at all is involved after the call has been established.) For group calls, Threema media routers located abroad may be used to ensure a low latency and smooth communication: if group calls had to be routed through the servers in Switzerland from anywhere in the world, call participants might have a hard time to interact with each other due to high latency.
The media routers abroad are unaware of the identities / Threema IDs of a group call’s participants, and all audio/video streams are end-to-end encrypted. For technical reasons, it is necessary for the media routers to know the IP addresses of a group call’s participants while the call is ongoing. However, this information is not logged and will be deleted from the working memory right after the group call has ended.
That’s your decision – Threema can be used without any address book access whatsoever.
By default, the synchronization is disabled, and no address book data will be read. In this case, you can add your Threema contacts manually (by typing in their IDs or scanning their QR codes).
If you decide to enable the synchronization, email addresses and phone numbers from your address book will only be transmitted to the server in one-way encrypted (“hashed”) form and are additionally protected using TLS encryption. The
servers only keep these hashes in volatile memory for a short time to determine the list of matching IDs, and then delete the hashes immediately. At no point are the hashes or the results of the synchronization written to disk.
Due to the relatively low number of possible phone number combinations, it is theoretically possible to crack hashes of phone numbers by trying all possibilities. This is due to the nature of hashes and phone numbers and cannot be solved differently (using salts like for hashing passwords does not work for this kind of data matching). Therefore we treat phone number hashes with the same care as if they were raw/unhashed phone numbers.
The Threema apps are open source, allowing anyone to audit Threema’s code on their own. Furthermore, external experts are commissioned to conduct comprehensive security audits on a regular basis. The most recent audits are listed below.
- 2024: Audit by Cure53 of the new desktop app, see blog post and audit report
- 2023: Security analysis of the “Ibex” communication protocol by security researchers from the Chair of Applied Cryptography at the University of Erlangen-Nuremberg, see blog post and analysis
- 2020: Audit by Cure53, see blog post and audit report
- 2019: Audit by Lab for IT Security of the Münster University of Applied Sciences, see blog post and audit report
For a comprehensive documentation of the algorithms and protocols used in Threema, please refer to the Cryptography Whitepaper.
There is a bug bounty program for reports concerning Threema’s security. If you discover a security issue, please file a report on GObugfree (where all the details, including the bounty levels, are listed).
Please report bugs concerning Threema’s apps using the support form.Threema meets the requirements of the European General Data Protection Regulation (GDPR). As a Swiss company, Threema is also subject to Switzerland’s strict Federal Act on Data Protection (DSG) and the accompanying Ordinance to the Federal Act on Data Protection (DPO).
Threema does not use phone numbers to address users and can be used anonymously without uploading address book data. It is therefore also suited for childern under the age of 16.
In contrast to conventional messengers, you can therefore be sure to comply with privacy laws when using Threema.
To retrieve your ID’s inventory data that’s stored on the Threema server, simply send “info” to the Threema ID *MY3DATA
, and you’ll immediately receive a reply in machine-readable form (JSON).
If you’re reading this page on the device where Threema is installed, simply open the following link, and then tap “Send”: https://threema.id/%2AMY3DATA?text=info
Explanation of the JSON keys:
- identity: Threema ID
- publicKey: Base64 coded
- issueDate: date of ID creation
- lastLogin: date of last login
- mobileNoHash: hash of linked phone number
- emailHash: hash of linked email address
- featureMask: bit mask of features supported by the Threema version in use
- 0x01: audio messages
- 0x02: group chat
- 0x04: polls
- 0x08: file transfer
- 0x10: calls
- 0x20: video calls
- pushtoken/voippushtoken: push token of the push services in use (GCM/FCM, APNS, HMS). This key is obsolete if the “pushtokens” key is present
- pushtokens: list of devices that have a push token associated to them
- device_id: base64-encoded bytes of the unsigned 64-bit integer that identifies a device
- push_token/voip_token:
- data: base64-encoded token
- timestamp: unix timestamp when the token was set
- type: describes the type of the token (HMS, Apple, FCM)
- pushsound/pushgroupsound: name of the chosen sound file for push messages (not used on all platforms)
- revocationKey: information about revocation password, if set
Editable inventory data can be modified or deleted at any time in the Threema app (in the “My Profile” (Android) or “Profile” (iOS) tab) with immediate effect (see this FAQ article for more information). To permanently delete your Threema ID’s inventory data, please revoke your ID.
Android
To inform Android users about incoming messages in the background, you can use Threema’s own and independent push service “Threema Push,” which doesn’t generate metadata for third parties.
Otherwise, Threema uses the push service already installed on the device, i.e., Firebase Cloud Messaging (FCM) by Google (or Huawei’s push kit HMS). The app then fetches messages directly from the Threema servers, decrypts them, and displays a local notification. Neither contents nor details about messages are transmitted via FCM (the FCM payload is empty), and all of Firebase’s tracking and analysis components have been removed.
iOS
Threema uses the Apple Push Notification Service (APNS) to inform recipients with iOS about new messages while the app is closed or in the background. The APNS message contains a payload that has been encrypted with a symmetric key, which is negotiated between the app and the Threema servers and is not known to Apple.
Within this encrypted payload, the Threema ID and nickname of the sender, the message ID, and the fact whether it is a direct or a group message, are transmitted.
The Threema app is started in the background for each incoming push notification, decrypts the push payload, downloads the corresponding message directly from the Threema servers, decrypts it, and shows a local message preview (if enabled) and the contact name of the sender.