- What makes Threema secure?
- How does Threema compare to other messengers?
- What’s special about Threema’s privacy protection?
- Which data gets stored at Threema?
- Is Threema open source?
- Are messages stored in encrypted form on my device?
- Could you decrypt my messages, for example if you were required to by law enforcement?
- How do you protect yourself against man-in-the-middle (MITM) attacks with Threema?
- Where are the servers located?
- Will my address book data be sent to your servers?
- How does Threema audit its code?
- How and where is my key pair generated?
- Is the use of Threema compliant with privacy laws?
- How can I find out which data is stored about my ID on Threema’s server?
- What kind of data is transmitted via push notification services?
What kind of data is transmitted via push notification services?
Threema uses the Apple Push Notification Service (APNS) to inform recipients with iOS about new messages while the app is closed or in the background. The APNS message contains a payload that has been encrypted with a symmetric key, which is negotiated between the app and the Threema servers and is not known to Apple.
Within this encrypted payload, the Threema ID and nickname of the sender, the message ID, and the fact whether it is a direct or a group message, are transmitted.
The Threema app is started in the background for each incoming push notification, decrypts the push payload, downloads the corresponding message directly from the Threema servers, decrypts it and shows a local message preview (if enabled) and the contact name of the sender.
Threema uses Firebase Cloud Messaging (FCM) to inform Android users about incoming messages in the background. The app then fetches messages directly from the Threema servers, decrypts them and displays a local notification. Neither contents nor details about messages are transmitted via FCM (the FCM payload is empty), and all of Firebase’s tracking and analysis components have been removed.
You can choose whether or not you would like to use Google services for Threema’s push notifications: The option “Settings > About Threema > Troubleshooting > Activate Polling” allows you to use Threema without FCM. However, we don't recommend this.
The development of a custom push service is difficult because its reliability depends on numerous factors. We are therefore consciously using the recognized push services of Apple, Google and Microsoft. They are already installed on the vast majority of devices. Furthermore, channelling push notifications saves battery power.