What is the QR code good for?
This FAQ article covers the QR code that can be displayed in the app (and is used to confirm a contact’s identity and add their Threema ID at the same time; green verification level), not to be confused with the QR code on threema.id websites (which can only be used to add contacts; red verification level).
Scanning QR codes is a means for confirming contacts' identities. That way, man-in-the-middle attacks can be effectively prevented: If you receive a message of a confirmed contact (i.e., verification level 3), you can be sure that it wasn't spoofed or read by a third party (provided said contact's device wasn't stolen or hacked). On top of that, scanning someone's QR code is a convenient way of adding them to your contact list without having to manually enter their ID.
Display your own QR code
- Android: Navigate to the “My Profile” tab, and tap on the QR code icon
- iOS: Navigate to the “My Profile” tab, and tap on the QR code
Scan a contact’s QR code
- Android: In the Contacts tab, tap the “New contact” button, and select “Scan ID”
- iOS: Threema > My Profile > camera icon in the top right corner
If you are having trouble scanning a QR code, please make sure the camera is not too close (below 10 in/25 cm), which might prevent it from focussing.
The dots are an indicator for a contact's verification level. They don't affect the encryption strength, but are a measure for the probability, that the saved public key of a contact belongs indeed to that contact.
- Level 1 (red): The ID and public key have been obtained from the server because you received a message from this contact for the first time or added the ID manually. No matching contact was found in your address book (by phone number or email), and therefore you cannot be sure that the person is who they claim to be in their messages.
- Level 2 (orange): The ID has been matched with a contact in your address book (by phone number or email). Since the server verifies phone numbers and email addresses, you can be reasonably sure that the person is who they claim to be.
- Level 2 (blue): This verification level is only available in Threema Work; it indicates that the Threema ID belongs to an internal company contact.
- Level 3 (green): You have personally verified the ID and public key of the person by scanning their QR code. Assuming their device has not been hijacked, you can be very sure that messages from this contact were really written by the person that they indicate.
- Level 3 (blue): This verification level is only available in Threema Work; it indicates that the Threema ID belongs to an internal contact whose ID and public key you have verified by scanning their QR code.
The verification levels don't change anything in the encryption strength (it is always the same high-grade ECC based encryption), but they are a measure of thetrust that the public keys saved for your contacts really belong to them. Having the wrong public keys leaves you open to man-in-the-middle (MITM) attacks, therefore it isimportant to verify the keys.
Threema allows to verify that the ID of the person you are communicating with is really theirs.
If you are sure about your chat partner's ID, then there's no way for an attacker to spoof or intercept/decrypt a message from or to your chat partner.
The connection between the app and the servers is secure against MITM attacks because the server authenticates itself to the app based on a public key that is hard-coded into the app and whose corresponding secret key is only known by the legitimate servers.
Please note: Threema can only be as secure as the device that it is running on. Malware that runs in the background on your device can intercept and falsify data without being noticed. We highly recommend to always install the most recent operating system updates and to only use software from trusted sources.