What makes Threema Safe secure?
Threema Safe encrypts the backup data using the password you specify. To derive a cryptographic key from the password, the scrypt algorithm is used. This algorithm is memory- and computation-intensive in order to render brute-force attacks challenging. It is, of course, still important to choose a secure password. The compressed backup data is encrypted using the NaCl library, which applies the XSalsa20 and Poly1305 algorithms.
The backup’s file name is also derived from the user’s password. Therefore, the Threema Safe server cannot determine which backup belongs to which ID. Finding (and, of course, decrypting) the backup of a given ID is only possible if the
backup’s password is known.
Threema Safe is optional, and you can store backups either on the Threema server or on your own server.
For technical details, please refer to the Cryptography Whitepaper.
Related articles
There are PDF documents for the different platforms available where all backup options are explained in detail:
Threema doesn’t store your data on a central server, your data is only stored on your local device. This provides the ideal protection against unauthorized access.
To prevent that your Threema ID, your contacts, and your groups (as well as other data and some settings) are lost if you ever happen to lose access to your device, Threema Safe regularly creates an anonymous and encrypted backup of this data on the Threema server or on another server of your choice.
Threema Safe is platform independent. No matter what Threema version (Android or iOS) was used to create a Threema Safe backup, it can be restored on any platform. This allows to conveniently transfer basic Threema data from one platform to another.
Enable Threema Safe
- Android
- In Threema’s main screen, open the main menu by tapping the three vertical dots in the top right corner, and select “Backups”
- Enable “Threema Safe,” and set a secure password (without this password, you will not be able to restore your Threema Safe backup)
- iOS
- In Threema’s main screen, open the “Profile” tab, and tap on “Threema Safe”
- Enable “Threema Safe,” and set a secure password (without this password, you will not be able to restore your Threema Safe backup)
Learn how to store your Threema Safe backup on your own server in this guide.
Threema Safe regularly creates an encrypted backup of your basic data:
- Your Threema ID (including the public and private key)
- Your nickname
- Your profile picture
- Your contacts (including verification level)
- Your group memberships
- Android: your distribution lists
Furthermore, Threema Safe backups contain the following Privacy settings:
- Sync contacts
- Block unknown
- Send read receipts
- Send typing indicator
- Exclusion list
- Blacklist
- Enable Threema Call
- Always relay calls
- Android: no thumbnails and screenshots
- Android: request incognito keyboard
Threema Safe backups don’t include chats, media files, and profile pictures of contacts and groups. To save chats, please create a data backup or use the export feature.
Provided that changes were made to the data to be backed up and an Internet connection is established, Threema Safe creates a backup approximately every 24 hours. Each backup replaces the previous one.
You can manually trigger the backup process:
- Android: Tap the three dots in the top right corner, select “Backups,” and tap “Backup now.”
- iOS: Navigate to “Profile > Threema Safe,” and tap on “Backup now.”
If the Threema app on your device doesn’t connect to the Threema server for 180 days, your backup will be deleted automatically from the server. To manually delete your Threema Safe backup, simply disable Threema Safe in “Backups” or “Profile.”
There are PDF documents for the different platforms available where all backup options are explained in detail:
Threema Safe backups can be restored in the setup wizard. To restore a Threema Safe backup, you will need your Threema Safe password and your Threema ID. If there is already a Threema ID set up on your device, delete it first:
- Android
- In Threema’s main screen, tap on “My Profile”
- Tap “Delete ID”
- iOS
- In Threema’s main view, select “Profile”
- Scroll to the bottom, and tap “Remove ID and Data”
In the setup wizard, select “Restore from backup,” and follow the on-screen instructions.
If you don’t remember your Threema ID, you can tap “Forgot your ID?” to retrieve it. This only works, if you have linked it to a phone number or email address.
If you don’t remember the password of your Threema Safe backup or your Threema ID, there is no way to restore it.
Threema Safe can be used with any WebDAV server (such as NextCloud), provided that the server can be reached via the Internet and is equipped with a valid TLS certificate trusted by the operating system (not self-signed).
To support iOS clients, the server needs to be compliant with the ATS requirements.
Configure the Server
- Create a directory for Threema Safe on your WebDAV server, e.g., /path/to/threema_safe
- In /path/to/threema_safe, create a text file, name it “config” (without filename extension), and add this content:
{
"maxBackupBytes": 524288,
"retentionDays": 180
}
Please note that we cannot provide support for server setup and configuration.
Configure the App
- Android
- In Threema for Android’s main view, tap the three dots in the top right corner, and select “Backups”
- Activate “Threema Safe,” and tap on “Expert Settings”
- Deactivate “Use default server,” and enter the URL to your Threema Safe directory (as defined above), e.g., https://myserver.org/path/to/threema_safe. If your server requires HTTP authentication, please specify your username and password
- iOS
- In the “Profile” tab, select “Threema Safe”
- Activate Threema Safe
- Deactivate “Use default server,” and enter the URL to your Threema Safe directory (as defined above), e.g., https://myserver.org/path/to/threema_safe. If your server requires HTTP authentication, please specify your username and password
There is no way to reset your Threema Safe password if you don’t have access to your mobile device (e.g., in case of loss). If you have access to the mobile device where your Threema ID is set up, you can change the password as follows:
- Android: Open Threema, and open the main menu by tapping the three vertical dots in the top right corner, and select “Backups.” Then, tap “Change Password.”
- iOS: Open Threema, and navigate to “Profile > Threema Safe,” and tap “Change Password.”
If you use Threema Work, please contact your administrator to complete the setup process and start using Threema Work. It is not required to register on this website.