In order to verify that the published source code was actually used to build the apps available for download in the stores, we provide reproducible builds.

Please note that Threema’s reproducible builds are still experimental. If a build cannot be reproduced, please let us know, and we’ll look into it.

Android

Prerequisites: A command line environment including bash, git, curl, gunzip and unzip as well as a Docker installation.

1. Determine App Version

In the Threema app on your phone, navigate to “Settings > About Threema,” and take note of the version. Export this information as well as the build variant (either googleplay, threemashop or hms) into variables. For example, if you’re using the Google Play version of Threema 4.54 for Android:

$ export VERSION=4.54 VARIANT=googleplay

2. Extract the APK from Your Device

First, you need to extract the APK file from your phone. The recommended way to do this is by using Android Debug Bridge (adb) on a phone where Developer Mode is enabled. Run the following command:

$ adb pull $(adb shell pm path ch.threema.app | grep "/base.apk" | sed 's/^package://') threema-extracted.apk

This will result in a file named threema-extracted.apk in your current directory.

There are also other ways to extract an APK file, e.g., by using backup apps or by means of a file manager on a rooted phone. How you obtain the APK is up to you.

Please note: If you use the Threema Shop version of Threema, you can also download the APK directly from the website instead of extracting it from your phone.

3. Load Docker Image

In order to reproduce the build, you need to load the Docker image containing the build environment that was used to generate the published app. The image can be downloaded from the Threema website.

$ cd /tmp
$ curl -LO https://oss.threema.ch/android/docker/docker-image-android-$VERSION.tar.gz
$ gunzip --stdout docker-image-android-$VERSION.tar.gz | docker image load

You can verify that the image was loaded properly by running docker image ls threema/android-compile.

4. Build Threema for Android

Next, you should compile Threema. First, clone the repository:

$ git clone https://github.com/threema-ch/threema-android
$ cd threema-android

Check out the tag corresponding to your app version.

$ git checkout $VERSION

Next, build the release APKs.

$ ./scripts/build-release.sh -v $VARIANT -n $VERSION --no-image-export --i-accept-the-android-sdk-license

This will result in an APK file at release/$VERSION/googleplay/ (for the Google Play variant used in this example).

5. Verify the Result

You can use the verify-build.sh script to verify the locally compiled APK against the extracted APK.

$ ./scripts/verify-build.sh -n $VERSION -v $VARIANT -p threema-extracted.apk
...
==> Comparing releases
==> Success! The APKs match.

If you get “Success” as log output, you have successfully verified that the app you have installed on your device corresponds to the published source code!

In case the verification fails, don’t panic! Please double-check that the version of the extracted APK corresponds to the source-code version you have checked out. If you are positive that this is correct, please send the log to opensource@threema.ch.
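The steps above, chained into a single POSIX shell wrapper as an added example (this is not one of Threema's own scripts). It validates the version and variant before they are interpolated into a URL or git tag, skips the image download if the image is already loaded, refuses to build if the requested tag does not exist, and then hands the extracted APK to verify-build.sh by absolute path. The image name threema/android-compile, the script flags and the download URL are taken from the page; the output directory release/$VERSION/$VARIANT is an assumption generalised from the googleplay path shown above.

```shell
#!/bin/sh
# Added example wrapper around the page's reproducible-build steps.
# Assumption: build-release.sh writes to release/$VERSION/$VARIANT for every
# variant, not only for googleplay. Everything else follows the page.
set -eu

# Build variants the page lists for the -v flag of build-release.sh.
check_variant() {
    case "$1" in
        googleplay|threemashop|hms) return 0 ;;
        *) return 1 ;;
    esac
}

# Versions look like 4.54 or 4.54.1. Reject anything else before the value
# is interpolated into a download URL or a git tag name.
check_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
        *) return 0 ;;
    esac
}

# Download URL of the build-environment image for a given version (from the page).
docker_image_url() {
    printf 'https://oss.threema.ch/android/docker/docker-image-android-%s.tar.gz\n' "$1"
}

# Directory where the built APK lands (assumption: variant sub-directory).
release_dir() {
    printf 'release/%s/%s\n' "$1" "$2"
}

# Step 3: load the image only if no threema/android-compile image is present yet.
load_image() {
    version="$1"
    if [ -z "$(docker image ls -q threema/android-compile 2>/dev/null)" ]; then
        curl -fLO "$(docker_image_url "$version")"
        gunzip --stdout "docker-image-android-$version.tar.gz" | docker image load
    fi
}

# Steps 4 and 5: clone, check out the tag, build, compare against the extracted APK.
reproduce() {
    version="$1" variant="$2" apk="$3"
    check_version "$version" || { echo "bad version: $version" >&2; return 1; }
    check_variant "$variant" || { echo "bad variant: $variant" >&2; return 1; }
    [ -f "$apk" ] || { echo "extracted APK not found: $apk" >&2; return 1; }
    # verify-build.sh is run from inside the repository, so pass an absolute path.
    apk="$(cd "$(dirname "$apk")" && pwd)/$(basename "$apk")"
    load_image "$version"
    [ -d threema-android ] || git clone https://github.com/threema-ch/threema-android
    cd threema-android
    # Fail early if the tag is missing instead of silently building HEAD.
    git rev-parse --verify --quiet "refs/tags/$version" >/dev/null || {
        echo "no tag $version in repository" >&2; return 1; }
    git checkout --quiet "$version"
    ./scripts/build-release.sh -v "$variant" -n "$version" \
        --no-image-export --i-accept-the-android-sdk-license
    ls "$(release_dir "$version" "$variant")"
    ./scripts/verify-build.sh -n "$version" -v "$variant" -p "$apk"
}

# Usage: sh reproduce.sh 4.54 googleplay threema-extracted.apk
if [ $# -eq 3 ]; then
    reproduce "$@"
fi
```

Run it from the directory that holds the extracted APK; the repository is cloned there (or reused if it already exists), and the final lines of output are the "==> Comparing releases" / "==> Success! The APKs match." messages from verify-build.sh described above.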

iOS

At the moment, reproducible builds are available for Threema’s Android app. Due to restrictions by Apple, it’s no easy task to offer reproducible builds for iOS, but we are currently evaluating possible ways to also support reproducible builds for this platform.