Threema - Seriously secure messaging

What makes Threema secure?

Threema uses state-of-the-art asymmetric cryptography to protect messages and calls between sender and receiver, as well as the communication between the app and the servers. Threema uses the Open Source NaCl library for encryption, which is open to independent audits. Anyone can validate Threema's correct application of the encryption.

There are two layers of encryption: the end-to-end layer between the conversation participants, and an additional layer to protect against eavesdropping of the connection between the app and the servers. The latter is necessary to ensure that an adversary who captures network packets (e.g. on a public wireless network) cannot even learn who is logging in and who is communicating with whom.

All encryption and decryption happens directly on the device, and the user is in control over the key exchange. This guarantees that no third party — not even the server operators — can decrypt the content of the messages and calls.

Strength of the encryption: The asymmetric ECC based encryption used by Threema has a strength of 255 bits. According to a NIST estimate (page 54), this corresponds at least with the strength provided by 2048 bit RSA. ECDH on Curve25519 is used in conjunction with a hash function and a random nonce to derive a unique 256 bit symmetric key for each message, and the stream cipher XSalsa20 is then used to encrypt the message. A 128 bit message authentication code (MAC) is also added to each message to detect manipulations/forgeries.

Forward secrecy: Threema provides forward secrecy on the network connection (not on the end-to-end layer). Client and server negotiate temporary random keys, which are only stored in RAM and replaced every time the app restarts. An attacker who has captured the network traffic will not be able to decrypt it even if he finds out the long-term secret key of the client or the server after the fact.

For detailed technical information about the cryptography in Threema, read the Cryptography Whitepaper.

How does Threema compare to other messengers with encryption?

Many developers of messengers claim that their app encrypts the messages that users exchange. However, there are important factors to take into account:

Type of encryption

Other messengers: Transport encryption. With some messengers, only the connection between the user’s device and the server is encrypted, e.g. using SSL/TLS. Although this means that messages cannot be intercepted while in transit (a common problem in public wireless LAN hotspots), they are in unencrypted form again once they reach the server.

Threema: Full end-to-end encryption. Threema protects all messages using end-to-end encryption – not only messages in single chats but also group messages, files, and even profile pictures and status messages. A fallback to unencrypted or merely transport-encrypted connections is impossible. In addition, a separate transport encryption is used to protect the header information in transit.

Encryption library

Other messengers: Proprietary encryption technologies and algorithms. Some messengers use self-created encryption methods which aren’t established or which are controversial among experts.

Threema: Tried and trusted open-source encryption. Threema uses NaCl, a well-respected and widely used open-source encryption library. Using Threema’s Validation Logging, anyone can independently verify the correct application of the encryption.

Contact verification

Other messengers: No means of verifying contacts’ public keys. If there is no way for users to verify that messages are actually encrypted with a contact’s proper public key, a messenger is open to MITM attacks. The service provider could easily manipulate the automatic key exchange in order to read or forge messages without users noticing it.

Threema: Verification of contacts’ identities. With Threema, users can verify others’ identities by scanning their QR codes. This way, MITM attacks are prevented, and users can be sure that the key they’re using to encrypt messages to a certain user is actually the intended recipient’s public key, not someone else’s.

Key-pair generation

Other messengers: Unspecified key-pair generation. Key pairs (private key and public key) are the pivotal element of asymmetric encryption, yet many messenger providers don’t disclose how the key pairs are actually created. If key pairs are created and distributed by the service provider, the provider could keep a copy of the users’ private keys, which essentially means that there is a backdoor.

Threema: Local key-pair generation based on randomness. Threema’s key-pair generation is performed on users’ devices by means of randomness. The private keys never leave the users’ devices and remain unknown to Threema. Therefore, it is technically impossible for Threema to decrypt users’ messages.

Local encryption

Other messengers: Insufficient protection on users’ devices. Chats and files that are stored on users’ devices are protected only by weak encryption or are not encrypted at all.

Threema: Strong encryption on users’ devices. Chats and files that are stored on users’ devices are protected by strong encryption.

External security audits regularly review all security aspects of Threema, the used algorithms and protocols are well-documented, and the correct application of the encryption can be verified independently.

What’s special about Threema’s privacy protection?

Comprehensive privacy protection requires solid message encryption, but there is more to it.

Full anonymity

Threema can be used without providing any personal information whatsoever. Instead of a phone number, the Threema ID (a randomly generated eight-digit string) serves as unique identifier. Linking a phone number and/or email address to one’s Threema ID is optional.

Metadata restraint

All data involved in communication other than the actual content is metadata. Serious privacy protection must include both protection of content and protection of metadata. The sole protection of content is insufficient because metadata allows to uniquely identify individuals, analyze their behavior, determine their circles of friends, detect their frequent locations, and monitor their communication behavior. Combined with data from other platforms, the picture that can be drawn of a person is much more detailed than one that could ever be drawn from message contents alone. It’s likely that many messengers are used to systematically collect and analyze their users’ metadata. Threema, on the other hand, generates as little data as technically possible and only stores it as long as absolutely necessary.

Optional contact synchronization

Synchronizing your address book in order to retrieve your contacts’ Threema IDs (provided they have linked them, see above) is optional. If you don’t want to grant access to your address book, you can either scan your contacts’ Threema IDs or add them manually.

In case you enable contact synchronization or link your ID with a phone number or email address, you can rest assured that Threema uses this information only temporarily for the specified purpose. Personal information is always hashed, both in transit and on disk.

Independent messenger comparison: An independent comparison of popular instant messengers in regard to privacy protection and security can be found here: securemessagingapps.com

Which data gets stored at Threema?

Using Threema ought to generate as little data on servers as possible – this is part of the concept. For that reason, data like e.g. contacts or group chats are stored in a decentralized way on user devices, instead of on a Threema server. Our servers assume the role of a switch; messages and data get forwarded, but not permanently stored. Where there is no data, there is nothing to be accessed or misused. However: without some kind of (temporary) data storage, there cannot be any asynchronous communication. In the following we will explain what kind of data we store, how we store it and for how long.

Messages and group chats: As soon as a message has been successfully delivered to the recipient, it is immediately deleted from the server. All messages and media are transmitted end-to-end encrypted in Threema. This means: even if someone intercepted your message, it would be completely useless. Only the intended recipient is able to decrypt and read a message.
No contact lists are stored when synchronizing contacts: The email addresses and phone numbers from your address book get anonymized (hashed) before they reach the server. Once the comparison is finished, they are immediately deleted from the server.
Key pairs are generated in a decentralized way on your device. Your private key is never known to us, and therefore we cannot decrypt any message contents.
Threema doesn't log who is communicating with whom (which Threema IDs are communicating).

Further information: Cryptography Whitepaper.

Are messages stored in encrypted form on my device?

Yes.

Android: Threema includes its own app-specific encryption based on AES-256 to protect stored messages, media and your ID's private key. The key used for this encryption is generated randomly the first time you start Threema, and can optionally be protected by setting a Master Key Passphrase in the settings, which we highly recommend. Without a passphrase, the encryption will only add obscurity due to the way hardware encryption is handled on Android. If you set a Master Key Passphrase, you will have to enter it after every restart of the device (and after the system has terminated the app due to low memory).

Note: The PIN lock, which can be enabled independently of the master key passphrase, does not cause any additional encryption; it is simply a UI lock.
iOS: Threema uses the iOS Data Protection feature to encrypt messages, images etc. in the device's flash storage. The key used for this encryption is linked to the device's passcode. It is necessary to set a passcode in the system settings to use this feature. On newer models, iOS also uses hardware features for the encryption; therefore even a simple six-digit passcode offers a certain protection. For the highest protection against brute force attacks, you should choose a longer, alphanumeric passcode.

Note: The passcode lock that is built into the app itself does not offer any additional encryption. This feature is intended to keep nosy people from reading your messages when you intentionally give them your phone for a short time for another purpose. Encryption with a six digit code inside the app would not be sensible, as brute force attacks would be trivial (since unlike iOS, an app cannot access special hardware features to protect the key).

For detailed technical information about the cryptography in Threema, read the Cryptography Whitepaper.

Could you decrypt my messages, for example if you were required to by law enforcement?

No, that is impossible, as we don't have the secret keys of our users (your secret key never leaves your device). Our servers do need to know who is sending a message to whom, so that they can route it to the correct recipient, but they do not log this information, and cannot decrypt the message's content.

How do you protect yourself against man-in-the-middle (MITM) attacks with Threema?

Threema allows to verify that the ID of the person you are communicating with is really theirs.

If you are sure about your chat partner's ID, then there's no way for an attacker to spoof or intercept/decrypt a message from or to your chat partner.

The connection between the app and the servers is secure against MITM attacks because the server authenticates itself to the app based on a public key that is hard-coded into the app and whose corresponding secret key is only known by the legitimate servers.

Please note: Threema can only be as secure as the device that it is running on. Malware that runs in the background on your device can intercept and falsify data without being noticed. We highly recommend to always install the most recent operating system updates and to only use software from trusted sources.

Will my address book data be sent to your servers?

That’s your decision – Threema can be used without any address book access whatsoever.

By default, the synchronization is disabled and no address book data will be read. In this case, you can add your Threema contacts manually (by typing in their IDs or scanning QR codes).

If you decide to enable the synchronization, email addresses and phone numbers from your address book will only be transmitted to the server in one-way encrypted (“hashed”) form and are additionally protected using TLS encryption. The servers only keep these hashes in volatile memory for a short time to determine the list of matching IDs, and then delete the hashes immediately. At no point are the hashes or the results of the synchronization written to disk.

Due to the relatively low number of possible phone number combinations, it is theoretically possible to crack hashes of phone numbers by trying all possibilities. This is due to the nature of hashes and phone numbers and cannot be solved differently (using salts like for hashing passwords does not work for this kind of data matching). Therefore we treat phone number hashes with the same care as if they were raw/unhashed phone numbers.

Where are the servers located?

Threema GmbH runs its own servers in two high-security data centers of an “ISO 27001”-certified colocation partner in the Zurich area.

The state-of-the-art data centers include biometric access control, full-height turnstiles, video surveillance, emergency power systems, fire protection, fail-safe air-conditioning, and a fully redundant Internet connection.

How does Threema audit its code?

Ensuring security and privacy is our main mission. Therefore, we review our code internally on a regular basis and with the greatest care. For encryption, Threema uses NaCl, a well-respected and widely used open-source library. Using Validation Logging, anyone can independently verify the correct application of the encryption.

Furthermore, well-established experts audit Threema periodically. Headed by Prof. Sebastian Schinzel, the Lab for IT Security of the Münster University of Applied Sciences has conducted the latest audit in March 2019. With considerable effort and all the required technical expertise, the Android and the iOS app as well as Threema Safe were examined in great detail for possible security flaws. However, no critical vulnerabilities were found, and the researches gave Threema top grades. Read the full audit report.

For a comprehensive documentation of the algorithms and protocols used in Threema, please refer to the Cryptography Whitepaper.

How and where is my key pair generated?

During initial setup of your Threema ID, a key pair for the encryption of messages based on Elliptic Curve Cryptography (ECC) is generated. This key generation is performed directly on your phone, without any server interaction. The private key never leaves your device. The random data necessary for key pair generation is obtained from the phone's random number generator and is mixed with further random data that you generate yourself by moving your finger on the screen. This ensures that even if a weakness is discovered in the phone's random number generator, the private keys of the users cannot be cracked.

For more information about the cryptography in Threema, read the Cryptography Whitepaper.

Is the use of Threema compliant with privacy laws?

Threema meets the requirements of the European General Data Protection Regulation (GDPR). As a Swiss company, Threema is also subject to Switzerland’s strict Federal Act on Data Protection (DSG) and the accompanying Ordinance to the Federal Act on Data Protection (VDSG).

Threema does not use phone numbers to address users and can be used anonymously without uploading phone book data. It is therefore also suited for childern under the age of 16.

In contrast to conventional messengers, you can therefore be sure to comply with privacy laws when using Threema.

How can I find out which data is stored about my ID on Threema’s server?

To retrieve your ID’s inventory data that’s stored on the Threema server, simply send “info” to the Threema ID *MY3DATA, and you’ll immediately receive a reply in machine-readable form (JSON).

If you’re reading this page on the device where Threema is installed, simply open the following link, and then tap “Send”: threema://compose?text=info&id=*MY3DATA

Explanation of the JSON keys:

publicKey: Base64 coded
issueDate: date of ID creation
lastLogin: date of last login
mobileNoHash: hash of linked phone number
emailHash: hash of linked email address
featureMask: bit mask of features supported by the Threema version in use

0x01: Audio messages
0x02: Group chat
0x04: Polls
0x08: File transfer
0x10: Calls

pushtoken/voippushtoken: Push token of the push services in use (GCM/FCM, APNS, WNS)
pushsound/pushgroupsound: name of the chosen sound file for push messages (not used on all platforms)
revocationKey: information about revocation password, if set

Editable inventory data can be modified or deleted at any time in the Threema app (in the “My ID” tab) with immediate effect (see this FAQ article for more information). To permanently delete your Threema ID’s inventory data, please revoke your ID.

What kind of data is transmitted via push notification services?

iOS

Threema uses the Apple Push Notification Service (APNS) to inform recipients with iOS about new messages while the app is closed or in the background. The APNS message contains a payload that has been encrypted with a symmetric key, which is negotiated between the app and the Threema servers and is not known to Apple.

Within this encrypted payload, the Threema ID and nickname of the sender, the message ID, and the fact whether it is a direct or a group message, are transmitted.

The Threema app is started in the background for each incoming push notification, decrypts the push payload, downloads the corresponding message directly from the Threema servers, decrypts it and shows a local message preview (if enabled) and the contact name of the sender.

Android

Threema uses Firebase Cloud Messaging (FCM) to inform Android users about incoming messages in the background. The app then fetches messages directly from the Threema servers, decrypts them and displays a local notification. Neither contents nor details about messages are transmitted via FCM (the FCM payload is empty), and all of Firebase’s tracking and analysis components have been removed.

You can choose whether or not you would like to use Google services for Threema’s push notifications: The option “Troubleshooting > Activate Polling” allows you to use Threema without FCM. However, we don't recommend this.

The development of a custom push service is difficult because its reliability depends on numerous factors. We are therefore consciously using the recognized push services of Apple, Google and Microsoft. They are already installed on the vast majority of devices. Furthermore, channelling push notifications saves battery power.

Threema provides maximum security and comprehensive privacy protection

No other chat service offers a similar level of security, metadata restraint, and confidentiality.

Security and Privacy by Design

Consistent end-to-end encryption

Anonymous use, no account required

Optional Contact Synchronization

Unparalleled metadata restraint

Decentralized architecture

Strong encryption on the mobile device

Frequent security audits

Security and Privacy