Threema Focuses on Security and Comprehensive Privacy Protection
Security, confidentiality, and metadata restraint lie at the heart of Threema.
Security and Privacy by Design
Threema was designed from the ground up with security and privacy in mind. Since day one, the restraint on metadata has been our guiding principle. For where there is no data, no data can be misused. Threema’s server only assumes the role of a switch: After a message has been delivered to its recipient, it will be permanently deleted at once.
The focus on security and privacy protection is also reflected in the implementation of numerous particular features, such as profile pictures, Threema calls, and the desktop app / web client.
Threema is committed to full transparency, and for this reason, the apps are open source. On top of that, renowned experts are regularly commissioned to conduct comprehensive security audits.
How does Threema stack up against Signal, Telegram, and WhatsApp? Find out:
Consistent End-to-End Encryption
Threema employs the tried and tested open-source cryptography library NaCl. All messages are end-to-end encrypted, and the users are in control of the key exchange. This guarantees that no third party, not even the server operator, can decrypt messages.
The whole communication – including group messages, photos and videos, files, voice calls, and even status messages – is always end-to-end encrypted. In contrast to conventional messenger apps, a fallback to unencrypted connections is ruled out by design.
Thanks to support of Perfect Forward Secrecy, a potential attacker couldn’t even decrypt a user’s previous messages if they somehow managed to obtain the current private key of said user.
The algorithms and design decisions behind the cryptography in Threema are explained in the Cryptography Whitepaper.
Metadata Restraint as a Guiding Principle
Threema is designed to generate as little data on servers as technically possible. Groups* and contact lists are solely managed on the users’ devices, not on the server, messages are deleted immediately upon delivery, no log files are created, and no personally identifiable information is collected.
Open Source and External Audits
To ensure full transparency, the Threema apps’ source code is publicly accessible and open for review. Thanks to reproducible builds, anyone can verify that the published code (of the Android app, for the time being) corresponds to the apps in the stores.
On top of that, external experts are regularly commissioned to conduct systematic security audits, and the resulting reports are published in their entirety.
Anonymous Use, No Account Required
It is not necessary to provide a phone number or email address in order to use Threema. When setting up the app, each user generates a Threema ID, which serves as unique identifier. Since this ID is a random sequence of characters, Threema can be used anonymously. No central user account is created.
Optional Contact Synchronization
Threema can be used without access to your address book. If you do grant access to the address book in order to retrieve your contacts’ Threema IDs, the contact data is transferred in one-way encrypted form and will not be stored on the server.