
Developer(s) Threema GmbH
Initial release May 2013; 10 years ago (2013-05)
Operating system HarmonyOS, Linux, macOS, Android, iOS, Web
Service name Instant messaging

Threema is a paid cross-platform encrypted instant messaging app developed by Threema GmbH in Switzerland and launched in 2012. The service operates on a decentralized architecture and offers end-to-end encryption. Users can make voice and video calls, send photos, files, and voice notes, share locations, and make groups. Unlike many other popular secure messaging apps, Threema does not require a phone number or email address for registration, only a one-time purchase that can be paid via an app store or anonymously with Bitcoin or cash. [1]


Threema is available on iOS and Android, has clients for Windows, macOS, Linux and HarmonyOS, and can be accessed via a web browser, but requires a mobile app to function. [2]


The service claims to be based on the privacy by design principles by not requiring a phone number or other personally identifiable information. This helps anonymize the users to a degree. [3] [4] [5]

Threema uses a user ID, created after the initial app launch by a random generator, instead of requiring a linked email address or phone number to send messages. It is possible to find other users by phone number or email address if the user allows the app to synchronize their address book. [6] Linking a phone number or email address to a Threema ID is optional. Hence, the service can be used anonymously. Users can verify the identity of their Threema contacts by scanning their QR code when they meet physically. The QR code contains the public key of the user, which is cryptographically tied to the ID and will not change during the lifetime of the identity. [7] Using this strong authentication feature, users can make sure they have the correct public key from their chat partners, which provides additional security against a man-in-the-middle attack. Threema distinguishes three levels of authentication (trust levels of the contact's identity). The verification level of each contact is displayed in the Threema application as dots next to the corresponding contact.

In addition to text messaging, users can make voice and video calls, send multimedia, locations, voice messages, and files. [8] A web app version, Threema Web, can be used on desktop devices, [9] but only as long as the phone with the Threema installation of the user is online. There is a beta for iOS users, where it is possible to take the phone offline and still use the desktop app. [10]

In addition to one-on-one chats, Threema offers group chats up to 256 people. Users can make voice and video calls, send text and voice messages, multimedia, locations, and files of any type (up to 50 MB per file). [8] [11] It is also possible to create polls in personal or group chats. [12]


Threema is developed by the Swiss company Threema GmbH. [13] [14] The servers are in Switzerland and the development is based in Pfäffikon SZ. As of May 2021, Threema had 10 million users [15] and the business version, Threema Work, was used by 2 million users across 5,000 companies and organizations. [16]

At the end of July 2021, Threema introduced the ability for companies to host the messenger on their own server, primarily intended for companies with significantly high privacy concerns. [17]


Threema (clients)
Developer(s) Threema GmbH
Initial release December 2012 (2012-12) [18]
Stable release(s)
Android 5.2.3 [19] / 23 January 2024
iOS 4.6.17 [20] / 14 March 2022
Desktop 1.2.0 [21] / 27 March 2022
Written in Objective-C (iOS), Java (Android), C, .NET (Windows Phone)
Operating system iOS, Android, Windows Phone
Available in English, German, French, Spanish, Italian, Russian, Brazilian Portuguese, Polish, Rumantsch Grischun
Type Encrypted instant messaging & voice calling
License Android client: AGPL-3.0-only
iOS client: AGPL-3.0-only
Web client: AGPL-3.0-or-later [22]
Protocol: MIT [23]
Server: Proprietary

With Threema Web, a client for web browsers, Threema can be used from other devices like desktop computers, though only as long as the original device is online.

Threema optionally supports Android Wear smartwatch and Android Auto. [24] Threema launched support for end-to-end encrypted video calls on August 10, 2020. The calls are person-to-person with group calls unavailable. [25]

The application does not allow the self-deletion of messages after a period defined by the interlocutors. The application does prevent screenshots in conversations when configured to do so.


The entire communication via Threema is end-to-end encrypted. During the initial setup, the application generates a key pair and sends the public key to the server while keeping the private key on the user's device. [26] The application then encrypts all messages and files that are sent to other Threema users with their respective public keys. [27] [28] Once a message is delivered successfully, it is immediately deleted from the servers. [29]

The encryption process used by Threema is based on the open-source NaCl library. Threema uses asymmetric ECC-based encryption, with 256-bit strength. Threema offers a "Validation Logging" feature that makes it possible to confirm that messages are end-to-end encrypted using the NaCl Networking and Cryptography library. [30] In August 2015, Threema was subjected to an external security audit. [31] Researchers from cnlab confirmed that Threema allows secure end-to-end encryption, and claimed that they were unable to identify any weaknesses in the implementation. Cnlab researchers also confirmed that Threema provides anonymity to its users and handles contacts and other user data as advertised. [32] [33]


Threema was founded in December 2012 by Manuel Kasper. [34] The company was initially called Kasper Systems GmbH. [35] Martin Blatter and Silvan Engeler were later recruited to develop an Android application that was released in early 2013. [36]

In summer 2013, the Snowden leaks helped create an interest in Threema, boosting the user numbers to the hundreds of thousands. [37] When Facebook took over WhatsApp in February 2014, Threema got 200,000 new users, doubling its userbase in 24 hours. [38] Around 80% of those new users came from Germany. By March 2014 Threema had 1.2 million users. [36]

In Spring 2014, operations were transferred to the newly created Threema GmbH. [35] [39]

In December 2014, Apple listed Threema as the most-sold app of 2014 at the German App Store. [40]

In 2020, Threema expanded with video calls, [25] plans to open-source its client-side apps and introduce reproducible builds of them, [41] as well as introduce Threema Education, a variation of Threema intended for education institutions.

During the second week of 2021, Threema saw a quadrupling of daily downloads spurred on by controversial privacy changes in the WhatsApp messaging service. A spokesperson for the company also confirmed that Threema had risen to the top of the charts for paid applications in Germany, Switzerland, and Austria. [42] This trend continued into the third week of the year, with the head of Marketing & Sales confirming that downloads had increased to ten times the regular amount, leading to "hundreds of thousands of new users each day". [43]

In October 2022, researchers from ETH Zurich reported multiple vulnerabilities affecting Threema's security against network, server and client-based attacks. A new release fixing these issues was released in November 2022 and the vulnerabilities were announced publicly in January 2023. [44]

Threema Work: On May 25, 2016, Threema Work, a corporate version of Threema, was released. Threema Work offers extended administration and deployment capabilities. [45] Threema Work is based on a yearly subscription model. [46]

Threema Gateway: On March 20, 2015, Threema released a gateway for companies. Similar to an SMS gateway, businesses can use it to send messages to their users who have Threema installed. [47] The code for the Threema Gateway SDK is open for developers and available on GitHub. [48]

Threema Broadcast: On August 9, 2018, Threema released Threema Broadcast, a tool for top-down communication. Similar to emails in electronic newsletters, Threema messages can be sent to any number of feed subscribers, and Threema Broadcast also allows the creation of chatbots. [49]

Threema Education: On September 10, 2020, Threema released Threema Education, a version of its messenger designed for education institutions. The app integrates Threema Broadcast and requires a one-time payment for each device used. It's intended for use by teachers, students, and parents. [50]

Threema OnPrem: On July 27, 2021, Threema released Threema OnPrem, a version of the messenger which could be hosted on a company's own servers for maximum security purposes. [51]


Since Threema's servers are in Switzerland, they are subject to the Swiss federal law on data protection. The data center is ISO/IEC 27001-certified. [52] Linking a phone number and/or email address to a Threema ID is optional; when doing so, only checksum values (SHA-256 HMAC with a static key) of the email address and/or phone number are sent to the server. [53] Due to the small number of possible digit combinations of a telephone number, the phone number associated with a checksum could be determined by brute force. The transmitted data is TLS-secured. The address book data is kept only in the volatile memory of the server and is deleted immediately after synchronizing contacts. [54] If a user chooses to link a phone number or email address with their Threema ID, they can remove the phone number or email address at any time. [55] Should a user ever lose their device (and their private key), they can revoke their Threema ID if a revocation password for that ID has been set. [56]
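The brute-force concern about phone-number checksums described above can be shown in a few lines. This is an added example, not code from Threema or its whitepaper: the key, the phone number and the hashing rate are constructed assumptions, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed placeholder: NOT Threema's real key. What matters is that the key
# is static and built into every client, so it cannot be treated as a secret.
STATIC_KEY = b"constructed-static-key-not-threema"


def phone_checksum(digits: str, key: bytes = STATIC_KEY) -> str:
    """Return the hex HMAC-SHA256 of a phone number given as a digit string."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def candidate_count(unknown_digits: int) -> int:
    """Number of phone numbers that share a known prefix."""
    return 10 ** unknown_digits


def worst_case_seconds(unknown_digits: int, hashes_per_second: int) -> float:
    """Time to hash every candidate at an assumed hashing rate."""
    return candidate_count(unknown_digits) / hashes_per_second


def match_checksum(checksum: str, prefix: str, unknown_digits: int,
                   key: bytes = STATIC_KEY):
    """Hash every number under `prefix`; return the one that matches, or None."""
    for n in range(candidate_count(unknown_digits)):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hmac.compare_digest(phone_checksum(candidate, key), checksum):
            return candidate
    return None


if __name__ == "__main__":
    number = "41790000042"               # constructed number, not a real subscriber
    observed = phone_checksum(number)    # what a party holding the checksum sees

    # With the static key known, a 4-digit unknown suffix is only 10,000 hashes.
    print(match_checksum(observed, "4179000", 4))

    # Without the right key the same search finds nothing: the key is the only
    # barrier, and a static key shipped in every client is not a secret.
    print(match_checksum(observed, "4179000", 4, key=b"some-other-key"))

    # Nine unknown digits at an assumed 1,000,000 hashes per second.
    print(worst_case_seconds(9, 1_000_000), "seconds")
```

The checksum therefore works as a matching token for contact discovery rather than as a way to hide the number, which is why the retention behaviour described in this paragraph (volatile memory only, deletion after synchronization) carries the privacy guarantee.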

Groups are solely managed on users’ devices and group messages are sent to each recipient as an individual message, encrypted with the respective public key. Thus, group compositions are not directly exposed to the server. [57]

Data (including media files) stored on the users’ devices is encrypted with AES 256. On Android, it can be additionally protected by a passphrase. [58]

Since 2016, Threema GmbH publishes a transparency report where public authority inquiries are disclosed. [59]

On March 9, 2017, Threema was listed in the "Register of organizers of information dissemination in the Internet" operated by the Federal Service for Supervision of Communications, Information Technology and Mass Media of the Russian Federation. [60]

In a response, a Threema spokesperson publicly stated: "We operate under Swiss law and are neither allowed nor willing to provide any information about our users to foreign authorities." [61]

On April 29, 2021, Threema won a significant case at the Federal Supreme Court of Switzerland against the Swiss Federal Department of Police and Justice, who wished to classify the company as a telecommunications provider. Had they lost the case, Threema would have had a legal requirement to identify users and send information about their users to law enforcement. [62]

Starting January 2022, Swiss Armed Forces suggested that the troops should use Threema instead of WhatsApp, Telegram and Signal, citing Threema being Swiss-based without servers in the United States and thus not subject to the CLOUD Act, also promising that soldiers would be reimbursed for the cost. [63]


In February 2014, German consumer organisation Stiftung Warentest evaluated several data-protection aspects of Threema, WhatsApp, Telegram, BlackBerry Messenger and Line. It considered the security of the data transmission between clients, the services' terms of use, the transparency of the service providers, the availability of the source code, and the apps' overall availability. Threema was the only app rated as 'non-critical' (unkritisch) in relation to data and privacy protection, but lost marks due to its closed-source nature, though this has changed for its frontend clients since the end of 2020. [64]

Along with Cryptocat and Surespot, Threema was ranked first in a study evaluating the security and usability of instant messaging encryption software, conducted by the German PSW Group in June 2014. [65]

As of November 2015, Threema had a score of 6 out of 7 points on the – now withdrawn and outdated – Electronic Frontier Foundation's "Secure Messaging Scorecard". It received points for having communications encrypted in transit, having communications encrypted with keys the provider doesn't have access to (i.e. having end-to-end encryption), making it possible for users to independently verify their correspondent's identities, having past communications secure if the keys are stolen (i.e. implementing forward secrecy), having its security design well-documented and having completed an independent security audit. It lost a point because its source code was not open to independent review (i.e. it was not open-source, though in late 2020 its frontend apps were open-sourced, leaving only its server component proprietary). [66]



  1. "Support – Threema". Retrieved February 10, 2024.
  2. Happich, Julien (September 23, 2014). "Privacy gains traction with secure messaging apps". Electronic Engineering Times Europe. Retrieved December 21, 2015.
  3. "Cryptography Whitepaper" (PDF). Retrieved October 30, 2020.
  4. "FAQ – Privacy Protection". Retrieved October 30, 2020.
  5. "What is a Threema ID?".
  6. "Will my address book data be sent to your servers?". Retrieved December 2, 2014.
  7. "What is a Threema ID? – Threema".
  8. "What features does Threema offer?".
  9. "Threema Web". Retrieved October 30, 2020.
  10. "Threema FAQ". Retrieved December 11, 2023.
  11. "How can I send a file?".
  12. Bordel, Stefan (January 12, 2015). "Threema integriert Umfrage-Funktion" [Threema integrates survey function]. com! – Das Computer-Magazin (in German). Retrieved October 12, 2015.
  13. "Threema". Google Play Store. Retrieved July 5, 2014.
  14. Swiss Confederation. "Swiss company registry entry for Threema GmbH". Archived from the original on July 7, 2014. Retrieved July 5, 2014.
  15. Jungfer, Martin (May 28, 2021). "Number of Threema users climbed to over 10 million". Retrieved August 10, 2021.
  16. "Threema's Success Story: From the Company's Founding to Today" (PDF). Retrieved May 11, 2021.
  17. "Messenger for companies and authorities: Threema offers an on-premise version". Market Research Telecast. July 27, 2021. Retrieved August 10, 2021.
  18. Schurter, Daniel (December 13, 2012). "Die Schweizer Antwort auf WhatsApp" [The Swiss answer to WhatsApp]. (in German). Retrieved July 5, 2014.
  19. "Release 5.2.3". January 23, 2024. Retrieved February 20, 2024.
  20. "What's New - Threema". Retrieved March 14, 2022.
  21. "What's New - Threema". Retrieved April 4, 2022.
  22. "Threema Source Code on GitHub". GitHub.
  23. "App Remote Protocol on GitHub". GitHub. May 8, 2021.
  24. "Big Update for Android".
  25. Cimpanu, Catalin (August 11, 2020). "Threema joins the ranks of E2EE chat apps that support encrypted video calls". ZDNet. Retrieved October 30, 2020.
  26. "Could you decrypt my messages?". Retrieved July 5, 2014.
  27. "Threema Cryptography Whitepaper" (PDF). September 14, 2017.
  28. Zorz, Mirko (September 17, 2014). "Secure mobile messaging with Threema". Help Net Security.
  29. "How long do messages stay in queue for delivery?". Retrieved September 20, 2017.
  30. "Threema Validation". Archived from the original on November 25, 2018. Retrieved September 20, 2017.
  31. "External Audit". Retrieved September 20, 2017.
  32. "Security Review Threema: Security Statement" (PDF). November 2, 2015. Retrieved October 30, 2020.
  33. Schirrmacher, Dennis (November 3, 2015). "Threema-Audit abgeschlossen: "Ende-zu-Ende-Verschlüsselung ohne Schwächen"" [Threema Audit Completed: "End-to-End Encryption Without Weakness"]. (in German). Retrieved October 30, 2020.
  34. Metzler, Marco (June 28, 2015). "Kryptografie-App Threema: Schweizer sorgen für Privatsphäre" [Cryptography app Threema: Swiss ensure privacy]. Neue Zürcher Zeitung (in German). Retrieved October 8, 2015.
  35. "Im Interview: Threema". Mailify (in German). July 23, 2014. Archived from the original on August 2, 2014. Retrieved October 11, 2015.
  36. Tanriverdi, Hakan. "Der Schlossherr". Der Freitag (in German). ISSN 0945-2095. Retrieved October 11, 2015.
  37. Price, Rob (June 18, 2015). "Germany's most popular paid app is a secure messenger loved by millions — now it's taking on the US". Business Insider UK. Retrieved October 11, 2015.
  38. Dillet, Romain (February 21, 2014). "Bye Bye, WhatsApp: Germans Switch To Threema For Privacy Reasons". TechCrunch.
  39. "Threema GmbH, Pfäffikon SZ". Retrieved October 11, 2015.
  40. "iOS-Highlights: Die besten Apps des Jahres" [The best apps of the year]. Focus (in German). December 9, 2014. Retrieved March 1, 2016.
  41. Cimpanu, Catalin (September 4, 2020). "Threema E2EE chat app to go 'fully open source' within months". ZDNet. Retrieved October 30, 2020.
  42. "WhatsApp-Konkurrenten verzeichnen starken Nutzeranstieg". Die Zeit (in German). January 13, 2021. Retrieved January 13, 2021.
  43. Pladson, Kristie (January 18, 2021). "WhatsApp controversy highlights growing fears about data privacy". DW. Retrieved January 19, 2021.
  44. "Three Lessons from Threema: Analysis of a Secure Messenger". Retrieved January 10, 2023.
  45. "The messenger for organizations".
  46. "Pricing Threema Work".
  47. Iseli, Marc (September 28, 2015). "US-Feldzug von Threema gerät ins Stocken" [US campaign of Threema is stalled]. Handelszeitung (in German). ISSN 1422-8971. Retrieved October 12, 2015.
  48. "Threema GmbH". GitHub. Retrieved September 20, 2017.
  49. "Broadcast Blog-Post".
  50. "Threema Education: Framework Contract with". September 10, 2020. Retrieved October 25, 2020.
  51. "Threema OnPrem". Threema. Retrieved August 10, 2021.
  52. "Reference Sheet Privacy and Security" (PDF). p. 2.
  53. "Threema Cryptography Whitepaper" (PDF). p. 11.
  54. "Will my address book data be sent to your servers?".
  55. "How can I unlink my Threema ID from an email address or phone number?".
  56. "Revoke your ID".
  57. "Threema Cryptography Whitepaper" (PDF). p. 5.
  58. "Are messages encrypted when they are stored on my device?".
  59. "Transparency Report".
  60. "Threema GmbH" (in Russian). Archived from the original on June 20, 2017. Retrieved September 20, 2017.
  61. "Russia adds international messenger Threema to official registry". East-West Digital News. March 16, 2017. Retrieved January 27, 2018.
  62. Bannister, Adam (May 28, 2021). "Threema, the European rival to Signal, wins pivotal privacy battle in Swiss Court". The Daily Swig. Retrieved August 10, 2021.
  63. "Swiss army backs home-grown IM service amid privacy concerns". AP NEWS. January 5, 2022. Retrieved January 10, 2022.
  64. "WhatsApp und Alternativen: Datenschutz im Test" [WhatsApp and alternatives: data protection tested]. Stiftung Warentest (in German). February 26, 2014. Retrieved October 30, 2020.
  65. Heutger, Christian (June 13, 2014). "Die Ergebnisse unseres großen Messenger-Tests" [The results of our great messenger test]. PSW Group (in German). Retrieved October 30, 2020.
  66. "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. November 3, 2015. Archived from the original on April 14, 2016. Retrieved October 30, 2020.