Threema

Developer(s): Threema GmbH
Initial release: December 2012 [1]
Stable release: iOS 4.6.3 / November 11, 2020 [2]; Android 4.43 / December 7, 2020 [3]
Written in: Objective-C (iOS), Java (Android), C, .NET (Windows Phone)
Operating system: iOS, Android, Windows Phone
Available in: English, German, French, Spanish, Italian, Russian, Brazilian Portuguese, Polish, Rumantsch Grischun
Type: Encrypted instant messaging & voice calling
License: AGPLv3 (apps, web client) [4]; MIT (communication protocol) [5]
Website: threema.ch

Threema is a paid open-source end-to-end encrypted instant messaging application for iOS and Android. [6]

The software follows privacy-by-design principles: it does not require a phone number or any other personally identifiable information, which anonymizes its users to a degree. [7] [8] [9]

In addition to text messaging, users can make voice and video calls, send multimedia, locations, voice messages and files. [10] A web app version, Threema Web, can be used on desktop devices. [11]

Threema is developed by the Swiss company Threema GmbH. [12] [13] The servers are located in Switzerland and the development is based in Pfäffikon SZ. As of January 2020, Threema had 8 million users. [14] As of January 2019, the business version, Threema Work, was used by 3,000 companies and organizations. [15]

History

Threema was founded in December 2012 by Manuel Kasper. [16] The company was initially called Kasper Systems GmbH. [17] Martin Blatter and Silvan Engeler were later recruited to develop an Android application that was released in early 2013. [18]

In summer 2013, the Snowden leaks helped create interest in Threema, boosting its user numbers to the hundreds of thousands. [19] When Facebook took over WhatsApp in February 2014, Threema gained 200,000 new users, doubling its user base in 24 hours. [20] Around 80% of those new users came from Germany. By March 2014 Threema had 1.2 million users. [18]

In spring 2014, operations were transferred to the newly created Threema GmbH. [17] [21]

In December 2014, Apple listed Threema as the most-sold app of 2014 at the German App Store. [22]

In 2020, Threema added video calls, [23] announced plans to make its codebase fully open-source and to introduce reproducible builds, [24] and launched Threema Education, a variation of Threema intended for educational institutions.

During the first half of January 2021, Threema saw a quadrupling of daily downloads spurred on by controversial privacy changes in the WhatsApp messaging service. A spokesperson for the company also confirmed that Threema had risen to the top of the charts for paid applications in Germany, Switzerland, and Austria. [25]

Features

Instead of requiring a linked e-mail address or phone number, Threema uses a user ID that is created by a random generator on the first launch of the app. Other users can be found by phone number or e-mail address if the user allows the app to synchronize their address book. [26] Linking a phone number or e-mail address to a Threema ID is optional, so the service can be used anonymously. Users can verify the identity of their Threema contacts by scanning each other's QR code when they meet in person. The QR code contains the user's public key, which is cryptographically tied to the ID and does not change during the lifetime of the identity. [27] With this feature, users can make sure they hold the correct public key of their chat partners, which provides additional protection against a man-in-the-middle attack. Threema distinguishes three levels of verification (trust levels of a contact's identity); the verification level of each contact is displayed in the app as dots next to the corresponding contact.

Users can make voice calls and send text messages, multimedia, locations, voice messages and files of any type (up to 50 MB per file). [10] [28] It is also possible to create polls in personal or group chats. [29] With Threema Web, a client for web browsers, Threema can be used from other devices such as desktop computers. Threema optionally supports Android Wear smartwatches and Android Auto. [30] Threema launched support for end-to-end encrypted video calls on August 10, 2020. Calls are one-to-one; group calls are not available. [23]

Threema Work: On May 25, 2016, Threema Work, a corporate version of Threema, was released. Threema Work offers extended administration and deployment capabilities. [31] Threema Work is based on a yearly subscription model. [32]

Threema Gateway: On March 20, 2015, Threema released a gateway for companies. Similar to an SMS gateway, businesses can use it to send messages to their users who have Threema installed. [33] The code for the Threema Gateway SDK is open for developers and available on GitHub. [34]

Threema Broadcast: On August 9, 2018, Threema released Threema Broadcast, a tool for top-down communication. Similar to an e-mail newsletter, Threema messages can be sent to any number of feed subscribers, and Threema Broadcast also allows creating chatbots. [35]

Threema Education: On September 10, 2020, Threema released Threema Education, a version of its messenger designed for educational institutions. The app integrates Threema Broadcast and requires a one-time payment for each device used. It is intended for use by teachers, students, and parents. [36]

Privacy

Since Threema's servers are located in Switzerland, they are subject to the Swiss federal law on data protection. The data center is ISO/IEC 27001-certified. [37] Linking a phone number and/or e-mail address to a Threema ID is optional; when a user does so, only checksum values (SHA-256 HMAC with a static key) of the e-mail address and/or phone number are sent to the server. [38] Because a telephone number has only a small number of possible digit combinations, the phone number behind a checksum could be determined by brute force. The transmitted data is TLS-secured. Address book data is kept only in the server's volatile memory and is deleted immediately after contacts have been synchronized. [39] A user who has linked a phone number or e-mail address to their Threema ID can remove it at any time. [40] Should a user lose their device (and with it their private key), they can revoke their Threema ID, provided a revocation password for that ID has been set. [41]
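As an added illustration (not Threema's code, and using a constructed placeholder instead of the real static key), the following Python shows why the keyed checksum described above does not keep a phone number confidential: the HMAC is deterministic, and the set of possible numbers is small enough to enumerate into a lookup table, so the 256-bit width of the digest says nothing about how hard the number is to recover. An e-mail address, whose input space is far larger, does not fall to the same table.

```python
import hashlib
import hmac
import math
from itertools import product

# Constructed placeholder. The page says the client uses a static (fixed,
# non-secret) HMAC key; the real key value is not reproduced here.
STATIC_KEY = b"placeholder-static-key-not-threemas"


def contact_checksum(identifier: str, key: bytes = STATIC_KEY) -> str:
    """HMAC-SHA256 of a linked identifier (phone number or e-mail), the kind
    of checksum the page says is sent to the server instead of the identifier
    itself. Deterministic: equal inputs always give equal digests."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def identifier_entropy_bits(alphabet_size: int, free_positions: int) -> float:
    """Upper bound on the input entropy of an identifier whose unknown part is
    `free_positions` symbols from an alphabet of `alphabet_size`. An
    enumerating party only has to cover this many bits of input, not the
    256-bit digest space."""
    return free_positions * math.log2(alphabet_size)


def checksum_lookup_table(prefix: str, free_digits: int,
                          key: bytes = STATIC_KEY) -> dict:
    """Precompute digest -> number for every phone number that shares `prefix`
    and has `free_digits` unknown decimal digits. Because the key is static,
    anyone who knows it can build this table; its size is 10 ** free_digits,
    which is why a keyed hash of a phone number is a lookup key, not a secret."""
    table = {}
    for digits in product("0123456789", repeat=free_digits):
        number = prefix + "".join(digits)
        table[contact_checksum(number, key)] = number
    return table


def resolve_checksum(table: dict, digest: str):
    """Map a transmitted checksum back to a number if it lies in the
    enumerated range; None otherwise (e.g. an e-mail address checksum)."""
    return table.get(digest)


if __name__ == "__main__":
    # Constructed sample: a 4-digit unknown block behind a fixed prefix.
    table = checksum_lookup_table("+414400", 4)
    sent = contact_checksum("+4144001234")
    print(len(table), resolve_checksum(table, sent))
    # Nine free digits, roughly a national number, is still only ~30 bits.
    print(round(identifier_entropy_bits(10, 9), 1))
```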

Groups are solely managed on users’ devices and group messages are sent to each recipient as an individual message, encrypted with the respective public key. Thus, group compositions are not exposed to the server. [42]

Data (including media files) stored on the users’ devices is encrypted with AES-256. On Android, it can be additionally protected by a passphrase. [43]

Since 2016, Threema GmbH has published a transparency report in which inquiries from public authorities are disclosed. [44]

On 9 March 2017 Threema was listed in the "Register of organizers of information dissemination in the Internet" operated by the Federal Service for Supervision of Communications, Information Technology and Mass Media of the Russian Federation. [45]

In a response, a Threema spokesperson publicly stated: "We operate under Swiss law and are neither allowed nor willing to provide any information about our users to foreign authorities." [46]

Architecture

The entire communication via Threema is end-to-end encrypted. During the initial setup, the application generates a key pair and sends the public key to the server while keeping the private key on the user's device. [47] The application then encrypts all messages and files that are sent to other Threema users with their respective public keys. [48] [49] Once a message is delivered successfully, it is immediately deleted from the servers. [50]

Threema's encryption is based on the open-source NaCl library and uses asymmetric ECC-based encryption with 256-bit strength. Threema offers a "Validation Logging" feature that makes it possible to confirm that messages are end-to-end encrypted using the NaCl Networking and Cryptography library. [51] In August 2015, Threema was subjected to an external security audit. [52] Researchers from cnlab confirmed that Threema provides secure end-to-end encryption and stated that they were unable to identify any weaknesses in the implementation. The cnlab researchers also confirmed that Threema provides anonymity to its users and handles contacts and other user data as advertised. [53] [54]

Reception

In February 2014, German consumer organisation Stiftung Warentest evaluated several data-protection aspects of Threema, WhatsApp, Telegram, BlackBerry Messenger and Line. It considered the security of the data transmission between clients, the services' terms of use, the transparency of the service providers, the availability of the source code and the apps' overall availability. Threema was the only app rated as 'non-critical' (unkritisch) in relation to data and privacy protection, but lost marks due to its closed-source nature. [55]

Along with Cryptocat and Surespot, Threema was ranked first in a study evaluating the security and usability of instant messaging encryption software, conducted by the German PSW Group in June 2014. [56]

In October 2014, Threema won the "connect App Awards 2014" for being the best app of the year. [57]

As of November 2015, Threema has a score of 6 out of 7 points on the – now withdrawn – Electronic Frontier Foundation's "Secure Messaging Scorecard". It has received points for having communications encrypted in transit, having communications encrypted with keys the provider doesn't have access to (i.e. having end-to-end encryption), making it possible for users to independently verify their correspondent's identities, having past communications secure if the keys are stolen (i.e. implementing forward secrecy), having its security design well-documented and having completed an independent security audit. It is missing a point because its source code is not open to independent review (i.e. it is not open-source). [58]


References

  1. Schurter, Daniel (13 December 2012). "Die Schweizer Antwort auf WhatsApp" [The Swiss answer to WhatsApp]. 20min.ch (in German). Retrieved 5 July 2014.
  2. "What's New - Threema". threema.ch. Retrieved 2020-11-12.
  3. "What's New - Threema". threema.ch. Retrieved 2021-01-12.
  4. "Threema Source Code on GitHub".
  5. "App Remote Protocol on GitHub".
  6. Happich, Julien (23 September 2014). "Privacy gains traction with secure messaging apps". Electronic Engineering Times Europe. Retrieved 21 December 2015.
  7. "Cryptography Whitepaper" (PDF). Retrieved October 30, 2020.
  8. "FAQ – Privacy Protection". Retrieved October 30, 2020.
  9. "What is a Threema ID?". threema.ch.
  10. "What features does Threema offer?". threema.ch.
  11. "Threema Web". Retrieved October 30, 2020.
  12. "Threema". Google Play Store. Retrieved 5 July 2014.
  13. Swiss Confederation. "Swiss company registry entry for Threema GmbH". zefix.ch. Retrieved 5 July 2014.
  14. "About - Threema: Best-Selling Chat App".
  15. "Verschlüsselte Botschaften".
  16. Metzler, Marco (28 June 2015). "Kryptografie-App Threema: Schweizer sorgen für Privatsphäre" [Cryptography app Threema: Swiss ensure privacy]. Neue Zürcher Zeitung (in German). Retrieved 8 October 2015.
  17. "Im Interview: Threema". Mailify (in German). 23 July 2014. Archived from the original on 2 August 2014. Retrieved 11 October 2015.
  18. Tanriverdi, Hakan. "Der Schlossherr". Der Freitag (in German). ISSN 0945-2095. Retrieved 11 October 2015.
  19. Price, Rob (18 June 2015). "Germany's most popular paid app is a secure messenger loved by millions — now it's taking on the US". Business Insider UK. Retrieved 11 October 2015.
  20. Dillet, Romain (21 February 2014). "Bye Bye, WhatsApp: Germans Switch To Threema For Privacy Reasons". TechCrunch.
  21. "Threema GmbH, Pfäffikon SZ". Shabex.ch. Retrieved 11 October 2015.
  22. "iOS-Highlights: Die besten Apps des Jahres" [The best apps of the year]. Focus (in German). 9 December 2014. Retrieved 1 March 2016.
  23. Cimpanu, Catalin (August 11, 2020). "Threema joins the ranks of E2EE chat apps that support encrypted video calls". ZDNet. Retrieved October 30, 2020.
  24. Cimpanu, Catalin (September 4, 2020). "Threema E2EE chat app to go 'fully open source' within months". ZDNet. Retrieved October 30, 2020.
  25. "WhatsApp-Konkurrenten verzeichnen starken Nutzeranstieg". Die Zeit (in German). 13 January 2021. Retrieved 13 January 2021.
  26. "Will my address book data be sent to your servers?". threema.ch. Retrieved December 2, 2014.
  27. "What is a Threema ID? - Threema". threema.ch.
  28. "How can I send a file?". threema.ch.
  29. Bordel, Stefan (January 12, 2015). "Threema integriert Umfrage-Funktion" [Threema integrates survey function]. com! - Das Computer-Magazin (in German). Retrieved October 12, 2015.
  30. "Big Update for Android". threema.ch.
  31. "The messenger for organizations". work.threema.ch.
  32. "Pricing Threema Work".
  33. Iseli, Marc (28 September 2015). "US-Feldzug von Threema gerät ins Stocken" [US campaign of Threema is stalled]. Handelszeitung (in German). ISSN 1422-8971. Retrieved October 12, 2015.
  34. "Threema GmbH". GitHub. Retrieved September 20, 2017.
  35. "Broadcast Blog-Post".
  36. "Threema Education: Framework Contract with educa.ch". September 10, 2020. Retrieved October 25, 2020.
  37. "Reference Sheet Privacy and Security" (PDF). threema.ch. p. 2.
  38. "Threema Cryptography Whitepaper" (PDF). threema.ch. p. 11.
  39. "Will my address book data be sent to your servers?". threema.ch.
  40. "How can I unlink my Threema ID from an email address or phone number?". threema.ch.
  41. "Revoke your ID". threema.ch.
  42. "Threema Cryptography Whitepaper" (PDF). threema.ch. p. 5.
  43. "Are messages encrypted when they are stored on my device?". threema.ch.
  44. "Transparency Report". threema.ch.
  45. "Threema GmbH". rublacklist.net (in Russian). Retrieved September 20, 2017.
  46. "Russia adds international messenger Threema to official registry". East-West Digital News. 16 Mar 2017. Retrieved January 27, 2018.
  47. "Could you decrypt my messages?". threema.ch. Retrieved July 5, 2014.
  48. "Threema Cryptography Whitepaper" (PDF). threema.ch. September 14, 2017.
  49. Zorz, Mirko (September 17, 2014). "Secure mobile messaging with Threema". Help Net Security.
  50. "How long do messages stay in queue for delivery?". threema.ch. Retrieved September 20, 2017.
  51. "Threema Validation". threema.ch. Retrieved September 20, 2017.
  52. "External Audit". threema.ch. Retrieved September 20, 2017.
  53. "Security Review Threema: Security Statement" (PDF). threema.ch. November 2, 2015. Retrieved October 30, 2020.
  54. Schirrmacher, Dennis (November 3, 2015). "Threema-Audit abgeschlossen: "Ende-zu-Ende-Verschlüsselung ohne Schwächen"" [Threema Audit Completed: "End-to-End Encryption Without Weakness"]. Heise.de (in German). Retrieved October 30, 2020.
  55. "WhatsApp und Alternativen: Datenschutz im Test" [WhatsApp and alternatives: data protection tested]. Stiftung Warentest (in German). February 26, 2014. Retrieved October 30, 2020.
  56. Heutger, Christian (June 13, 2014). "Die Ergebnisse unseres großen Messenger-Tests" [The results of our great messenger test]. PSW Group (in German). Retrieved October 30, 2020.
  57. Buchta, Steve. "Connect App Awards 2014: Das sind die besten Apps des Jahres". Connect.de. Retrieved October 30, 2020.
  58. "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 3 November 2015. Archived from the original on April 14, 2016. Retrieved October 30, 2020.