|Developer(s)||Kasper Systems GmbH|
|Initial release||11 December 2012|
|Stable release||1.3 (February 5, 2014)|
|Operating system||iOS, Android|
Threema is a proprietary instant messaging application for smartphones, currently available for iOS and Android. Besides text messages, users can send each other images, videos and locations, and group chats are supported. Support for using one account on multiple devices is in development and will ship in a later version. Threema is a Swiss product, and all of its servers are located in Switzerland.
According to its developer, Threema uses 255 bit elliptic curve cryptography (ECC), which the developer rates as comparable in strength to 2048 bit RSA. From the asymmetric keys a 256 bit symmetric key is derived for every message, and the message is encrypted with the XSalsa20 stream cipher. The connection between the device and the server is encrypted as well. A 128 bit message authentication code (MAC) is appended to each message so that manipulation of the ciphertext is detected, and a random amount of "cryptographic padding" is added so that the ciphertext length reveals as little as possible about the content.
Because Threema is a closed-source proprietary application, outsiders cannot review the source to verify that the claimed encryption is actually used and correctly implemented, nor whether the product is free of intentional or accidental security flaws. Reverse engineering the software may violate its license and, depending on the jurisdiction, copyright law.
However, the manufacturer offers interested parties a way to check the encryption: the app can write a raw encrypted message to a log file, and with the sender's public key and the recipient's private key a validation program, supplied in source code form, can decrypt it. This only shows that a logged message was encrypted as claimed; it does not prove that the provider cannot read messages, since the closed-source app could still, for example, use its permissions to send the private key to Threema's servers or to a third party.
On first start, the user generates a key pair by moving a finger across the display; the movements provide the randomness. The ID can optionally be linked to the user's phone number and e-mail address. Next to every contact a verification level, shown as three dots, indicates how confident the user can be that the stored public key really belongs to that contact. This is independent of the encryption strength: without checking the public key, a man-in-the-middle attack cannot be excluded.
- One dot: the ID and public key were delivered by the server, there is no match in the address book, and the user cannot be sure that the contact is who it claims to be.
- Two dots: the contact's phone number or e-mail address was found in the address book, so the user can be reasonably sure that the contact is who it claims to be.
- Three dots: the ID and public key were verified by scanning the contact's QR code; unless the device itself has been compromised, the user can be sure that the contact is who it claims to be.
Threema can synchronise contacts. Instead of uploading the address book, the app sends a hash of each phone number and e-mail address to the server, which checks whether it belongs to a registered user already in the contact list; after the comparison the hashes are deleted. Messages are deleted from the server after successful delivery and are held only in RAM until then.