Threema

Developer(s): Threema GmbH
Initial release: December 2012[1]
Stable release:
  iOS: 2.3.1 (May 11, 2015)[2]
  Android: 2.3 (April 16, 2015)[3]
  Windows Phone: 1.2.1 (May 4, 2015)[4]
Written in: Objective-C (iOS), Java (Android), C, .NET (Windows Phone)
Operating system: iOS, Android, Windows Phone
Available in: English (iOS, Android, WP), German (iOS, Android, WP), French (iOS, Android), Spanish (iOS, Android), Italian (iOS, Android), Russian (iOS, Android), Brazilian Portuguese (iOS, Android), Polish (Android)
Type: Encrypted instant messaging
License: Proprietary commercial software[5]
Website: Threema's website

Threema is a proprietary encrypted instant messaging application for iOS, Android and Windows Phone.[6][7][8] In addition to text messages, users can send multimedia files and voice messages. Locations can also be shared through integrated mapping features.[9] Since January 2015, Threema has offered an integrated poll feature, which allows users to create a poll within a single conversation or group chat.[10] The name Threema is based on the acronym EEEMA, which stands for End-to-End Encrypting Messaging Application.[11]

There is no need to link an email address or phone number to Threema in order to send messages. Instead, the app uses a user ID that a random generator creates after the initial app launch. In the same process, the app generates a key pair and sends the public key to the server while keeping the private key on the user's device.[12] The application then encrypts all messages and media files that are sent to other Threema users with their respective public keys.[13][14] To find other users, the app can synchronize the user's address book, but it needs prior consent from the user to do so.[15]

Threema is developed by the Swiss company Threema GmbH.[16][17] The servers are located in Switzerland and the development is based in the Zürich metropolitan area. The application is especially popular in German-speaking countries,[18] where it had reached 3.2 million downloads by December 2014.[19] One important factor in its success[not in citation given] came in February 2014, when awareness of privacy increased dramatically[not in citation given] due to the takeover of WhatsApp by Facebook.[20]

History

On March 20, 2015, Threema released a gateway for companies. Similar to an SMS gateway, it lets companies send messages from their own software.[21][22] The advertised uses of Threema Gateway include sending mTAN, eTAN or OTP codes, alerting for emergency services, secure exchange of passwords, internal communications and confidential customer information. The price for sending a message is set between 0.02 CHF and 0.05 CHF.[23] The code for the Threema Gateway SDK is open for developers and available on GitHub.[24]

Reception

In February 2014, a German consumer safety group called Stiftung Warentest evaluated WhatsApp, Threema, Telegram, BlackBerry Messenger and Line. Stiftung Warentest concluded that Threema was the most secure messenger compared to the five others.[25]

Along with Cryptocat and Surespot, Threema was ranked first in a study evaluating the security and usability of instant messaging encryption software, conducted by the German PSW Group in June 2014.[26]

In November 2014, Threema scored 5 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It received points for having communications encrypted in transit, having communications encrypted with keys the provider doesn't have access to (i.e. having end-to-end encryption), making it possible for users to independently verify their correspondents' identities, having past communications secure if the keys are stolen (i.e. implementing forward secrecy), and having its security design well-documented. It lost points because its source code is not open for independent review (i.e. it's not open source) and because there has not been a recent independent security audit.[27]

In October 2014, Threema won the "connect App Awards 2014" for being the best app of the year.[28]

In December 2014, Apple awarded Threema for "Best-selling iOS App of the year 2014 in Germany".[29]

Security and privacy

All communication via Threema is end-to-end encrypted. This includes text messages, any kind of media, and group chats.[30] Once a message is delivered successfully, it is immediately deleted from the servers.[31] The encryption process used by Threema is based on the open-source NaCl library. Threema uses asymmetric ECC-based encryption with 256-bit strength. In terms of encryption strength, according to a NIST estimate, this corresponds to or exceeds the encryption provided by 3072-bit RSA.[32] Threema offers a "Validation Logging" feature that makes it possible for everyone to independently confirm that messages sent via Threema are end-to-end encrypted using the NaCl Networking and Cryptography library.[33]

Threema has two layers of encryption. The end-to-end encryption layer is between the sender and the recipient. The transport layer protects the header information while it is transmitted to the server and to the recipient (this prevents eavesdropping).[13][14]

Threema GmbH provides a whitepaper explaining how the cryptography works and how the encryption process can be validated.[34]

Users can verify the identity of their Threema contacts by scanning their QR code when they meet physically. The QR code contains the user's public key. Using this feature, users can make sure they have the correct public key for their chat partners, which provides security against a man-in-the-middle attack. Threema distinguishes three levels of verification (certainty levels of the contact's identity). The verification level of each contact is displayed in the Threema application as dots next to the corresponding contact.

• No matching contact was found for a specific ID in the user's address book. You cannot be sure that the user is who he or she claims to be.
•• The ID has been matched with a contact in the user's address book (by phone number or email). You can be quite sure that the contact is who he or she claims to be.
••• The ID of this particular contact has been personally verified by scanning the QR code. You can be sure that the ID truly belongs to this person. Level three protects the user from a man-in-the-middle attack.
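
The three levels above can be modelled as a small key-pinning check. The following is an added example, not Threema's code: the names Contact, match_address_book and verify_by_qr, the QR payload fields (ID plus 32-byte key) and the sample ID and keys are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

UNVERIFIED, ADDRESS_BOOK_MATCH, QR_VERIFIED = 1, 2, 3  # dots shown per level

class KeyMismatch(Exception):
    """Scanned key differs from the key stored for this ID."""

@dataclass
class Contact:
    user_id: str            # constructed sample ID
    public_key: bytes       # 32-byte key as received from the server
    level: int = UNVERIFIED

def fingerprint(key: bytes) -> str:  # display format is an assumption
    return hashlib.sha256(key).hexdigest()[:16]

def match_address_book(contact, matched_ids):
    """Level 2: the ID was matched to an address-book entry."""
    if contact.user_id in matched_ids and contact.level < ADDRESS_BOOK_MATCH:
        contact.level = ADDRESS_BOOK_MATCH
    return contact.level

def verify_by_qr(contact, scanned_id, scanned_key):
    """Level 3: only if the in-person scan matches the stored key."""
    if scanned_id != contact.user_id or len(scanned_key) != 32:
        raise ValueError("QR payload is for another ID or is malformed")
    # Constant-time compare; a mismatch means the key received earlier is
    # not the one on the contact's device (possible man-in-the-middle).
    if not hmac.compare_digest(scanned_key, contact.public_key):
        raise KeyMismatch(f"stored {fingerprint(contact.public_key)} != "
                          f"scanned {fingerprint(scanned_key)}")
    contact.level = QR_VERIFIED
    return contact.level

def demo():
    # Constructed 32-byte placeholders, not real Curve25519 keys.
    genuine = hashlib.sha256(b"constructed: contact device").digest()
    swapped = hashlib.sha256(b"constructed: substituted key").digest()
    ok = Contact("ABCD1234", genuine)
    match_address_book(ok, {"ABCD1234"})
    verify_by_qr(ok, "ABCD1234", genuine)
    bad = Contact("ABCD1234", swapped)  # wrong key was delivered
    try:
        verify_by_qr(bad, "ABCD1234", genuine)
    except KeyMismatch:
        return ok.level, bad.level, True
    return ok.level, bad.level, False
```

In this model a contact whose stored key fails the scan stays at its previous level, so a substituted key can never reach three dots.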

References

  1. Daniel Schurter (13 December 2012). "Die Schweizer Antwort auf WhatsApp" (in German). 20min.ch. Retrieved 5 July 2014.
  2. Threema GmbH (2015-05-11). "Threema". Apple App Store. Apple.
  3. Threema GmbH (2015-04-16). "Threema". Play Store. Google.
  4. Threema GmbH (2015-05-04). "Threema". Windows Phone Store. Microsoft.
  5. Threema GmbH. "End-User Software License Agreement". Threema GmbH. Retrieved 5 July 2014.
  6. "Threema's official homepage". Retrieved 5 July 2014.
  7. "Encrypted Messaging On Your Smartphone". http://nullmag.com/encrypted-messaging-smartphone/#
  8. "Privacy gains traction with secure messaging apps". http://www.electronics-eetimes.com/en/privacy-gains-traction-with-secure-messaging-apps.html?cmp_id=7&news_id=222922448&vID=13&page=1
  9. heise.de (3 July 2014). "Krypto Messenger Threema ergänzt Sprachnachrichten" (in German). Heise Verlag. Retrieved 5 July 2014.
  10. "Threema What's new". https://threema.ch/en/whats-new
  11. "Threema FAQ: Why is it called Threema?". https://threema.ch/en/faq/name_origin
  12. "Could you decrypt my messages?". threema.ch. Retrieved 5 July 2014. [third-party source needed]
  13. "Threema Cryptography Whitepaper". https://threema.ch/press-files/cryptography_whitepaper.pdf
  14. "Secure mobile messaging with Threema". http://www.net-security.org/review.php?id=333
  15. "Will my address book data be sent to your servers?". threema.ch. Retrieved 2 December 2014. [third-party source needed]
  16. "Google Play Store entry for Threema". google.com. Retrieved 5 July 2014.
  17. Swiss Confederation. "Swiss company registry entry for Threema GmbH". zefix.ch. Retrieved 5 July 2014.
  18. Romain Dillet (21 February 2014). "Bye Bye, WhatsApp: Germans Switch To Threema For Privacy Reasons". TechCrunch. Retrieved 5 July 2014.
  19. Till Simon Nagel (21 May 2014). "Der Preis der Sicherheit" (in German). Handelsblatt. Retrieved 5 July 2014.
  20. "Facebook Buying WhatsApp for $19B, Will Keep the Messaging Service Independent". http://techcrunch.com/2014/02/19/facebook-buying-whatsapp-for-16b-in-cash-and-stock-plus-3b-in-rsus/
  21. "Threema Gateway". https://gateway.threema.ch
  22. "Threema releases secure messaging gateway". https://www.business-cloud.com/articles/news/threema-releases-secure-messaging-gateway
  23. "Threema Gateway products". https://gateway.threema.ch/de/products
  24. https://github.com/threema-ch
  25. http://www.androidpit.com/whatsapp-alternatives-data-security-officially-tested
  26. Christian Heutger. "Die Ergebnisse unseres großen Messenger-Tests" (in German). Retrieved 2014-06-26.
  27. "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 2014-11-04.
  28. http://www.connect.de/news/connect-app-awards-2014-die-besten-apps-preisverleihung-gewinner-sieger-award-2659952.html
  29. "iPhone und iPad: Threema ist die meistverkaufte App 2014". http://www.computerbild.de/artikel/cb-News-App-Check-iPhone-und-iPad-Threema-ist-die-meistverkaufte-App-2014-11205436.html
  30. "Top Three Apps for Encrypted Messaging". http://www.theepochtimes.com/n3/1023270-top-3-apps-for-encrypted-messaging/
  31. https://threema.ch/en/faq/message_storage
  32. "The Case for Elliptic Curve Cryptography". https://www.nsa.gov/business/programs/elliptic_curve.shtml
  33. "Threema Validation". https://threema.ch/validation/
  34. "Threema cryptography whitepaper" (PDF). 2014-11-05.