Threema

1.8 ( iOS ) April 7, 2014

Threema [ θɻima ] is an instant messaging application for smartphones that (version 4.0 ) and iOS is available for the operating systems Android (version 5.1.1). In addition to text messages and photos can be sent. All data is sent encrypted by Threema.

Founder and operator of the service is the Swiss Manuel Kasper with its Kasper Systems GmbH. According to the statement of Threema hosts all server of the service in Switzerland. In the summer of 2013 and winter 2014 Threema was at times the most popular paid apps in German-speaking countries. On February 21, 2014 Threema doubled the number of its users in a day to 400,000. This was due to the acquisition of WhatsApp through Facebook. Approximately 1.1 million users installed the app Between 21 and 24 February. An estimated 1.4 million users had Threema at this time.

The name is derived from EEEMA Acronym, short for end-to -end Encrypting Messaging Application, is derived.

Security

Threema uses the open NaCL library for communication and encryption. It uses 255 bit long asymmetric keys that are generated by means of Elliptic Curve Cryptography and be the loud statement of the NIST with 3072 -bit RSA keys comparable. This key is used to obtain a unique 256-bit symmetric key for each message sent. For the final encrypt the message of XSalsa20 stream cipher is used. Further, the communication between the server and the terminal Threema is also encrypted. A 128 bit long verification code and a random number of " cryptographic padding bytes " will be added to each message to prevent tampering with the contents of the message.

The encryption of messages and their encrypted transmission contribute to cryptographic security of Threema. However, this presupposes a secure terminal. If on the smartphone a virus or trojan found, messages can be read by recording the keyboard input before the actual encryption.

Use of the Software

When you first start Threema the user is prompted his finger as random as possible to move on the touch screen to collect random data for subsequent encryption. Then the Threema account can optionally be linked with their own phone number and e - mail address. Next to each contact there is a verification level, which is represented by three points. It shows how confident the user may be that the stored public key actually belongs to that of the contact. If this public key is not checked, man-in- the-middle attacks can not be excluded.

There are three verification levels:

A group chat feature (up to 20 participants) is available in the current versions for iOS and Android. New groups can use the button " Send a message " (iOS ), or via the menu item "New Group" (Android) will be created. However, only those contacts in the list are selected that have a group chat enabled version installed by Threema.

Privacy Policy

Since the servers of Threema are located exclusively in Switzerland, the company is subject, among other things, the Swiss Federal Act on Data Protection.

Threema offers to match its own address with the Threema servers. Is the phone number or e -mail address of a contact in the Address Book correspond with the Threema database, the contact ID is automatically inserted into the Threema contact list. Instead of uploading the local address book on a server, as practiced other messaging services, are sent to the server from the contact only checksum (SHA- 256). Because of the small number of possible combinations of numbers of a phone number that belongs to a checksum phone number, however, can be determined by brute force. Therefore, the data is transmitted via SSL. Address data is maintained according to the manufacturer only in memory of the server and deleted on known contacts after the test. Sent messages are saved only until the successful transmission ( encrypted).

The Foundation Warentest Threema in February 2014 only five Messenger Apps tested to be critical in terms of privacy.

Criticism

Since the source code is not published, users can not verify the statements about the features and the security of the program without committing copyright infringement. Alternatively, the security can be checked for example by an independent external IT security audit. As such, external IT security audit is version specific, this should also be performed again for each new version. For reasons of economy therefore, the manufacturer waives the audit process, leaving the software in the status " closed source ".

In August 2013 it was announced that the encrypted sent messages are stored on iOS in plain text in the backup of the device, unless the device used is not protected by a code lock.