+5 votes
How secure is Threema?

in Apps / software by (552k points)
reopened | 177 views

1 Answer

+3 votes
Best answer

General information about Threema
Where is your Threema data stored?
Threema and data protection
Security from Threema
Is Threema more secure than WhatsApp?
Threema advantages & disadvantages

Would you like to know how safe the WhatsApp alternative Threema really is? Here you can find out everything about the security of the app.

Threema is an end-to-end (E2EE) encrypted messaging app for your smartphone. Unlike many other WhatsApp alternatives like Signal or Telegram, this app doesn't require you to enter an email address or phone number to create an account. This allows you to use the service with a very high degree of anonymity, which makes it perhaps the most private messenger of all. But how sure is it really? We have the answers here.

General information about Threema

Threema is an open source product from Threema GmbH - a small company based in Switzerland. The team released their first version of the product in December 2012 and officially launched the company in 2014. They launched Threema.Work (an enterprise version) in 2016, and several versions since then.

As you know, Switzerland is not part of the European Union. While WhatsApp reserves the right in its general terms and conditions to pass on information about users without informing the user, in the case of Threema a monitoring / information order from a Swiss court is necessary.

The name Threema stands for "End-to-End Encrypted Messaging Application", abbreviated for "EEEMA". But that was a little bit of "E"s, so it became "Threema". According to Threema, the company is financed through company subscriptions and app sales.

Where is your Threema data stored?

As far as possible, the data is only stored on the respective devices. The minimum amount of metadata that is necessary to move messages to their correct destinations is only stored on Threema's servers for as long as is necessary to complete the task.

The company's servers are physically located in two data centers belonging to an "ISO 27001"-certified colocation partner in Zurich, Switzerland. They are protected by security systems that include biometric access control, video surveillance, emergency power systems, fire safety and more.

Storing all of your data on your local device is very secure ... unless you lose access to your device. This is where Threema Safe comes into play. This is a platform-independent system for anonymously securing your unique Threema ID, all of your contacts that you have optionally synchronized, your groups and other data. But where does Threema Safe save your data? It's up to you. By default, the data is saved on the Threema servers. However, you can also configure it to store this data on any server of your choice.

Threema and data protection

Without strong encryption of your messages, a messaging app cannot protect your privacy. Threema has covered this aspect by using the open source encryption library "NaCl".

But private information can also exist in a messenger outside of the messages themselves. Threema also protects your privacy here. You can use the service without providing any personal information. The randomly generated Threema ID can be your only ID in the system, so you remain completely anonymous.

As a user, you have complete control over the exchange of your ID, with encryption and decryption only remaining on your device. The server operator or any other party can therefore not decrypt messages.

Note: You can have a phone number or email address associated with the service, but this is completely optional!

Metadata can be generated simply by using a messaging service. This concerns data about your use of the service, e.g. to whom you send messages, your whereabouts, etc. To prevent this, Threema generates as little metadata as possible and discards it as soon as it has served its purpose. In other words, this app protects your privacy and communication.

Security from Threema

Of course, there can be no guarantee that something is 100% secure and will stay that way forever. But compared to other messengers, Threema can be classified as very secure. The app uses strong end-to-end encryption for pretty much everything. To ensure maximum security, both the connection between the app and the servers and between the parties communicating with each other are encrypted separately. The former is particularly important because anyone who intercepts network packets (e.g. in public WLAN) cannot find out who is communicating with whom.

In addition, Threema is designed to generate as little data on servers as is technically possible. Groups and contact lists are managed exclusively on the users' devices and not on the server. Messages are deleted immediately after delivery, no log files are created and no personally identifiable information is collected.

The only exceptions are centrally managed groups from Threema Broadcast and data from Threema Safe, if you choose to save them on the Threema servers. The data is transmitted to the Swiss servers with additional SSL security. These delete the hashes from their main memory as soon as the list of matching IDs has been determined. Threema itself ensures that it writes neither hashes nor matching results to a hard drive.

Is Threema more secure than WhatsApp?

Both Threema and WhatsApp are end-to-end encrypted, which makes them very secure to start with. However, WhatsApp stores some metadata about who communicates with whom and when - Threema doesn't do that. What's more, WhatsApp is now part of Facebook - a company that doesn't have the best reputation for respecting the rights of its users.

In summary, one can say that Threema is at least as secure as WhatsApp, and even more secure in terms of data protection. Learn more about alternatives to WhatsApp here.

Threema advantages & disadvantages

Here is a quick recap of the pros and cons:

+ Advantages

  • End-to-end encryption (E2E)
  • Encryption algorithms: NaCl (open source cryptographic library)
  • No phone number or email address required; no central user account
  • Completed transition to open source
  • Does not log IP addresses or metadata
  • Owns all of its own servers
  • GDPR compliant

- Disadvantages

  • Does not support 2FA (two-factor authentication)
  • No free trial

by (3.5m points)
