Threema

Threema
Basic data
developer	Threema GmbH
Publishing year	2012
Current  version	4.4 ( Android ) August 10, 2020 4.6 ( iOS ) August 10, 2020
operating system	Android , iOS
programming language	Java (Android client), Swift and Objective-C (iOS client), JavaScript (web client), Python (communication protocol)
category	Instant messaging , IP telephony
License	proprietary AGPLv3  (web client) MIT  (communication protocol)
German speaking	Yes
threema.ch/de

Threema (English pronunciation: / θɹiː.mə /) is an end-to-end encrypted- Swiss instant messaging - service for use on smartphones and tablets . The software is designed for data protection and data avoidance and, unlike most competing products, does not require a telephone number or other personal information to be used. Currently (as of 2020) over 8 million private users use Threema, 2 million of them "Threema Work" in around 5000 companies and institutions. The associated software is chargeable and, from March 1, 2020, will only be available for mobile devices with the operating systems Android (from version 4.4 ) and iOS (from version 10 ). Threema can no longer be used under Windows Phone / Windows 10 Mobile since June 2020. Threema can also be used on the desktop computer via the “Threema Web” web application, but only if the smartphone app is also installed.

According to the developers, all messages are only sent end-to-end encrypted . This statement and the general effectiveness of the documented security and data protection mechanisms were confirmed in an external audit in November 2015 and March 2019. The messages are sent via the Swiss server of the Swiss-based manufacturer Threema GmbH. The communication between the Threema servers and the end device is secured by transport encryption.

The name Threema

The name threema is the acronym EEEMA , short for end-to-end Encrypting Messaging Application derived, the three E by the term Three (English for three were replaced).

Range of functions

With Threema, text messages, pictures, videos, your own location and voice messages can be sent and voice calls can be made. With Android and iOS from version 2.4 files of any kind with up to 50  MB can be sent. Since January 2015, it has also been possible to conduct surveys within a conversation or in group chat.

Threema provides support for Android Wear - Smart Watches (version 2.0), Android Auto , and may in the family with the Google family library to be used when it has acquired after 2 July 2016th

Threema Web was officially released on February 15, 2017 . This allows users of the Android app (from version 3.0) to send messages via the computer. All messages are fully synchronized with the Android app. Threema is proprietary software, but the source code of Threema Web is open source and therefore publicly available. Support for iOS followed in October 2018.

development

Threema was developed and founded by the Swiss Manuel Kasper with his Kasper Systems GmbH . The service is operated by the Swiss company Threema GmbH . According to Threema, all servers of the service are located in Switzerland. In summer 2013 and spring 2014, Threema was at times one of the most popular paid apps in German-speaking countries. In the course of the "iTunes Rewind", Threema was named the best-selling iPhone app of 2014. On February 21, 2014, Threema doubled the number of its users to 400,000 within one day. The reason for this was the takeover of WhatsApp by Facebook . From February to April, the number of users increased sevenfold to more than 2.8 million. In December 2014 it was 3.2 million users. By June 2015 Threema had registered 3.5 million purchases and in January 2018 around 4.5 million people were using Threema.

In 2018, the company consisted of 15 employees, around half of whom worked in software development or in communication and marketing.

safety

Threema uses the open source program library “ NaCl ” for communication and encryption. 256-bit long asymmetric keys are used, which are generated using elliptic curve cryptography and which, according to the NIST, are comparable to 3072-bit long RSA keys . This key is used to obtain a unique symmetric 256-bit key for every message sent . The XSalsa20 Stream Cipher is used for the final encryption of the message . Communication between the Threema server and the end device is also encrypted. A 128-bit verification code and a random number of “cryptographic filler bytes” are added to each message in order to prevent tampering with the content of the message.

Threema also offers Perfect Forward Secrecy , but only for communication between the server and the app. The end-to-end encryption on the other hand does not provide perfect forward secrecy , since it both parties at the same time online they must be set. The manufacturers reject special implementations of Perfect Forward Secrecy , as they believe this would increase the complexity of the protocol and the server. This would increase the risk of security gaps and server failures.

In group chats, the message is encrypted separately for each recipient and delivered individually. As a result, the Threema servers can neither understand which groups there are nor who is a member of a group. Media, on the other hand, are encrypted and uploaded once to the Threema server. The symmetric key for decrypting the medium is then sent like a normal message to all group members, who decrypt them, download the medium and then decrypt the file.

Features of the software

Security levels

Color code	safety
• ••	Low security, may not be the intended contact
•• •	Contact found in address book, not verified via QR code
•••	Contact verified via QR code
•••	Verification level Threema Work. Blue points: internal contact

When Threema is started for the first time, the user is asked to move his finger on the touchscreen in order to collect random data for later encryption. Since February 2015, the movements of the device have also been included when creating an ID . The Threema ID can then optionally be linked to your own telephone number and email address. Next to each contact there is a security level, which is represented by three dots. It shows how certain the user can be that the stored public key of the contact actually belongs to them. If this public key is not checked, man-in-the-middle attacks cannot be ruled out.

There are three levels of security:

1. The Threema ID and the public key were transmitted through the server. There is no match between the data and the local address book, so the user cannot be sure of communicating with the person they claim to be.
2. The contact's phone number or email address was found in the local address book. The user can be pretty sure that they are communicating with the desired person.
3. This is the highest level of security. The ID and public key were verified by scanning the contact's QR code . The user can therefore be very sure of communicating with the desired person.

Group chat

A group chat function for up to 100 participants is available in the current versions for all operating systems. In the group chats, the user who originally created the group has special rights (" Admin "). He alone is allowed to set the profile picture and the group name. People can be added to a group (by the administrator) and subsequently removed again from version 2.3 for Android and iOS. The Android version also has a function to add contacts to distribution lists.

Online status

There is no online status of the contacts and it is not possible to define a personal status text. However, you can activate or deactivate the "read" status of the messages in the settings. There is no “read” indicator in group chats.

Backup of data

Since all data is only stored locally on the device, it was previously not possible to transfer your Threema ID, chat histories and other data to another device without creating a backup of your data. Threema therefore expressly recommends making a backup, as otherwise - for example if the device is lost - there is no possibility of restoring the Threema ID (with the associated private key). When you uninstall the Android app, as is normal with Android, all data is deleted from the internal memory, i.e. H. Both the Threema ID with the private key and the rest of the data, such as chat history and media, are removed after the uninstallation. Regardless of this, Threema offers a separate directory in which the decrypted media (at the request of the user) and the data backups are saved.

Since December 2018 (from version 3.6 Android and version 4.1 for iOS), Threema Safe has been offering its own anonymous backup solution. This secures platform-independent Threema ID, contacts and groups encrypted on the Threema server or, if desired, on a selected server of the user, see the section on “Threema Safe” .

With the iOS version, the Threema ID with the private key is retained during deinstallation, as this is included in the iCloud backup. However, the key is previously encrypted with a unique key of the device (the UID key) so that it can only be restored on the same device. The contacts, messages and media will be deleted when you uninstall it.

Revoke the Threema ID

Threema IDs can be revoked via the provider's website. From version 2.20 for iOS or version 2.21 for Android, this is only possible with the revocation password specified in the app.

Threema Web

Via a website specified by the manufacturer or a self- hosted instance of the open source Threema web application, users can also use Threema via the desktop (or other devices with browsers that meet the system requirements). By scanning a special QR code on the website, a so-called session is created and the web browser and Threema app used connect to each other via WebRTC / SaltyRTC. WebRTC creates the most direct connection possible between the two devices via ICE with Threema's own STUN and TURN servers. H. if both devices are in the same network, the data is only exchanged in this network. With the specially developed SaltyRTC protocol , which “builds” on WebRTC, the exchanged data is additionally encrypted end-to-end (to the TLS- based encryption of WebRTC) with the NaCl encryption library. For this purpose, SaltyRTC is used as the signaling protocol and a SaltyRTC server operated by Threema is used as the signaling server in order to exchange metadata that are required to establish the connection. In contrast to "pure" WebRTC, this SaltyRTC server does not have to be trusted to establish a secure connection, which is implemented by means of a corresponding key (valid for the session) that is known to both devices through "transmission" through the QR code.

After the connection has been established, the user can send and receive messages, manage groups and display cell phone contacts (including phone numbers and email addresses) on the desktop. It is currently (as of February 2017) not possible to create or participate in surveys. In order to be able to restore sessions faster, the user can define a password before scanning the QR code, with which the session is encrypted with the NaCl, saved locally in the browser (in the local storage ) and by entering the password the next time he visits the Page that can be decrypted and recovered. A push (with Android via Google Cloud Messaging ) is sent to the Threema app by means of another Threema server , which wakes it up and thus initiates the restoration of the session. The saved session can also be deleted in the browser (without entering a password).

With Threema Web, the messages are processed by the mobile phone and sent to the web client or received in the web client (by the user) and sent via the Threema app. It is therefore not possible to operate the web client without a connected Threema app.

Threema Web can be used with the Android app from version 3.0 and the iOS app from version 4.0. Current browser versions are recommended as browsers, although Safari only works with the iOS version of the app.

Profile pictures

On May 15, 2017, Threema published updates that introduced profile pictures for all supported platforms that users can set for their own Threema ID. The profile pictures can be set optionally and are only sent end-to-end encrypted when sending messages to other users. The user can determine whether the profile picture should be sent to all users to whom he sends messages, only to selected contacts or not at all. If the latter is chosen, you can only see your profile picture yourself. As the recipient of the profile picture, the user can also decide whether the self-selected profile pictures should be displayed (corresponds to the default setting) or not, whereby - as before - the possibly specially defined contact pictures are used.

Voice calls

On August 7, 2017, Threema started a public beta test for iOS and Android users of the app, which enables VoIP calls. "Normal" Threema messages are used to establish the connection. H. only the Threema ID is used to identify the participants. This means that the telephone number is not required, as is common with other providers. A constant bit rate (with the Opus codec) is used for audio coding in order to prevent attackers from guessing content due to the variable size of the data stream (with variable bit rate). WebRTC is used for the encryption itself , whereby (D) TLS 1.2 and specified cipher suites are used. Threema calls also offer forward secrecy at the end-to-end level .

If the called and calling contact is verified via a QR code (green trust level), the connection is, if possible, also established directly from device to device ( peer-to-peer ) by default . Since the IP address is inevitably known to each other, this behavior can be deactivated in the settings, so that all calls are routed via the Threema server. In this case the IP addresses are not known to the call participants.

The call function can be completely deactivated. On September 14, 2017, Threema released the final updates for the iOS and Android versions of the app that included this feature.

Threema Safe

On December 13, 2018, Threema released a new variant for data backup under the name "Threema Safe", initially only for the Android version. Support for the iOS version was implemented on February 5, 2019 with version 4.1. This replaces the integration into the Android system backup previously used with Android, which according to Threema did not work reliably. The new backup system automatically backs up the Threema ID, contacts, some Threema settings and other data once a day. The backup is compressed and encrypted using the NaCl library before it is uploaded to a Threema server by default. The key used for encryption is generated from an at least 8-digit password of the user and the Threema ID using scrypt . The resulting output is partially used as a file name so that the server (or an attacker who downloads the data) cannot assign the uploaded backup to a Threema ID. In addition, the server should limit the requests to the files in order to make brute force attacks that could lead to the download of the file more difficult. The backup should work across platforms and, for example, if the operating system is changed, it should only be possible to restore the backup with the Threema ID and the selected password.

In addition, the backup can also be saved on a separate server that supports WebDAV . For example, it can currently be used with OwnCloud / Nextcloud or with an unofficial, open source server implementation in the Rust programming language .

It should be noted that the backup does not save the chat history and media and is usually only a few kilobytes in size. The option of local data backup in a ZIP file (under Android) as well as the sole backup of your own ID is retained.

Video calls

A video calling beta was released on April 9, 2020. On August 10, 2020, the final updates for the fully end-to-end encrypted video calls were released.

privacy

Since, according to the manufacturer, the Threema servers are exclusively located in Switzerland, the company is subject, among other things, to the Swiss federal law on data protection and the General Data Protection Regulation . The data center is also ISO 27001 certified.

Threema offers to synchronize your own address book with the Threema servers. If the telephone number or e-mail address of a contact in the address book matches the Threema database, the contact ID is automatically added to the Threema contact list. Instead of uploading the local address book to a server, as other messaging services do, only checksum values ( SHA-2 56- HMAC with a static key) of the contact data (e-mail address and telephone number) are sent to the server. Because of the small number of possible combinations of numbers in a telephone number, the telephone number belonging to a checksum can easily be determined using brute force . The data is therefore transmitted in a TLS- secured manner. According to the manufacturer, address book data is only kept in the server's main memory and is deleted after checking for known contacts.

If you optionally link your own Threema ID with your email address or telephone number, only the SHA-256 - HMAC is saved on the server. The phone numbers, however, were stored in plain text until 2017. The reason for this was given by employees as the slight possibility of attack using brute force attacks. Since 2018, the phone numbers have also been hashed when uploading. The linking of both data to the Threema ID can also be removed at any time.

Group messages are sent individually to each recipient in order to prevent the server from knowing the composition of the groups.

In February 2014, Stiftung Warentest rated Threema as the only one of five messenger apps tested as uncritical in terms of data protection.

The data stored on the device is stored in encrypted form and can optionally be given a password on Android .

Since the end of 2016, Threema GmbH has published a transparency report in which it discloses inquiries from authorities.

history

Threema for Android

version	publication	Innovations
Current version: 4.4	August 10, 2020	Fully end-to-end encrypted video calls Practical overview of the open surveys in the upper area of ​​the chat Privacy option to prevent Android 10 answer suggestions in notifications Continuous playback of subsequent voice messages Various minor UI improvements and optimizations Turkish translation
Older version; still supported: 4.34	July 1, 2020	Internal camera: Improved stability and support for additional device models Threema Web: Fixed a bug that could lead to the transfer of large files causing the connection to be broken
Older version; still supported: 4.33	April 16, 2020	Fixed the bug that caused discarded tooltips to reappear Fixed possible crash on missed Threema calls
Older version; still supported: 4.32	April 7, 2020	Fixed missing display of missed calls
Older version; still supported: 4.31	April 3, 2020	Automatically download media by content type, not message type Keep camera settings Update of translations Fixed various bugs
Older version; still supported: 4.3	February 27, 2020	This update requires Android 4.4 or higher. Integrated video camera (selected devices, from Android 8) Integrated video editor for shortening videos (selected devices, from Android 8) Over 100 new emojis from the Unicode 12 standard Automatic download can also be activated for videos and files Advanced photo editing Improved display of stickers Threema Web: stability improvements Fixed various bugs and further improvements
Older version; still supported: 4.24	June 15, 2020	Threema web connection problems on devices with Android 4.1–4.3 fixed Only devices with Android 4.1–4.3 installed will receive this update.
Older version; still supported: 4.22	November 28, 2019	TLSv1.2 and TLSv1.3 are enforced on Android 4.1–4.4 (if supported by the device) Numerous bug fixes, stability and performance improvements For security reasons, Threema will no longer allow connections with TLSv1.0 or TLSv1.1 from January 2020. This applies to all devices with Android 4.0 and some devices with Android 4.1-4.4.
Older version; still supported: 4.2	October 28, 2019	Support of proxy servers (HTTP CONNECT and SOCKS) Small optimizations of the appearance Improved compatibility of the internal camera with some cell phones Numerous bug fixes, stability and performance improvements
Older version; still supported: 4.12	October 21, 2019	This version fixes a potential vulnerability in the player for animated GIFs
Older version; still supported: 4.11	19th August 2019	Workaround for OCSP stapling bug in Sony Xperia L3 firmware Management of background images improved General Troubleshooting
Older version; still supported: 4.1	August 1, 2019	Integrated camera: full screen, optical zoom and focusing by tapping added Fixed problem with missing contact pictures Corrected display of the number of archived chats Crash when starting the location selection when the language is set to Czech Fixed problems with the chat list update on certain cell phones (especially Android 5 and 6) Further improvements and various bug fixes
Older version; still supported: 4.0	23rd July 2019	This version of Threema requires Android 4.1 or higher ( note in the version history note in the FAQs ) New appearance according to the current "Material Design" as well as improved navigation Archive chats Integrated camera app and QR code scanner New map display and location selection without Google Maps Biometric lock via fingerprint or face unlock (on phones that support the official API) Configurable storage location for data backups Quote by swiping Improved connection establishment of Threema Web in networks with incorrect IPv6 configuration
		Threema for Android v3.7 and older

Threema for iOS

version	publication	Innovations
Current version: 4.6	August 10, 2020	Fully end-to-end encrypted video calls Grouped notifications in Notification Center Adjusted the volume of voice recordings Relative dates in chats Support of diacritical marks in the contact list search Removed button for starting cellular calls from contact details VoiceOver improvements Various other improvements and various bug fixes
Older version; still supported: 4.5.4	June 08, 2020	Translations: Basque (Spain) and Turkish Show dialog when discarding unsent voice messages Share multiple media of a chat at once New icons added to «Settings» Show captions below picture messages Redesign of the status messages Size restriction of chat exports increased from 100 to 300 MB Swipe recognition for quoting messages improved Various improvements for Threema calls, Threema Web and VoiceOver Various other improvements and various bug fixes
Older version; still supported: 4.5.3	17th March 2020	Fixed bug with Touch ID and Face ID
Older version; still supported: 4.5.2	March 15, 2020	Fixed bug in code lock
Older version; still supported: 4.5.1	March 10, 2020	iOS 13: Set the design style ("light" or "dark") independently of iOS (in "Settings> Appearance> Design style") Leave groups by swiping to the left Text formatting in in-app notifications Icons added to «Settings» Fixed a bug when using third party keyboards in group chats Various other improvements and various bug fixes
Older version; still supported: 4.5	February 25, 2020	iOS 13: The design style ("light" or "dark") is now set via iOS: "Settings> Display & brightness" iOS 13: 3D Touch replaced by Haptic Touch Swipe to quote messages Revised in-app banner for notifications When leaving (via group details> "Leave group"), groups are no longer deleted Share contacts Have text messages read out («Speak selection») Translation into Czech Fixed a bug that occurred while dictating in group chats Various improvements to Threema Web Various improvements to Threema calls Various other improvements and various bug fixes
Older version; still supported: 4.4.3	4th December 2019	Fixed a bug that occurred when sharing Live Photos
Older version; still supported: 4.4.2	November 13, 2019	Increased contrast for speech bubbles in a dark design Fixed a bug that could cause the call duration to be displayed incorrectly Various minor user interface improvements Fixed various minor bugs and other improvements
Older version; still supported: 4.4.1	October 30, 2019	Fixed an error that could occur in very rare cases during the database migration
Older version; still supported: 4.4	October 29, 2019	User interface revised: Uniform color scheme, "My ID" restructured and renamed to "My Profile", "Settings" cleaned up, etc. Storage management: delete all messages or media of a certain age at once General overhaul of Threema Web: stability and speed fundamentally improved General overhaul of Threema calls: connection establishment optimized Various improvements for iOS 13 When there is an existing connection to the Threema server, no more colored stripes are displayed, only when there is an interruption (red) and connection is being established (orange) Proxies are now supported (HTTP CONNECT or SOCKS) Numerous other improvements and various bug fixes
Older version; still supported: 4.3.2	13th August 2019	Fixed various minor bugs and other improvements
Older version; still supported: 4.3.1	July 22, 2019	Fixed a possible crash when connecting to Threema Web Fixed a crash when mentioning users whose names contain emojis
Older version; still supported: 4.3	16th July 2019	Info: This update requires iOS 10 or higher. “Mention” function in group chats: Select group members with the “@” sign and address them directly Preview of links using 3D Touch The duration of audio messages is specified in push notifications and in the chat overview Music continues after the video is played Deleting chats requires confirmation Further improvements and various bug fixes
		Threema for iOS v4.2.3 and older

criticism

Since the source code of the application is not published (Threema is therefore not open source software), users can only check the statements about the functions and security of the program by means of reverse engineering , which the manufacturer does not explicitly exclude in its license conditions and which has already been carried out. Alternatively, security could be checked, for example, by an independent external IT security audit. Since such an external IT security audit is version-bound, it would also have to be carried out again for each new version. For economic reasons, the manufacturer therefore initially waived the audit process. The end of 2015 was the program of the cnlab Security AG , an IT security service from Switzerland, audited and found to be safe. In 2019 another audit was carried out by the Laboratory for IT Security at the Münster University of Applied Sciences . In contrast to the first test, the entire audit report was published. The testers found a few uncritical vulnerabilities (“low to medium risk”) in the company's Android and iOS apps, but noted that these were quickly fixed. In addition, they confirmed that the statements made in the whitepaper and on Threema's website are correct and attested that Threema's “security and privacy features are intact and effective.” (“[Threema's] security and privacy features are intact and effective.”) . It cannot be proven whether the source code checked by the audit is actually used 100% in the product delivered to the customer. In the case of public code and optimally traceable production of the executable files, the security could be checked by any professionally experienced person or company, whereas the audit service provider must currently be trusted according to the argument of authority .

With its validation logging function, the manufacturer offers the possibility of examining encrypted messages for their encryption quality. However, it cannot be clearly determined whether the messages are actually transmitted in exactly the same way, since the communication exchange between the participants takes place via a TLS- encrypted connection with the manufacturer's server. The validation thus only shows whether the NaCl library was used correctly.

In August 2013 it became known that the encrypted messages sent under iOS are stored in clear text on the device's memory, provided the device used is not protected by a code lock. This data on the device memory is also uploaded to the iCloud when the data backup is activated and the iCloud backup is activated . However, at least with the iCloud backup, the data is additionally encrypted by the device's unique device ID (UID).

Solutions for companies

According to the provider, Threema is "tailored" to private use. This does not seem to rule out business use. The following products are offered for business use:

Threema Gateway

Since March 20, 2015, Threema has been offering the “Threema Gateway” service for companies. Similar to an SMS gateway service, messages can be transmitted and received with it. At Threema, however, these are sent in encrypted form. According to the company, use cases are, for example, the secure sending of m TAN , eTAN or OTP , alarms for blue light services, secure password exchange, secure news channel for internal company communication or confidential customer communication. To use the gateway you need to register and receive an API key, whereby you can choose between a variant without end-to-end encryption and - with a surcharge for the setup fee - with end-to-end encryption. A self-determined (gateway) Threema ID is included in the offer, whereby the ID always begins with an asterisk (*) at the beginning of the ID in order to be able to distinguish it from "normal" Threema IDs. The software for encrypting the messages is open source and can be used for complete end-to-end encryption. The function can be integrated using an API . A software development kit in PHP , Python and Java , licensed under the MIT license , is provided by Threema for this purpose.

Since June 8, 2015, you can also test the gateway with a limited number of messages free of charge via a web interface and set a profile picture for your own Threema ID.

On August 24, 2015, the function was introduced to send images and other files (with a maximum size of 20 MB) via the gateway.

Threema Work

Since May 25, 2016, Threema has been offering a special version of the Threema app for companies ("Threema Work"), which can be installed in addition to the "normal" version of the app aimed at private customers and can also be distributed via MDM systems. This version of the app has also been available through resellers since November 2016 .

At the beginning of 2017, Threema announced on Twitter that one of the largest hospitals in the Netherlands (the Academic Medical Center University Hospital ) is using Threema Work. Even Daimler sets threema work as a "safe chat solution".

At the beginning of December 2017, Threema updated the management web interface, which now also allows administrators to configure Threema without a special MDM system. In addition, basic usage statistics (operating system version, number of users, ...) can be displayed. At the same time, the product portfolio has been simplified so that, with the exception of NGOs and educational institutions, there are only offers with periodic payment. Instead, a free trial was introduced.

On April 3, 2018, Threema Education, a discounted edition of Threema Work for educational institutions, was published. Shortly after publication, the pricing model was changed so that with Threema Education, in contrast to Threema Work, only a one-time payment is required and there are no recurring costs.

At the beginning of 2019, Threema announced that the Swiss federal authorities would use Threema Work for internal communication. On June 13, 2019, it was announced that Bosch was using Threema Work. From April 2020, licenses for teaching staff of the state of Baden-Württemberg will be rolled out free of charge and voluntarily for business communication.

Threema broadcast

The beta project “Threema Broadcast” was presented at a Mercedes event in April 2017. This is intended to distribute “periodic information” to “larger user groups” and form Threema Business Solutions with the two other products . The product was officially presented on August 9, 2018.

With Threema Broadcast, feeds (similar to public newsletters), closed distribution lists (to reach a fixed group of contacts) and chatbots can be created, as well as special (centralized) group chats can be managed and moderated. A group chat is recorded / managed using a broadcast ID in the group chat, which also represents the group administrator. All group members can query whether the messages are recorded by this ID. The offer is mainly designed for "top-down communication", e.g. B. for sending newsletters or answering customer questions. Management takes place via a web interface and - in comparison to the Threema Gateway with the SDK method - is not end-to-end encrypted. Instead, the messages are managed and encrypted centrally on the Threema servers. For the user, it works similarly to Threema Gateway. For example, Threema Broadcast IDs can also be recognized by an asterisk (*) at the beginning of the ID, whereby the ID continues with "BC" as standard, but can also be freely selected by the company for a fee. It can be purchased individually in different price packages - depending on the number of users - or used with Threema Work or Threema Education, in which it is included.

Threema forum

In addition to the official support website, there is a German-language Threema forum. The official Threema support team has also been active there since October 2015.

See also

• List of mobile instant messengers

Web links

• Official website
• Test of the Stiftung Warentest
• Threema Cryptography Whitepaper (English)
• Threema forum

Individual evidence

1. ↑ The apps from Threema GmbH. In: Google Play . Retrieved December 14, 2018 . 
2. ↑ ^{a b} Threema - What's new? Retrieved August 10, 2020 . 
3. ↑ Threema Web on GitHub. Accessed January 30, 2020 (English). 
4. ↑ App Remote Protocol on GitHub. Accessed January 30, 2020 (English). 
5. ↑ These messengers are more secure than encrypted emails. May 13, 2018, accessed March 20, 2020 . 
6. ↑ SECURE MESSAGING APPS COMPARISON. Retrieved March 23, 2020 (English). 
7. ↑ Threema press information. (PDF) (No longer available online.) Threema, January 2020, archived from the original on March 2, 2020 ; accessed on March 2, 2020 . 
8. ↑ Which Android version is required? - Threema. Retrieved March 14, 2020 . 
9. ↑ Which iOS versions are supported? - Threema. Retrieved March 14, 2020 . 
10. ↑ Threema: Threema will be removed from the Windows Store in March 2020. In: www.microsoft.com. Retrieved March 15, 2020 . 
11. ↑ threema.ch
12. ^ Threema Web. Retrieved March 23, 2020 . 
13. ↑ ^{a b c d} Patrick Beuth: An app to annoy the NSA. In: The time . August 14, 2013, accessed November 4, 2014 . 
14. ↑ cnlab security AG: External Audit - Security Statement. (PDF) November 2, 2015, accessed on January 13, 2015 . 
15. ^ ^{A b} Threema GmbH: New Threema Audit. March 28, 2019, accessed March 28, 2019 . 
16. ↑ ^{a b c} Threema GmbH: Privacy Policy - Threema App. July 3, 2018, accessed February 10, 2019 . 
17. ↑ Where does the name come from? Threema GmbH, accessed on November 4, 2014 . 
18. ↑ Threema. The best-selling secure messenger. (PDF) Threema GmbH, accessed on January 31, 2017 . 
19. ↑ Threema: Send any files securely: New at Threema. Threema GmbH, accessed on July 14, 2015 . 
20. ↑ How can I send a file? - Threema. Retrieved September 20, 2017 . 
21. ↑ How do I create a survey? Threema GmbH, accessed on November 18, 2015 . 
22. ↑ Threema Blog: Big Update for Android December 9, 2014.
23. ^ Threema Web. The web client for Threema is here. Threema GmbH, February 15, 2017, accessed on February 15, 2017 . 
24. ↑ ^{a b} Threema for iOS: web client and much more. October 29, 2018, accessed December 14, 2018 . 
25. ↑ Contact. Threema GmbH, accessed on November 4, 2014 . 
26. ↑ Where are the servers located? Threema GmbH, accessed on November 4, 2014 . 
27. ↑ Interview with Threema developer: The NSA is helping. In: Appgefahren.de. July 20, 2013, accessed November 4, 2014 . 
28. ↑ Henning Steier: Messenger Wire: Difficult search for unique selling points. In: Neue Zürcher Zeitung . August 12, 2015. Retrieved June 19, 2017 . 
29. ^ Daniela Leistikow: iPhone and iPad: Threema is the best-selling app of 2014. In: Computer Bild . December 9, 2014, accessed June 19, 2017 . 
30. ↑ Hakan Tanriverdi: Whatsapp competitor Threema doubles the number of users. In: Süddeutsche Zeitung . February 21, 2014, accessed June 19, 2017 . 
31. ↑ Martin Weigert: Threema has 2.8 million users. In: Netzwertig.com. May 2, 2014, accessed November 4, 2014 . 
32. ↑ Marco Metzler: Threema cryptography app: Swiss people ensure privacy. In: Neue Zürcher Zeitung. June 28, 2015, accessed August 12, 2015 . 
33. ^ Die Zeit : The Germans are looking for Threema , December 16, 2014.
34. ↑ Threema. The best-selling secure messenger. (PDF) Threema GmbH, December 22, 2015, accessed on February 15, 2017 . 
35. ↑ Niklas Hintermayer: Encrypted messages. Forbes.at, January 7, 2019, accessed on January 17, 2019 . 
36. ↑ threema.ch, March 1, 2014: Threema Encryption Validation (English)
37. ^ NSA, January 15, 2009: The Case for Elliptic Curve Cryptography ( Memento of May 29, 2015 in the Internet Archive ) (English).
38. ↑ Teltarif.de, October 2, 2013, Hans-Georg Kluge: Experience report: Threema secures chats with encryption .
39. ↑ Threema, FAQ - Does Threema offer forward secrecy?
40. ↑ ^{a b} Threema, Cryptography Whitepaper (English)
41. ↑ ^{a b} Hristo Dimitrov, Jan Laan, Guido Pineda: Threema security assessment (PDF, English).
42. ↑ Threema Blog: iOS Update 2.1.1 February 11, 2015.
43. ↑ Version 2.6 for Android: Unique agree / reject function and much more. In: threema.ch. Retrieved February 3, 2016 . 
44. ↑ Threema, FAQ - Why is it important that I create a backup of my ID?
45. ^ Android, developer.android.com
46. ↑ ^{a b} Threema GmbH: Threema Safe: The anonymous backup solution for your most important Threema data. In: Threema Blog. December 13, 2018, accessed December 14, 2018 . 
47. ↑ Threema, FAQ - Why am I not receiving any or delayed push notifications?
48. ↑ myid.threema.ch
49. ↑ Heise.de, Threema destroys account on request
50. ^ Threema Web - Threema. Retrieved February 16, 2017 . 
51. ↑ ^{a b c d} Threema Web Whitepaper. February 15, 2017, accessed February 16, 2017 . 
52. ↑ Why SaltyRTC? Retrieved February 16, 2017 . 
53. ↑ GitHub - saltyrtc / saltyrtc-client-js: SaltyRTC JavaScript implementation. Retrieved February 16, 2017 . 
54. ↑ What functions does Threema Web offer? - Threema. Retrieved February 16, 2017 . 
55. ↑ What is a session and what is the session password for? - Threema. Retrieved February 16, 2017 . 
56. ↑ What are the system requirements for Threema Web? - Threema. Retrieved February 16, 2017 . 
57. ↑ Threema-style profile pictures. May 15, 2017. Retrieved May 16, 2017 . 
58. ^ Threema calls - Threema. Threema GmbH, accessed on December 6, 2017 . 
59. ↑ Threema calls: public beta test. August 7, 2017. Retrieved August 7, 2017 . 
60. ↑ Threema can now encrypt voice calls: developers ask for support with beta testing. In: heise online. August 7, 2017. Retrieved August 7, 2017 . 
61. ↑ Threema GmbH: Threema Safe for iOS. In: Threema Blog. February 5, 2019, accessed February 10, 2019 . 
62. ↑ Where is «Android Backup»? In: Threema FAQ. Retrieved December 14, 2018 . 
63. ↑ Which data are contained in Threema Safe-Backups? In: Threema FAQ. Retrieved December 14, 2018 . 
64. ↑ What makes Threema Safe secure? Threema FAQ, accessed on December 14, 2018 . 
65. ↑ Messenger app: Threema introduces new back-up solution . In: Spiegel Online . December 14, 2018 ( spiegel.de [accessed December 14, 2018]). 
66. ↑ How can I save Threema Safe backups on my own server? In: Threema FAQ. Retrieved December 14, 2018 . 
67. ↑ rugk: Use Threema Safe with Nextcloud. Threema Forum, December 14, 2018, accessed December 14, 2018 . 
68. ↑ Danilo Bargen: Sekurŝranko, an efficient and memory-safe Threema Safe server implementation in Rust .: dbrgn / sekursranko. December 14, 2018, accessed December 14, 2018 . 
69. ↑ Video calls: Beta phase starts. In: threema.ch. April 9, 2020, accessed April 11, 2020 . 
70. ↑ Threema-style video calls. In: threema.ch. August 10, 2020, accessed August 10, 2020 . 
71. ↑ ^{a b} Threema GmbH: Data protection declaration - Threema. (No longer available online.) Archived from the original on October 30, 2017 ; accessed on February 10, 2019 (2017 version of the app). 
72. ↑ Leaflet: Security and data protection. (PDF) Threema GmbH, August 24, 2017, accessed December 6, 2017 . 
73. ↑ rugk / threema-msgapi-sdk-php. Retrieved February 1, 2017 . 
74. ↑ Threema, Frequently Asked Questions - Will my address book data be transferred?
75. ↑ ^{a b} Threema GmbH: Transparency report - Threema. (No longer available online.) October 25, 2016, archived from the original on June 23, 2018 ; Retrieved February 1, 2017 (2018 version). 
76. ↑ Danilo Bargen (@dbrgn): Updated website including transparency report . Answer in thread. Threema Forum, October 27, 2016, accessed on February 10, 2019 . 
77. ^ Messenger rapid test by Stiftung Warentest test.de from February 26, 2014.
78. ↑ Threema, FAQ - Are messages stored on my device encrypted?
79. ^ Threema GmbH: Transparency report - Threema. January 11, 2019, accessed February 10, 2019 . 
80. ↑ Threema - Seriously secure messaging - Why is the source code not disclosed? threema.ch, accessed on January 20, 2016 . 
81. ↑ Jan Ahrens: Threema protocol analysis. (PDF, English).
82. ↑ Why does Threema not undergo an external security check? (No longer available online.) In: Threema FAQ. Archived from the original on January 11, 2015 ; accessed on November 12, 2015 . 
83. ↑ Threema audit completed: "End-to-end encryption without weaknesses". Heise online , accessed on November 3, 2015.
84. ↑ Threema GmbH: How is the security check carried out at Threema? In: Threema FAQ. Retrieved February 10, 2019 . 
85. ↑ Fabian Ising, M.Sc., Damian Poddebniak, M.Sc., Prof. Dr. Sebastian Schinzel .: Security Audit Report - Threema 2019 . Ed .: FH Münster. March 28, 2019, p. 27 (English, threema.ch [PDF]). 
86. ↑ golem.de, Threema validation is not very informative , accessed on June 29, 2014.
87. ↑ Hetzel.net, August 12, 2013, Timo Hetzel, Threema - plain text via USB and iCloud backup .
88. ↑ Threema, Cryptography Whitepaper (PDF, p. 9).
89. ↑ Threema support website: Can I also use Threema for business? threema.ch, accessed on July 29, 2020 . 
90. ↑ Threema Gateway - Offer. In: gateway.threema.ch. Threema GmbH, accessed on November 18, 2015 . 
91. ↑ Threema Gateway - Seriously secure messaging. In: gateway.threema.ch. Threema GmbH, accessed on November 18, 2015 . 
92. ↑ threema-ch / threema-msgapi-sdk-java. In: GitHub. Retrieved on August 17, 2015 (current version on the Threema Gateway website ). 
93. ↑ threema-ch / threema-msgapi-sdk-php. In: GitHub. Retrieved on August 17, 2015 (current version on the Threema Gateway website or in a fork ). 
94. ↑ lgrahl / threema-msgapi-sdk-python. In: GitHub. Retrieved November 18, 2015 (This is the official fork, as linked on the official Threema Gateway page , an outdated version can also be found on GitHub ). 
95. ↑ iX: Threema Gateway enables even encrypted messages to be sent. Retrieved November 18, 2015 . 
96. ↑ Threema Gateway with new functions. In: threema.ch. Retrieved June 10, 2015 . 
97. ↑ Receive and send images and documents with the Threema Gateway. In: threema.ch. Retrieved August 24, 2015 . 
98. ↑ Threema now also for companies: Threema Work. In: threema.ch. May 25, 2016. Retrieved January 13, 2017 . 
99. ↑ Reseller program for Threema Work. In: threema.ch. November 23, 2016, accessed January 13, 2017 . 
100. ↑ Threema on Twitter . In: Twitter . January 12, 2017 (English, twitter.com [accessed February 1, 2017]). 
101. ↑ Daimler uses Threema Work as an internal company messenger. March 21, 2017. Retrieved March 21, 2017 . 
102. ↑ ThreemaWork . In: Daimler . ( daimler.com [accessed March 11, 2017]). 
103. ↑ Threema MDM: Full control over the Threema Work app. Threema GmbH, December 6, 2017, accessed on December 6, 2017 . 
104. ↑ Documentation - Threema Work. Threema GmbH, accessed on December 6, 2017 . 
105. ↑ Offers and prices - Threema Work. Retrieved December 6, 2017 . 
106. ↑ Threema Education: A special offer. Retrieved August 10, 2018 . 
107. ↑ Even more reasons for Threema Education. Retrieved August 10, 2018 . 
108. ↑ Sebastian Grüner: Messenger: Swiss Confederation relies on Threema - Golem.de. Golem.de, February 14, 2019, accessed on May 7, 2019 . 
109. ↑ Bosch relies on Threema Work for mobile communication. June 13, 2019, accessed June 13, 2019 . 
110. ^ Julian Burgert: Messenger for teachers. In: km-bw.de. Ministry of Culture, Youth and Sport Baden-Württemberg, April 15, 2020, accessed on May 6, 2020 . 
111. ↑ Speaker profile: Roman Flepp @ ​​65th MBSMN 6.4.17 . In: Social Media Club Stuttgart . April 4, 2017 ( smcst.de [accessed May 1, 2017]). 
112. ↑ Threema Broadcast: Threema communication reaches a new dimension. Retrieved August 10, 2018 . 
113. ^ Threema Broadcast. Retrieved August 10, 2018 . 
114. ↑ Frequently asked questions - Threema Broadcast - What are centrally managed group chats? Retrieved August 10, 2018 . 
115. ↑ heise online: Instant Messaging: Threema Broadcast facilitates company communication. Retrieved August 10, 2018 . 
116. ↑ Frequently asked questions - Threema Broadcast - Can the broadcast ID be freely selected? Retrieved August 10, 2018 . 
117. ↑ Cooperation with Threema-Forum launched. In: threema.ch. Retrieved November 7, 2015 .