Data privacy & cybersecurity for normal people
TheNewOil.org

2022 Review: Threema

What is Threema & Why Do You Need It?

Threema is an end-to-end encrypted messenger available on Android and iOS. Linux, Mac, Windows, and web clients also exist, but you’ll have to create an account on mobile first before connecting them (like Signal). I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.


The Good

Threema has a lot of strong attributes to like. Starting at the top, the company is based in Switzerland, which is well known for having strong consumer data privacy laws. They follow this up by having been audited by Cure53 – a well-reputed security company with a history of audits like this. Finally, Threema offers a lot to their users in the way of privacy and anonymity. You can sign up without ever entering any personal information, like a phone number or username. Instead, they assign you a randomly-generated username – a short, easy-to-share one, unlike the long IDs of some other messengers – which can just as easily be shared as a QR code. You can also pay for a license via the website, using a masked payment option (such as a privacy.com card or a prepaid gift card) and an alias or masked email address for near total anonymity.

The online payment option is particularly valuable for people with De-Googled devices, and on that topic Threema has been a champion of open source and free software ever since they open sourced their code in late 2020. Some of their recent privacy-first moves include things like trying to raise awareness for data privacy week, running an ice cream truck where they asked people to pay with their data to point out how invasive and ridiculous it is, and moving away from Google services for push notifications on Android, which later evolved into Threema Libre, a fully open-source version that does not have any proprietary dependencies and can be downloaded via F-Droid (or a similar front-end like Neo Store). It should be noted that this is the version I tested for this review.

On that note, from an end-user perspective, Threema worked very well. Signing up – even with a key purchased from the site – was a pretty straightforward process. Certainly not as “insultingly easy” as something like Signal or Session, but also nothing out of the ordinary that would be confusing to anyone who’s ever signed up for another service like email or social media. Adding people was pretty straightforward: just go to “Start a Chat” then click “New contact” and either paste their username or scan the QR code. Syncing to the desktop was similar to Signal in that you scan a QR code, except that you also have to enter your password for persistence, and every time you start the desktop app you have to enable the session on your mobile device, so that’s a little annoying. Messages sent and arrived quickly with no issues, and voice chats were received with perfect, impressive clarity. I unfortunately didn’t make any time for voice or video calls, but based on my other experiences I assume they would’ve worked with perfect clarity and reliability.


The Bad

As with every service, Threema is not without flaws. The most prominent of these is that Threema is not financially free. The fee to use the service is one time, and it is only about $5, but not everyone has $5 to spare and some people aren’t willing to pay for a messenger even if they do have it, thanks to years of getting things for free (as well as the availability of options like Signal, which are more secure – more on that next – and still free). Threema accurately argues that you’re always paying somewhere – if not with cash then with data – but this can still be a hard pill to swallow for some.

More importantly, Threema’s security is not on par with Signal’s. Now regarding this particular post I just shared, I want to make two notes. First, it’s nearly a year old. I would hope Threema has fixed any serious issues by now. I did reach out to them asking them about this post and they dismissed the criticisms as “valid but well-known and non-essential,” saying they were “based on misconception or not relevant in regards to Threema’s practical use case.” In other words: the people at Threema disagree that these are security vulnerabilities at all on the grounds that it’s either a misunderstanding of how Threema works, or it’s not within the scope of problems Threema is aimed at solving. That brings me to my second point: I want it to be noted that I personally have some issues with this post. I really don’t want to get into it too much and derail the review, but the short version is “I think it’s obvious the author went into this research with some kind of bias.” That’s not me trying to attack them, for the record. I know nothing about this author or the work they do. I just wanted to say that in case anyone else reads that post and notices the same things I did. Having said that, I have no reason to suspect that the conclusions and findings were fabricated or invalid. Does this make Threema not worth using? Not in my opinion. But I do think it’s worth knowing the shortcomings of a messenger. Between the article itself and Threema’s rebuttal, I personally land on the belief that Threema’s security is probably fine for general, day-to-day talk with family and friends. Would I trust it if I were Edward Snowden fleeing the CIA? Probably not. Asking my wife if she needs me to grab anything from the grocery store? Sure.

There are some other downsides beyond questionable cryptographic choices, some of which may be more impactful for daily users. For one, Threema is centralized. We’ve seen this become a problem in the past with other messengers like WhatsApp and Signal, both of which have had outages. In my opinion, the main concern with centralized messengers is really the risk of an outage for one reason or another. But theoretically there can also be risks of censorship and compromise, depending on the app in question.

The aforementioned audit is also getting pretty old, having last been done in October 2020. At the time of publication, that’s nearly two years old. A lot can change in the digital landscape in just two years. Finally, Threema offers no form of multifactor authentication. The only thing standing between your account and an attacker who wishes to take over your account and pose as you is your password. We can only hope all their users are using good password practices and that Threema is storing those passwords with a strong hashing algorithm.

Conclusion

There are lots of options out there for encrypted messaging these days. Threema has long been a popular option, and it’s got some features worth considering: usernames, audits, strong jurisdiction, and a responsive and pleasant user experience. Getting your friends and family to fork over the $5 may be a challenge, but if they are willing to do so, Threema certainly doesn’t seem like the worst choice you can make when it comes to picking a private messenger. If some of the other popular recommendations – like Signal, Session, or Matrix – aren’t right for you, Threema would be worth checking out.

You can check out Threema here.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.