Practical privacy and simple cybersecurity.
TheNewOil.org

2023 Review: Threema

What is Threema & Why Do You Need It?

Threema is an end-to-end encrypted (E2EE) messenger available on Android and iOS. Linux, Mac, Windows, and web clients also exist, but you’ll have to create an account on mobile first before connecting them (similar to Signal). I have long advocated for the need for E2EE in your daily communications for both practical and philosophical reasons. Practically, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW content (if that's something you choose to engage in with another consenting adult). Philosophically, I believe that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible, practical, and economical.


The Good

Threema offers several positive qualities. To start, the company is based in Switzerland, a country known for having strong data privacy laws. They follow this up by being audited by Cure53, a reputable security company with a history of such audits, along with a few informal specialized audits of specific aspects of the app by other organizations. In a big development, Threema finally added Perfect Forward Secrecy this year. In a nutshell, PFS automatically rotates your encryption keys periodically, so that an attacker who manages to compromise one key cannot decrypt all of your past and future messages. Finally, Threema offers a lot to their users in the way of privacy and anonymity. You can sign up without ever entering any personal information, like a phone number or username. Instead, they assign you a randomly generated username in the form of a short, easy-to-share alphanumeric code, which can just as easily be shared as a QR code. You can pay for a license via the website, using a number of privacy-focused payment options such as virtual cards or even Bitcoin, together with an alias email address, for near-total anonymity. (Note: users should always be aware that Bitcoin is not truly anonymous by default but is, in my opinion, an improvement over a typical debit or credit card.)

The online payment option is particularly valuable for people with “de-Googled” devices, which seems to be in keeping with their values. Threema has been a champion of open source and free software ever since they made their code source-available in late 2020. Some of their recent privacy-first efforts include raising awareness for Data Privacy Week, running an ice cream truck where customers were asked to pay with their data to point out how invasive and ridiculous it is, and moving away from Google services for push notifications on Android, which later evolved into Threema Libre, a fully source-available version with no proprietary dependencies, available via F-Droid. For the record, this is the version I use.

From an end-user perspective, Threema functions smoothly. The signup process, even with a key purchased from the site, is a straightforward, intuitive, and user-friendly process. It is certainly not as “insultingly easy” as something like Signal or Session, but there is also nothing out of the ordinary that would be confusing to anyone who’s ever signed up for another service like email or social media. Adding contacts is simple, requiring only pasting their username or scanning a QR code. Syncing to the desktop was similar to Signal in that you scan a QR code, except that on every launch it will require a password and you'll have to enable the session on your mobile device. This is not an app you can sign up with on mobile and then never touch the phone again, like Signal or Session. It's a bit annoying and honestly prevents me from using it most of the time unless I'm typing out a particularly long message. Regardless, messages send and arrive quickly with no issues, and voice chats boast impressive clarity. I unfortunately didn’t make any time for voice or video calls, but based on my other experiences I assume they would’ve worked with perfect clarity and reliability.


The Bad

Threema is not without flaws. The most glaring is the financial cost. While the fee is a one-time payment of around $5, not everyone has that to spare, and some are unwilling to pay for a messenger when free alternatives like Signal, which offers superior security (more on that in a moment), exist. Threema argues that you’re always paying somewhere – if not with cash then with data (which is a sentiment I agree with) – but this can still be a hard pill to swallow for some. To make matters worse, Threema doesn't even offer a free trial period, further deterring potential users who otherwise might be willing to give it a shot.

More importantly, Threema’s security is not on par with Signal. Regarding this particular post I just shared, I want to make two notes. First, it’s nearly two years old at this point. I would hope Threema has fixed any serious issues by now. I did reach out to them asking about this post when I wrote last year's review, and they dismissed the criticisms as “valid but well-known and non-essential,” saying they were “based on misconception or not relevant in regards to Threema’s practical use case.” In other words, the people at Threema disagree that these are security vulnerabilities at all: either it's a misunderstanding of how Threema works, or it’s not within the scope of problems Threema is aimed at solving. That brings me to my second point: I personally have some issues with this post. I really don’t want to get into it too much and derail the review, but the short version is “I think it’s obvious the author went into this research with some kind of bias.” That’s not me trying to attack them, for the record. I know nothing about this author or the work they do, and I have no reason to suspect any of their claims are fabricated or invalid. I just think it's important to acknowledge bias whenever possible. Does this make Threema not worth using? Not in my opinion. But I do think it’s worth knowing the shortcomings of any messenger. Between the article itself and Threema’s rebuttal, I personally land on the belief that Threema’s security is probably fine for general, day-to-day talk with family and friends, but may not be appropriate for high-stakes scenarios.

Other downsides include low user adoption, potentially due to the aforementioned paywall and absence of a free trial. Threema also lacks some mainstream features, such as GIF and sticker support, and backing up chats can be challenging. Personally I'm not much of one for backups – I enjoy the fresh start of a new device every now and then – but for some people that's really important. Also, a lot of messengers now integrate with popular services – even Matrix can offer bridges to places like Slack, Discord, or Signal – but Threema remains pretty closed off. That can be yet another barrier to entry.

In the realm of more advanced but worthwhile considerations, Threema is centralized. While there are both pros and cons to centralization, I personally consider it overall more harmful than helpful, particularly because it increases the risk of outages and censorship. We've seen outages in particular become a problem for other messengers like Signal or WhatsApp (especially WhatsApp, which seems to go down every few months like clockwork). The aforementioned audit is also getting pretty old, having last been done in October 2020. At the time of publication, that’s nearly three years old. A lot can change in the digital landscape in just three years. And critically, Threema offers no form of multifactor authentication. The only thing standing between your account and an attacker who wishes to take over your account and pose as you is your password. We can only hope all their users are using good password practices and that Threema is storing those passwords with a strong hashing algorithm.

Finally, I want to make note of Threema's behavior as a company. It's not good. Threema has a strong history of getting defensive and downplaying criticisms, often in a highly unprofessional manner. Consider my earlier statement about how they downplayed Soatok's research as “non-essential” or this Mastodon post (my response here) with a highly hostile and unprofessional response to another research paper, or (as noted in my response) their misleading claims against Signal and the US CLOUD Act (which you can see here). Threema's responses to criticism are so bad that they even won a tongue-in-cheek “award” for “lamest vendor response.” I like Threema, I really do, but they need to shape up how they handle these kinds of criticisms or else their reputation (which honestly already has room for improvement) will only go downhill.

Conclusion

There are lots of options out there for encrypted messaging these days. Threema has long been a persistent – if under-recommended – option, but it’s got some features worth considering: usernames, audits, strong jurisdiction, and a user-friendly experience. Convincing friends and family to fork over the requisite $5 may be a challenge, but if they are willing to do so, Threema is certainly a viable choice for an encrypted messenger. If popular recommendations like Signal, Session, or Matrix don't suit your needs, Threema is worth checking out.

You can check out Threema here.
