Threema: Alternative to WhatsApp with end-to-end encryption

Mobile messaging with a smartphone is quite popular these days. Services like WhatsApp, iMessage or even plain SMS deliver millions of messages each day. These services are often even used to deliver sensitive data or for corporate communications, without concern for the possible risks. These messages are stored by the service provider, they can be intercepted by a third party, and they are not protected at all, as they are usually sent without any encryption.

With Threema, a new player is entering the stage. With true end-to-end encryption, you can rest assured that messages are kept secure between the participants: only you and the intended recipient can read your messages. Using asymmetric cryptography, a message is encrypted on the sender's side with a public key and can only be decrypted on the receiving side using the corresponding private key. This guarantees that only the intended recipient can read the transmitted short message.

It's not complicated at all!

Upon initial startup of the app, each user generates a public/private key pair with a simple “finger swipe” on a code box. The public key is then stored along with an ID on a dedicated key server. When the first message is transmitted, the key/ID packets are exchanged between the contacts, which enables the (ECC-based) encryption.

If you want to be really sure that the key won't fall into the wrong hands, you can exchange the ID/key combination by QR code. If you scan the QR code with your smartphone, you can be sure about the identity of your contact, avoiding the possibility of a man-in-the-middle attack.

Verification levels are indicated by colored dots:

  • Level 1 (red): ID and public key are fetched from the server, as this is the first time a message is received from this contact (or the contact was added manually). As there is no corresponding address book entry (phone number/e-mail), there is no way to tell whether the person is really who they claim to be.
  • Level 2 (yellow): The phone number or e-mail address was found in the address book. As the server checks the identity of a sender by SMS or by e-mail with an activation link, you can be quite sure that the person is really the one you expect.
  • Level 3 (green): The public key of your contact was personally verified by you, by scanning the QR code. As long as the device is not stolen or hacked, it is not possible for a third party to read the messages from this person or to forge messages in her name.
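
The three levels and the QR check described above, as an added Python sketch (not Threema's code): the `ID,hex-key` QR payload format, the 32-byte key length and all names are assumptions for illustration. It shows why the scan rules out a substituted key: the key read from the contact's screen is compared with the one the key server delivered.

```python
import hmac
from dataclasses import dataclass
from enum import IntEnum

KEY_LEN = 32  # assumed public-key size in bytes (not stated on the page)

class Level(IntEnum):
    RED = 1     # key only fetched from the server
    YELLOW = 2  # phone number / e-mail matched the address book
    GREEN = 3   # key confirmed in person via QR code

class KeyMismatch(Exception):
    """Scanned key differs from the stored one: treat as a possible MITM."""

@dataclass
class Contact:
    contact_id: str
    server_key: bytes              # public key as delivered by the key server
    in_address_book: bool = False
    qr_verified: bool = False

    @property
    def level(self) -> Level:
        if self.qr_verified:
            return Level.GREEN
        return Level.YELLOW if self.in_address_book else Level.RED

def parse_qr(payload: str) -> tuple[str, bytes]:
    """Parse the hypothetical 'ID,hex-public-key' QR payload."""
    contact_id, sep, key_hex = payload.strip().partition(",")
    if not sep or not contact_id:
        raise ValueError("malformed QR payload")
    key = bytes.fromhex(key_hex)   # raises ValueError on non-hex input
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    return contact_id, key

def verify_by_qr(contact: Contact, payload: str) -> Level:
    """Promote to GREEN only if the scanned ID and key match the stored ones."""
    scanned_id, scanned_key = parse_qr(payload)
    if scanned_id != contact.contact_id:
        raise ValueError("QR code belongs to a different ID")
    if not hmac.compare_digest(scanned_key, contact.server_key):
        contact.qr_verified = False
        raise KeyMismatch(contact.contact_id)
    contact.qr_verified = True
    return contact.level
```

A `KeyMismatch` means the key stored for the contact is not the one on their device, so the contact stays below green until the discrepancy is resolved.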

More information can be found on the webpages of the Swiss manufacturer.

Conclusion: Just like with WhatsApp, it is possible to share your location, photos and videos with Threema. But this time they are encrypted and secure: nobody else can intercept or manipulate these messages, thanks to the end-to-end encryption. If you are interested, you can download the app for iOS and Android devices in the respective stores, or directly from the manufacturer, for a small fee.

8 thoughts on “Threema: Alternative to WhatsApp with end-to-end encryption”

  1. Do yourself a favour and stay away from Threema, Telegram, and most (not all) other self-proclaimed secure messengers. The author of this software didn’t make the source code public, so security experts won’t review if it’s vulnerable or not. However, there are still ways to find security holes, but these cost a lot of time and money – something civil security experts don’t have, but services like the NSA actually do have.
    What is more: Not everyone who is able to program is automatically a security expert. Especially the author Manuel Kasper isn’t really known for being one.

    Moxie Marlinspike, for example, is a well known security expert, and made a messenger called TextSecure. Another method is to use any Jabber client, and turn encryption on.

    The downside to every single one of those messengers (except for the Jabber clients), however, is the fact that you can’t inter-communicate with the others. So when a critical security hole is revealed in Threema, for example (and it will!), and you’re smart enough to deduce that you should switch your client, you can’t communicate with the ones who haven’t been that smart.

  2. While these alternatives are all great and free, the problem is getting my friends to install them.

  3. Hey there!
    David, you’re right. Secure messengers like Threema, Telegram, Sicher etc. work only in case you use it with your phone #. And your friends also have to use their phone #s in order to communicate with you, and vice versa. However, I believe it shouldn’t be considered “downside”, but one more security option.

    I personally have 4 messengers (incl. WhatsApp) installed on my Android. Certainly I don’t use them all, but I’ve tried each app in order to understand which one works best for me. I truly don’t like WhatsApp, Threema looks good for me, but Sicher takes the lead.
    Cheers!

  4. You may want to try Sicher (www.sicherapp.com), a new free Germany-based messenger available for iOS, Android and Windows Phone. Sicher has true end-to-end encryption of both text messages and file attachments. Though it’s not open source, it’s made by a well-known German company, the developer of IM+.

Comments are closed.