Mobile messaging with a smartphone is quite popular these days. Services like WhatsApp, iMessage or even plain SMS are delivering Millions of messages each day. These services are even often used to deliver sensible data or used in corporate communications, without worrying about the possible risks. These messages are stored by the service provider, they can be intercepted by a third party and they are not protected at all as they are usually sent without any encryption.
With Threema, there is a new player entering the stage. By true end-to-end encryption, one can rest assured that messages are kept secure between the participants: only you and the intended recipient can read your messages. Using asymmetric cryptography, a message is encoded on the transmitter side with a public key and can only be decoded back on the receiving side using a second private key. This guarantees that really only the intended recipient can read the transmitted short message.
It´s not complicated at all!
Upon initial startup of the app, each user generates a pair of a public and private key by a simple “finger wipe“ on a code box. The public key is then stored along with an ID to a dedicated keyserver. When transmitting the first message, the key / ID packets are exchanged between the contacts, which enables the (ECC-based) encryption.
If you want to be really sure, that the key won´t fall in the wrong hands, you can exchange the ID/Key combination by QR code. If you scan the QR Picture with your smartphone, you can be sure about the identity of your contact, avoiding the possibility of a man-in-the-middle-attack.
Verification levels are indicated by colored dots:
Level 1 (red): ID and public key are fetched from the server, as this is the first time a message is received from this contact (or the contact was added manually). As there is no corresponding adressbook entry (Phone-number/eMail), there is no possibility to tell if the person is really the one it pretends to be.
Level 2 (yellow): The phone number or eMail adress was found in the adressbook. As the server checks the identity of a sender by SMS or eMail with a activation-link, you can be quite sure, that the preson is really the one, you expect.
Level 3 (green): The public Key of your contact was personally verified by yourself, by scanning the QR code. As long as the device is not stolen/hacked, it is not possible for a third party to read the messages from this person or to forge messages in her name.
More information can be found on the webpages of the swiss manufacturer.
Conclusion: Just like WhatsApp, it is just possible to share location, Photos and Videos with Threema. But this time encrypted and secure – nobody else can intercept them or manipulate these messages, due to its end to end encryption. If you are into it, you can download this App for iOS-devices and Android devices in the respective stores – or directly by the manufacturer – for a small fee.
