Security

According to its developer, Threema uses 255-bit asymmetric elliptic curve cryptography (ECC), which is comparable in strength to 2048-bit RSA. From this key, a unique 256-bit symmetric key is derived for every single message that is sent, and the XSalsa20 stream cipher encrypts the message with it. The communication between the device and the server is also encrypted. A 128-bit message authentication code is appended to each message so that manipulations are detected, and a random amount of "cryptographic padding" is added to prevent inferences about, or changes to, the content of the message.
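As an added example (not Threema's own code), the following Python sketch shows the construction just described: a fresh 256-bit key per message derived from a long-term shared secret, a stream cipher, random-length padding, and a 128-bit tag that rejects any modified message. The shared secret, the key-derivation labels and the padding format are assumptions, and SHA-256 in counter mode stands in for XSalsa20, which the standard library lacks.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 24   # XSalsa20-sized nonce
MAC_LEN = 16     # 128-bit authentication tag, as the page describes

def derive_keys(shared_secret: bytes, nonce: bytes):
    # Assumed per-message derivation: a 256-bit cipher key and a separate MAC key, bound to the nonce.
    enc_key = hmac.new(shared_secret, b"enc" + nonce, hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac" + nonce, hashlib.sha256).digest()
    return enc_key, mac_key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for XSalsa20: SHA-256 in counter mode, for demonstration only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def pad(msg: bytes) -> bytes:
    # Random-length padding (1..255 bytes); last byte records the length (PKCS#7-style, assumed).
    n = secrets.randbelow(255) + 1
    return msg + bytes([n]) * n

def unpad(padded: bytes) -> bytes:
    n = padded[-1]
    if n == 0 or n > len(padded) or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(shared_secret, nonce)
    padded = pad(plaintext)
    body = bytes(p ^ k for p, k in zip(padded, keystream(enc_key, nonce, len(padded))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()[:MAC_LEN]
    return nonce + body + tag   # encrypt-then-MAC: tag covers nonce and ciphertext

def open_sealed(shared_secret: bytes, sealed: bytes) -> bytes:
    nonce, body, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-MAC_LEN], sealed[-MAC_LEN:]
    enc_key, mac_key = derive_keys(shared_secret, nonce)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("MAC mismatch: message was modified or wrong key")
    padded = bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))
    return unpad(padded)
```

Because the tag is checked before anything is decrypted, a flipped ciphertext byte or a wrong key is rejected without ever exposing padding or plaintext.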
Because Threema is a closed-source, proprietary application, it is not possible to verify whether the claimed encryption standards are actually used and correctly implemented. Nor can it be verified that the product is free of intentional or accidental security flaws. Attempting to reverse engineer the software is illegal.
However, the manufacturer offers interested parties a way to verify the encryption: the raw encrypted message can be written to a log file, and with the sender's public key and the recipient's private key the encryption can be checked by a program that is supplied in source code form.
On the first start of Threema, the user creates their own keys by moving a finger across the display. The phone can be linked to the user's phone number and e-mail address. Next to every contact, a verification level is shown as three dots. It indicates the degree of confidence that the stored public key really belongs to that contact; it is independent of the encryption strength. Without checking the public key, a man-in-the-middle attack cannot be ruled out.
- One dot colored (red): The ID and the public key were delivered by the server; there is no match with the address book, and the user cannot be sure that the contact is who they claim to be.
- Two dots colored (orange): The phone number or e-mail address of the contact was found in the address book, so the user can be fairly sure that the contact is who they claim to be.
- Three dots colored (green): The ID and the public key were checked by scanning the contact's QR code. Unless the device itself has been compromised, the user can be sure that the contact is who they claim to be.
Privacy

Threema offers the possibility to synchronize contacts. Instead of uploading the whole contact, the application sends a hash to the server to check whether a matching user is already in the address book. After this comparison the hashes are deleted. In addition, all messages are erased after their successful delivery; until then they are held only in RAM.
Download: https://play.google.com/store/apps/details?id=ch.threema.app