Yes, they sent some source code for security review in 2015, but there is no guarantee that the binary you download is related to that source code at all.
Nowadays I'd expect a secure messaging app to not just be open source, but also have reproducible builds (checked by third parties). It would be nice to have Binary Transparency too, so that people can check that they are being offered the same binary as other users are getting.
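As an added worked example of the Binary Transparency check described above (this is not code from Threema, Mozilla, or any real log): an RFC 6962-style Merkle tree over release hashes, the audit path a log would hand out, and the check a client performs against a published root hash. The release bytes, the log contents and the assumption that the root is distributed out of band are all constructed for the example.

```python
"""Binary Transparency inclusion check (added example, not project code)."""
import hashlib
from typing import List, Tuple

LEAF_PREFIX = b"\x00"  # RFC 6962 domain separation: leaves ...
NODE_PREFIX = b"\x01"  # ... and interior nodes hash differently


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def largest_power_of_two_below(n: int) -> int:
    """k with k < n <= 2k, the split point RFC 6962 uses (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """Tree hash over already-hashed leaves."""
    if len(leaves) == 1:
        return leaves[0]
    k = largest_power_of_two_below(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


Proof = List[Tuple[str, bytes]]  # ("left" | "right", sibling hash), leaf to root


def inclusion_proof(leaves: List[bytes], index: int) -> Proof:
    """Audit path for leaves[index]; this is what the log server computes."""
    if len(leaves) == 1:
        return []
    k = largest_power_of_two_below(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("right", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("left", merkle_root(leaves[:k]))]


def verify_inclusion(leaf: bytes, proof: Proof, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (client side)."""
    h = leaf
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "right" else node_hash(sibling, h)
    return h == root


# Constructed "log": the vendor logs the SHA-256 of every release it ships.
RELEASES = [b"constructed release bytes %d" % i for i in range(5)]
LOG_ENTRIES = [hashlib.sha256(r).digest() for r in RELEASES]
LOG_LEAVES = [leaf_hash(e) for e in LOG_ENTRIES]
# Assumption: the root is published out of band (signed, gossiped), so every
# client compares against the same value and the log cannot show different
# trees to different users without being caught.
PUBLISHED_ROOT = merkle_root(LOG_LEAVES)


def log_prove(index: int) -> Proof:
    """What the log returns for 'prove that entry #index is in the tree'."""
    return inclusion_proof(LOG_LEAVES, index)


def client_verify(downloaded: bytes, index: int, proof: Proof, root: bytes) -> bool:
    """Hash what was actually downloaded and check that exactly that hash sits
    at entry #index of the log that everyone else can audit."""
    leaf = leaf_hash(hashlib.sha256(downloaded).digest())
    return verify_inclusion(leaf, proof, root)


if __name__ == "__main__":
    for i, binary in enumerate(RELEASES):
        print(i, client_verify(binary, i, log_prove(i), PUBLISHED_ROOT))
    tampered = RELEASES[3] + b"\x90"
    print("tampered:", client_verify(tampered, 3, log_prove(3), PUBLISHED_ROOT))
```

The point of the split into log_prove() and client_verify() is that the client never needs the whole log: a leaf, a short audit path and the shared root are enough, and a binary that is not in the log (a targeted build handed to one user) fails the check no matter how it was signed.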
However, I believe we found that Apple would alter the binary prior to release so we couldn't even guarantee the binary Apple was producing was ours. So it was not possible to allow users a way to validate even from the time of our closed-source build.
Alternatively, they can make it paid, shared source to allow inspections while simultaneously making money. If aiming for contributions to paid source (e.g. bug fixes or feature improvements), they can make the licenses irrevocable per version, with the OS-interfacing parts permissive, open source, with allowance to swap them out as desired. So, the old version could be updated legally for new platforms, giving, potentially, perpetual ROI. People wanting upgrades or security fixes have to buy the new version or maintain a subscription.
I mean, nothing would stop people from just doing that themselves with the source shared. I just figure lots of paying customers will stay paying customers switching for reasons having nothing to do with source license. They move for all kinds of non-security, non-philosophical reasons.
And this is a good explanation of Mozilla's plan for logging Binary Transparency results:
Of course, not being FOSS is a pity, a trade-off. But I believe their 'solid business' would be made impossible then. (Unless someone invests $50 million or so - but frankly I prefer the status quo).
Uhm... Would one be able to verify that? Threema is a swiss company, and Switzerland is known for their high standards in terms of privacy. Would it be possible to see who owns the shares of Threema the company?
In contrast, the silicon valley idea of a startup is "get as much investor money as you can get, grow your team quickly, become a unicorn, sell your company and cash out, rinse and repeat".
Both have their advantages and disadvantages, but especially for privacy focused products I prefer to get those from companies that finance themselves, and that don't have big VC investors which will want to see big ROI sooner or later. If the startup behind a free product I use is sold, then my user data is sold with the company. And usually financial interests stand above privacy considerations. (Obviously, otherwise the investors wouldn't invest.)
Money is power. Ideally your money comes from your users.
Are there any IMs that actually have these?
- Cryptography whitepaper: https://threema.ch/press-files/2_documentation/cryptography_... Covers the technical aspects.
- Transparency report: https://threema.ch/en/transparencyreport Covers the legal aspects.
- Reverse engineering of the protocol (33c3): https://media.ccc.de/v/33c3-8062-a_look_into_the_mobile_mess...
- Third party open source re-implementation of Threema for the desktop (Qt): https://openmittsu.de/
- Source code of the web application: https://github.com/threema-ch/threema-web/
- Protocol developed to enable trustless WebRTC signaling between app and browser: https://saltyrtc.org/
Obligatory disclaimer: I'm working for Threema as a developer.
I like that it doesn't need a phone number or email address to create an account, and thus offers a better degree of anonymity compared to other popular apps like Telegram, Wire, WhatsApp and Signal.
A few downsides I noticed are:
* It doesn't offer a desktop client (unlike say, Wire).
* Threema web uses the phone as a proxy and is not independent.
* Probably the worst thing, which is a weak point (in the users' eyes) that it shares with Wire, is that the chat data backups are not cross-platform. If you back up your chat on Android, you can only import it back on Android (and similarly for iOS). If you switch platforms, you can "export" your chats, but that cannot be imported to preserve continuity.
I'll still try it out to see how good it is, but I don't think this will get anywhere close to being my go to chat app anytime soon.
Because the backup must be automatic, in the background and reliable, it is limited to a small size, which means that chat contents aren't backed up. But everything else (contacts, groups, key verification levels, privacy settings etc.) is.
You can host your own backup server. The protocol is WebDAV compatible, alternatively you can use projects like this Rust based backup server that I wrote: https://github.com/dbrgn/sekursranko/
Chat contents not being backed up is practically useless for me, and I'd guess for many other common users. While security is important, convenience is more important. Allowing backup of chat content to iCloud or iTunes or the Google account would make this more attractive. I also don't think normal non-techie users would really (want to) understand what a Threema ID backup, Threema Safe, and all the other variations of managing data and keeping it alive over time are. I'd suggest that your team focus on simplifying this part.
Threema values convenience, but only if it's not in violation of your privacy.
As an example of this, the Threema Safe backups are anonymous. We don't know which backup file belongs to which user. This has some usability downsides, but the obvious huge upside that we don't know which backup file belongs to which user.
Another example: Your avatar is not stored on any server. Instead it's sent along with your messages if it changes. This has the usability downside that people won't immediately see your changed avatar if you don't exchange any messages. However, it has the advantage that we don't know what all our users look like (in case they use a picture of themselves as avatar).
As a service provider, user data becomes a liability. The less you have, the better :) In German, there's a word called "Datensparsamkeit" (data frugality) that describes this concept well.
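To illustrate the "we don't know which backup file belongs to which user" property from the comment above, here is an added example. It is not Threema Safe's actual scheme: the KDF parameters, the blob layout, the sample user ID and the toy stream cipher are assumptions made so that it runs on the Python standard library alone; a real deployment would use an AEAD (e.g. NaCl secretbox) in place of seal()/unseal(). The idea shown is that both the storage ID and the encryption key are derived on the device from the user's ID and password, so the server only ever sees an opaque identifier and an opaque blob.

```python
"""Anonymous password-derived backups (added illustration, not project code)."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumption: demo-sized cost parameters


def derive(user_id: str, password: str) -> Tuple[bytes, bytes]:
    """64 bytes of scrypt output: the first half becomes the opaque backup ID the
    server sees, the second half the encryption key that never leaves the device."""
    master = hashlib.scrypt(password.encode(), salt=user_id.encode(),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode PRF; an assumption for the demo, not a standard cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject any modification before decrypting."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("backup blob tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class BackupServer:
    """The provider's side: a blob store keyed by opaque ID. No user IDs are stored here."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}

    def put(self, backup_id: bytes, blob: bytes) -> None:
        self.store[backup_id.hex()] = blob

    def get(self, backup_id: bytes) -> Optional[bytes]:
        return self.store.get(backup_id.hex())


def back_up(server: BackupServer, user_id: str, password: str, data: dict) -> bytes:
    backup_id, key = derive(user_id, password)
    server.put(backup_id, seal(key, json.dumps(data, sort_keys=True).encode()))
    return backup_id


def restore(server: BackupServer, user_id: str, password: str) -> Optional[dict]:
    """A new device regenerates the same ID and key from the same two inputs;
    a wrong password yields a different ID, so nothing is even fetched."""
    backup_id, key = derive(user_id, password)
    blob = server.get(backup_id)
    return None if blob is None else json.loads(unseal(key, blob))


# Constructed sample: a user with the (assumed) ID "ABCD1234" backing up non-chat data.
SAMPLE = {"contacts": ["EFGH5678"], "groups": [], "verification": {"EFGH5678": 2}}

if __name__ == "__main__":
    srv = BackupServer()
    back_up(srv, "ABCD1234", "correct horse battery staple", SAMPLE)
    print("server sees:", list(srv.store))  # only opaque hex IDs
    print("restore on new device:", restore(srv, "ABCD1234", "correct horse battery staple"))
    print("wrong password:", restore(srv, "ABCD1234", "wrong"))
```

The usability cost the comment mentions falls out of the design: if the user forgets the password, the server cannot help, because it has no way to find the blob, let alone decrypt it.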
They got a significant boost in German press and downloads when Facebook bought WhatsApp which seems to have propelled them ever since.
What’s interesting about this is it shows that while the majority “don’t care about privacy” a significant minority do care - enough to allow a company to thrive.
That's a big disadvantage you have compared to Signal, Matrix and alternatives.
I'm not saying threema is unsuccessful. I am saying their justification for not providing end-to-end forward secrecy isn't really valid.
Threema looks smart, and what I think is missing from the material is what threats it addresses and how.
- protect the content of your messages from mass interception? (appears to, barring crypto errors)
- protect the anonymity of you and your correspondents from network operators and their staff and admins?
- protect your contacts and messages from reading and exfiltration by other apps on your phone?
- protect content of your messages from corporate mobile device management tools?
- protect anonymity of correspondents and contents of messages from targeted malware that has rooted or jailbroken the device? (probably not, but wickr's aliases can mitigate it somewhat)
- protect anonymity of you and your correspondents from captive portals? (+ message secrecy/integrity)
- protect message content and correspondent anonymity from thieves/attackers/co-workers with phone imaging forensic tools?
- protect group membership from infiltration using unauthorized, stolen, or cloned app memory images?
This isn't a complete threat model (I generate these for a living), but having short answers to these would go a long way to making a case for a secure messaging product.
Backdoors introduced by law, as far as I've gotten into it. I no longer can recommend it.
More information can be found in the transparency report: https://threema.ch/en/transparencyreport
(Disclaimer: Threema dev)
After all, https://openmittsu.de/ is a thing. (Note that the developer of OpenMittsu does not offer the option of generating an identity in the software itself, instead you generate an identity on your phone and then transfer it to OpenMittsu through an ID backup.)
(Edit: Almost forgot: The "Threema Web protocol" has also been officially documented: https://threema-ch.github.io/app-remote-protocol/ I would love to see alternative clients that implement it, to allow using your Threema app from other platforms.)
People do pay for apps (and software in general), so ultimately, it's a matter of perceived value vs. cost.
Given (at least) the relatively low cost (between 3 and 4 USD) and the media pressure about messaging security, in cultures/countries that are more privacy-concerned, Threema does have a market.
Anyway, already have plenty of people on board Signal, who have been waiting for years for the ability to send photos (plural); that is eliminating everything else, making Signal just an SMS app next to the default WhatsApp.
The iOS integration is still in Beta, but will be released soon. Windows Phone will also support this.
Even Wire doesn't allow cross platform data backup and restore.
On the upside, I like that they have a business model ("Threema Work") and features that can make it viable for business use, though being European I don't know if they've bothered with anything related to HIPAA and I wouldn't expect them to support BAAs if required.
At the time there wasn't much out there, and nothing run by Facebook was even going to pass the initial sniff test as an option.
The downside is that you get no alerts when someone responded, but I like it. I check on my own time.
Oh, and of course the open source Go library https://github.com/o3ma/o3
Bought Threema a few years ago. I've got only two people who actually use it and I really prefer Signal, but I like some design decisions Threema made :) (for instance the verification + verification indication)
Oh yeah, and OpenMittsu was OK, but last time I tried it I could only use this or my phone, so not really useful...
Also, I assume I have to trust the company, which is sadly normal in these cases. I can't run a server on my own?
Edit: Not using phone numbers also comes at an additional usability cost - you need to back up your ID and key information in order to be able to transfer it to a new device. If you don't do that, and if your existing phone dies, you need a new identity.
And in their FAQ you can find that you can use a phone number if you want, exactly for the described purposes.
But as someone who was living in a country where you can't trust your government, I can't trust messengers where a phone number is a requirement.
If the existing user is still logged in to the Signal account with the old number, you're effectively locked out. Otherwise, you'll be able to claim the number after a week.
You don’t get to know who the previous person was messaging, see their contact list or have access to any of their messages. But if they message you thinking it’s still the previous person and ignore the ‘safety number’ warning, you could potentially impersonate them.
which apps detect that case and give a safety warning?
The last section of that post specifically talks about the notification shown after a reinstall (i.e., safety number change)
Also interesting is what they write about the perception of fingerprints. I agree with their assessment and conclusion that using the term fingerprint may confuse people because they think fingerprints should be secret. But I feel that the real problem is the public perception of what a fingerprint is. We are leaving fingerprints all over the place, so they are something very, very public, and not at all secret, and thus the analogy between a crypto fingerprint and a real fingerprint is much better than what public opinion would have us believe.
In saying that, the previous behaviour can be restored (for you) but you can't force it onto users who are communicating with you.
Assuming that she ignores the change, the failure would be noticed when Bob sends another message to Alice, as now the fingerprint would change back to Bob's, marking Ted's as coming from a different identity. This would be detectable in the client.
Unclear is how Ted got into Bob's account if Bob changed the phone number. I am assuming that shouldn't even be possible, so I believe we can in fact ignore this threat.
It looks different, though, if Bob can not reactivate his old account, in which case Alice will connect to Bob's new account, and hopefully disconnect the old one.
If Ted gets the number and reactivates Bob's old account:
Then if Alice did disconnect, she would notice a reconnect attempt from a new ID and treat it like any new connect. If the connect verification doesn't involve the sender's phone number, then having Bob's old number doesn't give Ted any advantage.
If Alice did not disconnect the old account, she will notice the account being reactivated, and now have two Bobs talking to her, raising suspicion.
So it appears the only threat is coming from the case where Bob loses his number and does not reconnect to Alice with a new number, so Alice is unaware that Bob changed his number.
This can happen if Bob and Alice communicate rarely...
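The Alice/Bob/Ted cases discussed above, as an added example of the client-side check (this is not Signal's, Threema's or any app's real client code). Identity keys are random 32-byte stand-ins, the phone numbers are constructed, and the conversation fingerprint is simply a hash of both parties' identity keys; all of that is an assumption for the example. The client keys its trust on the identity key, not the number, which is exactly why Ted gets no advantage from holding Bob's old number.

```python
"""Safety number (fingerprint) change detection (added example, not project code)."""
import hashlib
import os
from typing import Dict, List, Set, Tuple


def safety_number(identity_a: bytes, identity_b: bytes) -> str:
    """Order-independent fingerprint of a conversation (assumed construction)."""
    lo, hi = sorted([identity_a, identity_b])
    return hashlib.sha256(lo + hi).hexdigest()[:32]


class Client:
    def __init__(self, name: str) -> None:
        self.name = name
        self.identity = os.urandom(32)           # stand-in for an identity public key
        self.by_number: Dict[str, str] = {}      # number -> last fingerprint seen
        self.by_identity: Dict[bytes, str] = {}  # identity key -> number last seen
        self.verified: Set[str] = set()          # numbers whose fingerprint was checked out of band
        self.log: List[Tuple[str, str]] = []

    def verify(self, number: str) -> None:
        """Alice compared the fingerprint with Bob in person."""
        self.verified.add(number)

    def receive(self, number: str, sender_identity: bytes) -> str:
        """Compare the key behind a number with what was stored for that number."""
        fp = safety_number(self.identity, sender_identity)
        previous = self.by_number.get(number)
        if previous is None:
            # Never seen this number, but an already known key may simply have moved numbers.
            if sender_identity in self.by_identity:
                status = "known identity now using " + number
            else:
                status = "new contact"
        elif previous != fp:
            # Same number, different key: a reinstall, a new owner of the number, or an attacker.
            status = "SAFETY NUMBER CHANGED"
            if number in self.verified:
                status += " (was verified)"
                self.verified.discard(number)
        else:
            status = "ok"
        self.by_number[number] = fp
        self.by_identity[sender_identity] = number
        self.log.append((number, status))
        return status


def scenario() -> List[str]:
    """Bob loses +41790000001, Ted gets the number and registers; later Bob resurfaces."""
    alice, bob, ted = Client("alice"), Client("bob"), Client("ted")
    old_number, new_number = "+41790000001", "+41790000002"  # constructed numbers
    events = [alice.receive(old_number, bob.identity)]      # first contact
    alice.verify(old_number)                                # fingerprint checked in person
    events.append(alice.receive(old_number, bob.identity))  # routine message
    events.append(alice.receive(old_number, ted.identity))  # Ted, on Bob's old number
    events.append(alice.receive(old_number, bob.identity))  # key flips back: flagged again
    events.append(alice.receive(new_number, bob.identity))  # Bob's known key, new number
    return events


if __name__ == "__main__":
    for event in scenario():
        print(event)
```

The remaining gap is the one the comment ends on: if Bob never writes to Alice again from any number, Ted's first message is the only signal, and a user who dismisses that one warning is on their own.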
For the past couple years here in the US, scammers have been calling with stolen numbers that match your prefix more than a random caller probably would. So for ABC-DEF-GHIJ all of ABC-DEF matching is a pretty good sign it's a spammer if you live in a large metropolitan area. Unfortunately it makes them nearly impossible to track back, because when you call the number back, it's some random private number that didn't even make the call and has no idea what you're talking about. I've had a couple very angry people call me and yell to stop trying to sell them credit cards.
> That doesn't affect 2FA
You can use the same techniques to say "I am 555-111-2222, route all sms for that number to me".
> that won't show up as "me" on my friends' phone screens when they call
They absolutely can do that.
It's not that they bought numbers in each of the prefixes, it's that they're forging the signaling information for another number in your prefix dynamically, based on your number.
As for practice: one Telegram user was compromised using his phone number, because the Russian government simply ordered the mobile operator to do this. It was much simpler than copying a SIM card :)
Or is there a way to copy a SIM card remotely???
As for a state-level adversary, I get it. I'm even less concerned there :)
This is already "practical" if you have a capable enough adversary; for example, there have been reports of attackers subverting SMS-based 2FA.
This could be based on cooperation of the carrier, or perhaps SS7 attacks, or IMSI catchers.