Threema – Seriously secure messaging (threema.ch)
104 points by octosphere on Jan 6, 2019 | 92 comments

Here's the obligatory reference to the source code not being fully open:


Yes, they sent some source code for security review in 2015, but there is no guarantee that the binary you download is related to that source code at all.

Nowadays I'd expect a secure messaging app to not just be open source, but also have reproducible builds (checked by third parties). It would be nice to have Binary Transparency too, so that people can check that they are being offered the same binary as other users are getting.

Binary transparency would be nice to see even with Signal. A notification is sent from one client to the next encrypted if either party is not up to date sent to both parties in the convo, and another if their apps are not properly sourced. Since these notifications would be sent end to end encrypted only both parties should in theory know. Then if the feature ever got removed... It would be a canary of its own. Could be applied to any other app that attempts to do end to end encryption.

With Gliph for iOS, we tried binary transparency by trying to track a hash of the app binary after building. The idea is we'd publish the hash with each version increment or include the hash in the description of the updates.

However, I believe we found that Apple would alter the binary prior to release so we couldn't even guarantee the binary Apple was producing was ours. So it was not possible to allow users a way to validate even from the time of our closed-source build.

If this is important to you I’d suggest filing a bug report. Apple is very sensitive to privacy needs and such a need is likely not on the radar.

"Nowadays I'd expect a secure messaging app to not just be open source, but also have reproducible builds (checked by third parties). "

Alternatively, they can make it paid, shared source to allow inspections while simultaneously making money. If aiming for contributions to paid source (eg bug fixes or feature improvements), they can make the licenses irrevocable per version with the OS interfacing parts permissive, open source with allowance to swap them out as desired. So, the old version could be updated legally for new platforms giving potentially, perpetual ROI. People wanting upgrades or security fixes have to buy the new version or maintain a subscription.

I mean, nothing would stop people from just doing that themselves with the source shared. I just figure lots of paying customers will stay paying customers switching for reasons having nothing to do with source license. They move for all kinds of non-security, non-philosophical reasons.

Are there best-practices public platforms for generating and/or verifying reproducible builds? I'm not aware of this as a feature with GitHub or similar.

There is some documentation about the cross-distro effort to produce reproducible package builds here:


and this is a good explanation about Mozilla's plan for logging Binary Transparency results:


At this time, their 'No Ads, No Investors, No Conflicts of Interest' phrase (and a very polished product which even runs great on my Jolla), is more important for me than source.

Of course, not being FOSS is a pity, a trade-off. But I believe their 'solid business' would be made impossible then. (Unless someone invests $50 million or so - but frankly I prefer the status quo).

Yes, this was one of the points that won me over when looking to migrate from WhatsApp. Another winning point: it’s not tied to your phone number. So far it’s working great and I brought a kernel of friends with me.

> No Investors

Uhm... Would one be able to verify that? Threema is a Swiss company, and Switzerland is known for their high standards in terms of privacy. Would it be possible to see who owns the shares of Threema the company?

There are no shares. It is a GmbH, which means a group of people (1-x, persons or other legal identities) owns the company... There should be public records of owners you can follow. Understanding German and Swiss law is probably helpful.

The startup scene in Switzerland is quite different from silicon valley. There are still a lot of "classic small company" startups that start with a business idea, try to become self-financed as soon as possible and then slowly build upon that. It's a very sustainable model, you add more people once you can pay them, and most people that fund a company like that are in it for the long term.

In contrast, the silicon valley idea of a startup is "get as much investor money as you can get, grow your team quickly, become a unicorn, sell your company and cash out, rinse and repeat".

Both have their advantages and disadvantages, but especially for privacy focused products I prefer to get those from companies that finance themselves, and that don't have big VC investors which will want to see big ROI sooner or later. If the startup behind a free product I use is sold, then my user data is sold with the company. And usually financial interests stand above privacy considerations. (Obviously, otherwise the investors wouldn't invest.)

Money is power. Ideally your money comes from your users.

Those public records are the Commercial Register: https://sz.chregister.ch/cr-portal/auszug/auszug.xhtml?uid=C...

Hey, thank you for your reply. My post wasn't meant to provoke or to imply anything, it really was an honest question.

> reproducible builds

Are there any IMs that actually have these?

Since they haven't come up yet, and since the website obviously contains primarily marketing content, here are a few relevant links that might be of interest to the HN crowd:

- Cryptography whitepaper: https://threema.ch/press-files/2_documentation/cryptography_... Covers the technical aspects.

- Transparency report: https://threema.ch/en/transparencyreport Covers the legal aspects.

- Reverse engineering of the protocol (33c3): https://media.ccc.de/v/33c3-8062-a_look_into_the_mobile_mess...

- Third party open source re-implementation of Threema for the desktop (Qt): https://openmittsu.de/

- Source code of the web application: https://github.com/threema-ch/threema-web/

- Protocol developed to enable trustless WebRTC signaling between app and browser: https://saltyrtc.org/

Obligatory disclaimer: I'm working for Threema as a developer.

My personal experience with Threema seems to differ from the general view on it: We use Threema for private communication within my team at work. I am the group admin. When my iPhone broke two years ago I had to do a full backup, because there is no other way on iOS to move to another phone with Threema. This has not changed since then, because I had the same issue when I upgraded to a new phone 2 months ago. It was not even possible to assign an additional admin nor to pass my permissions. A colleague had to clone the group (at least there is a function for that). Of course I still get push notifications for the old group- even though there is no way to join it from my new phone. The only thing that I like about it is the integrated poll feature.

I believe this is going to be fixed with Threema Safe: https://threema.ch/en/blog/posts/threema-safe-en. It is already rolled out for Android and iOS should be soon according to the blog.

HighSide is an alternative which doesn't suffer those problems- it lets you move your account to a different device by typing your 14 word "import key" on your new device similar to how some Bitcoin wallets work. The two devices sync from then on.

I haven't looked at Threema for a few years now. So I checked the website and browsed through the FAQs.

I like that it doesn't need a phone number or email address to create an account, and thus offers a better degree of anonymity compared to other popular apps like Telegram, Wire, WhatsApp and Signal.

A few downsides I noticed are:

* It doesn't offer a desktop client (unlike say, Wire).

* Threema web uses the phone as a proxy and is not independent.

* Probably the worst thing, which is a weak point (in the users' eyes) that it shares with Wire, is that the chat data backups are not cross platform. If you backup your chat on Android, you can only import it back on Android (and similarly for iOS). [1] If you switch platforms, you can "export" your chats, but that cannot be imported to preserve continuity.

I'll still try it out to see how good it is, but I don't think this will get anywhere close to being my go to chat app anytime soon.

[1]: https://threema.ch/en/faq/data_backup

Since December there's a new cross-platform server based backup: https://threema.ch/en/blog/posts/threema-safe-en The design is documented in the crypto whitepaper: https://threema.ch/press-files/2_documentation/cryptography_...

Because the backup must be automatic, in the background and reliable, it is limited to a small size, which means that chat contents aren't backed up. But everything else (contacts, groups, key verification levels, privacy settings etc) are.

You can host your own backup server. The protocol is WebDAV compatible, alternatively you can use projects like this Rust based backup server that I wrote: https://github.com/dbrgn/sekursranko/

> Because the backup must be automatic, in the background and reliable, it is limited to a small size, which means that chat contents aren't backed up. But everything else (contacts, groups, key verification levels, privacy settings etc) are.

Chat contents not being backed up is practically useless for me, and I'd guess for many other common users. While security is important, convenience is more important. Allowing backup of chat content to iCloud or iTunes or the Google account would make this more attractive. I also don't think normal non-techie users would really (want to understand) what's a Threema ID backup, Threema Safe, and all the other variations of managing data and keeping it alive over time. I'd suggest that your team focus on simplifying this part.

If convenience is more important than privacy, then by all means, use WhatsApp! It backs up your data unencrypted to the Google cloud. Or use Telegram. It backs up your conversations to Telegram servers, where Telegram can read them. Convenient, yes.

Threema values convenience, but only if it's not in violation of your privacy.

As an example of this, the Threema Safe backups are anonymous. We don't know which backup file belongs to which user. This has some usability downsides, but the obvious huge upside that we don't know which backup file belongs to which user.

Another example: Your avatar is not stored on any server. Instead it's sent along with your messages if it changes. This has the usability downside that people won't immediately see your changed avatar if you don't exchange any messages. However, it has the advantage that we don't know what all our users look like (in case they use a picture of themselves as avatar).

As a service provider, user data becomes a liability. The less you have, the better :) In German, there's a word called "Datensparsamkeit" (data frugality) that describes this concept well.

Not available for iOS, though.

Already in beta, will probably be released in the coming days.

I think Wire is my favorite out of all of them since they are properly open sourced and like you said don't require a phone number or email. You can also nuke all your messages and your account. Sadly it lacks many people having heard of it.

Threema is “big” in German speaking countries - they’re usually high up the paid app charts in Germany, Austria and Switzerland and may have reached a level where (social) network effects are working in their favor.

They got a significant boost in German press and downloads when Facebook bought WhatsApp which seems to have propelled them ever since.

What’s interesting about this is it shows that while the majority “don’t care about privacy” a significant minority do care - enough to allow a company to thrive.

Being "Swiss made" does not make me trust you more if you are proprietary. Privacy and proprietary software are mutually exclusive.

That's a big disadvantage you have in front of Signal, Matrix and alternatives.

Have they fixed their forward security yet? Being "forward secure on the https layer" doesn't really cut it in this day and age. If I delete messages on my phone I don't want any messages retained on the server to be easily decrypted if someone gets my key. It is a rather simple trust issue.

It does not seem so according to their whitepaper, which I downloaded today. Unless this is out of date. They also describe the prekey mechanism used in Signal, WhatsApp, Wire etc as experimental and unreliable, which is an interesting assertion to make given the success of the protocol underpinning these clients.

Not that I know enough about crypto to make an authoritative statement but generally speaking, more often than not, if something's successful it primarily means it's accessible and easy to use, rather than being robust and secure. (That is not to say that that's mutually exclusive.)

I don't quite understand what you're replying to. The experimental and unreliable scheme they describe is used by WhatsApp, who have probably an order of magnitude or two more daily users.

I'm not saying threema is unsuccessful. I am saying their justification for not providing end-to-end forward secrecy isn't really valid.

While I use Signal and am a proponent of secure messaging in general, it would be valuable to discuss the threat models for different messengers and privacy techs.

Threema looks smart, and what I think is missing from the material is what threats it addresses and how.

Does it:

- protect the content of your messages from mass interception? (appears to, barring crypto errors)

- protect the anonymity of you and your correspondents from network operators and their staff and admins?

- protect your contacts and messages from reading and exfiltration by other apps on your phone?

- protect content of your messages from corporate mobile device management tools?

- protect anonymity of correspondents and contents of messages from targeted malware that has rooted or jailbroken the device? (probably not, but wickr's aliases can mitigate it somewhat)

- protect anonymity of you and your correspondents from captive portals? (+ message secrecy/integrity)

- protect message content and correspondent anonymity from thieves/attackers/co-workers with phone imaging forensic tools?

- protect group membership from infiltration using unauthorized, stolen, or cloned app memory images?

This isn't a complete threat model (I generate these for a living), but having short answers to these would go a long way to making a case for a secure messaging product.

Used to be a fan of Threema until they were subjected to the revised Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic in or around 2016.

Backdoors introduced by law, as far as I've gotten into it. I no longer can recommend it.

Even under the revised BÜPF, the government has no power to ask for backdoors. They can only ask for data that is already stored (which is very little metadata in the case of Threema, since collecting as little data as technically possible is the guiding principle for Threema).

More information can be found in the transparency report: https://threema.ch/en/transparencyreport

(Disclaimer: Threema dev)

Since you outed yourself: does your company have an official stance on 3rd party clients?

I can't give you any official answer (I'm here privately and don't speak for the company), but the terms of use of Threema don't disallow reverse engineering. As long as third party clients don't actively undermine the business model or trademarks, this shouldn't be a problem. In doubt, just send an e-mail to info@.

After all, https://openmittsu.de/ is a thing. (Note that the developer of OpenMittsu does not offer the option of generating an identity in the software itself, instead you generate an identity on your phone and then transfer it to OpenMittsu through an ID backup.)

(Edit: Almost forgot: The "Threema Web protocol" has also been officially documented: https://threema-ch.github.io/app-remote-protocol/ I would love to see alternative clients that implement it, to allow using your Threema app from other platforms.)

I don't like that the source code is not fully open so I prefer Signal. I think the only thing holding Signal back is a proper UI. I use it with few people but for most people it's just unusable.

Unusable in what way? My mom is using it just fine, sending pics, doing encrypted voice, etc. Are you referring to some more advanced features?

I'll never talk my friend and vendors into paying up front for an app, and that is why this isn't likely to succeed. You need to change the purchase model - perhaps allow an individual to buy several licenses they can distribute with one charge.

It is actually popular in some countries.

People do pay for apps (and software in general), so ultimately, it's a matter of perceived value vs. cost.

Given (at least) the relatively low cost (between 3 and 4 USD) and the mediatic pressure about messaging security, in cultures/countries that are more privacy-concerned, Threema does have a market.

Paid apps indicate a more sustainable business model than venture capital. As developer, you are only obliged to your customers, which in this case are the users, not the investors. Threema has no external investors.

You can buy as many (distributable) licenses as you want in the Threema shop and will get a self-updating APK download: https://shop.threema.ch Unfortunately only for Android, because Apple doesn't really like it if you circumvent their app store...

i would go old WhatsApp way, let people use it first year for free which it's plenty of time for social networking effect to work and decide if it's worth few bucks after year or close account (though it could be abused without linking to phone number or email), but for sure ain't gonna pay upfront for deserted app, switching friends/family over takes time...

anyway already have plenty people on board Signal, waiting for years for ability to send photos (plural) which it's eliminating everything else making signal just SMS app next to default WhatsApp

I solved that by offering to reimburse them. So far I haven’t been asked for money.

Threema is a nightmare, if you switch from iOS to Android or vice-versa there is literally no way to migrate your data, and this fact is extremely obfuscated by the help docs which mention "export" but surprise! There's no importer. Its push notifications are extremely annoying as well, either just not working at all, or notifying for every message in a huge group. Use Signal instead.

As already mentioned in another comment, since December there's a new cross-platform server based backup that will allow you to transfer your ID, settings, contacts and groups to other devices: https://threema.ch/en/blog/posts/threema-safe-en The design is documented in the crypto whitepaper: https://threema.ch/press-files/2_documentation/cryptography_... You can also host your own backup server.

The iOS integration is still in Beta, but will be released soon. Windows Phone will also support this.

But no actual content. Normal people don't care about this nonsense, they just want to talk to their friends, and I get to explain to them why the only way they can read their old messages is via a zip file full of TXT documents.

People that don't care about this just use WhatsApp, Facebook Messenger, etc. They are well served, so not sure what exactly are you complaining about.

They don't though. They get lured in by news of the "NSA spying on them", install this app, and later find out all of the caveats after they're committed and end up losing data. It sucks.

At least Threema allows manually backing up and restoring the data on the same platform. Signal doesn't even allow backing up your conversations on iOS. Signal is coded to actively block backing up the data to iTunes or iCloud! Your chats are all gone the moment you move to a newer device (be it Android or iOS). If keeping conversations over time and having continuity is important, Signal is the last platform in this world you should be looking at.

Even Wire doesn't allow cross platform data backup and restore.

That's unfortunate; on Android you can restore your messages in Signal.

I love this. It's how such apps should work (pay directly, get what you expect). Fortunately the vast majority of people I interact with think everything should be free, don't care about or know about online privacy and couldn't care less about getting an ad shoved in their face from time to time.

Last I heard Threema was kind of third-place option behind Signal and WhatsApp, at least in terms of use in English-speaking countries. I had the impression it was significantly more popular in Germany, but I don't know anyone in my circles using it.

On the upside, I like that they have a business model ("Threema Work") and features that can make it viable for business use, though being European I don't know if they've bothered with anything related to HIPAA and I wouldn't expect them to support BAAs if required.

Huh? WhatsApp is by far the biggest, with Telegram trailing a distant second place, and other messengers even further behind. There is a case for counting Facebook Messenger as second place, but afaik the only reason most people even use it (and they do it begrudgingly) is because Facebook forces them by excluding messaging from the main app.

I phrased it badly, and I have a slightly odd niche - when I last looked at this a few years ago I was trying to find ways to get doctors to stop sending group SMS messages between themselves for patient handoffs.

At the time there wasn't much out there, and nothing run by Facebook was even going to pass the initial sniff test as an option.

You can use a third party Facebook app like Material or Tinfoil Hat that has messaging built in by simulating an old web browser. It's a little clunky but it at least isn't always running and has no access to your address book or contacts.

The downside that you get no alerts someone responded but I like it. I check on my own time.

https://media.ccc.de/v/33c3-8062-a_look_into_the_mobile_mess... For everyone interested in the protocol itself.

Oh and of course the open source go library https://github.com/o3ma/o3

Bought Threema a few years ago. I got only two people that actually use it and I really prefer Signal, but I like some design decisions Threema made :) (for instance the verification + verification indication)

Oh yeah and openmittsu was ok, but last time I tried it I could only use this or my phone, so not really useful.... https://github.com/blizzard4591/openMittsu

If you are currently using an Instant Messenger like WhatsApp, Viber, LINE, Telegram or Threema, you should pick an alternative here.


It's proprietary.

It says "full anonymity" but only mentions an ID. So an ISP can tell I'm using it and what time as opposed to Tor or something which obfuscates the network of whatever messenger? Surely on digital networks we've come to a better definition of "full anonymity".

Also, I assume I have to trust the company, which is sadly normal in these cases. I can't run a server on my own?

Should add the line, “As secure as we proclaim.”

Eight digits of ID space isn't that many. What stops someone from just registering all of them?

Edit: Not using phone numbers also comes at an additional usability cost - you need to back up your ID and key information in order to be able to transfer it to a new device. If you don't do that, and if your existing phone dies, you need a new identity.

I'm so happy to see messenger without fucking phone number requirement. If you think your phone number can't be stolen - you don't know real things.

And in their FAQ you can find you can use phone number if you want, exactly for described purposes.

But as someone who was living in country where you can't trust your government, I can't trust messengers where phone number is a requirement.

Signal does at least allow you to require a pin which must be known in order to re-register your phone number. Does this mitigate your concern about phone numbers being stolen?


What if I get a new number whose previous owner had registered it with Signal?

The lock expires after 7 days of inactivity.

If the existing user is still logged in to the Signal account with the old number, you're effectively locked out. Otherwise, you'll be able to claim the number after a week.

and take over their account?

The number is yours at that point, think of it as creating a new account with that old number.

You don’t get to know who the previous person was messaging, see their contact list or have access to any of their messages. But if they message you thinking it’s still the previous person and ignore the ‘safety number’ warning, you could potentially impersonate them.

the latter is what i was thinking of.

which apps detect that case and give a safety warning?

Signal does this. It’s explained in detail at https://www.signal.org/blog/safety-number-updates/.

The last section of that post specifically talks about the notification shown after a reinstall (i.e., safety number change)

ok, so that's like the change of an ssh-key. i feel it's too easily ignored, yet at the same time i have no better idea how to make this more safe without being annoying. it's at least better than nothing.

also interesting what they write about the perception of finger-prints. i agree with their assessment and conclusion that using the term finger-print may confuse people because they think finger-prints should be secret. but i feel that the real problem is the public perception of what a finger-print is. we are leaving finger-prints all over the place, so they are something very very public, and not at all secret, and thus the analogy of a crypto-finger-print and a real finger-print is much better than what public opinion would have us believe.

Yeah, I agree. The older versions would pop up a warning and force you to acknowledge it, but it felt like something that would have driven away casual users who maybe didn't understand or care about the implications.

In saying that, the previous behaviour can be restored (for you) but you can't force it onto users who are communicating with you.

what is the actual threat here? if bob loses his number either he is able to somehow change the number on his account before that happens, in which case alice will get a fingerprint change once, and then when the old number is reactivated by ted and he manages to break into bobs account and then sends a message to alice, then alice would get another finger-print change from bobs account.

assuming that she ignores the change, the failure would be noticed when bob sends another message to alice as now the finger-print would change back to bobs, marking teds as coming from a different identity. this would be detectable in the client.

unclear is how did ted get into bobs account? if bob changed the phone number. i am assuming that shouldn't even be possible, so i believe we can in fact ignore this threat.

it looks different though if bob can not reactivate his old account, in which case alice will connect to bobs new account, and hopefully disconnect the old one.

if ted gets the number and reactivates bobs old account then if alice did disconnect, she would notice a reconnect attempt from a new id and treat it like any new connect. if the connect verification doesn't involve the senders phone number then having bobs old number doesn't give ted any advantage.

if alice did not disconnect the old account, she will notice the account being reactivated, and now have two bobs talking to her, raising suspicion.

so it appears the only threat is coming from the case where bob loses his number and does not reconnect to alice with a new number. so alice is unaware that bob changed his number.

this can happen if bob and alice communicate rarely...
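A simplified model of the client-side check this subthread is discussing, added here as an example and not part of any comment or of Signal's code: a contact store pins the identity key first seen for a number and reports when a later message arrives under a different key. The `PinStore` class, the hashed stand-in keys and the phone number are all constructed for illustration; `require_ack=True` models the older blocking prompt mentioned above.

```python
import hashlib


def demo_key(label: str) -> bytes:
    """Constructed stand-in for a public identity key (not real key material)."""
    return hashlib.sha256(label.encode()).digest()


def safety_number(own_key: bytes, peer_key: bytes) -> str:
    """Order-independent fingerprint over both identity keys.

    Simplification: a truncated SHA-256 over the sorted keys, so both
    parties compute the same value and any key change alters it.
    """
    digest = hashlib.sha256(b"".join(sorted((own_key, peer_key)))).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 20, 5))


class PinStore:
    """Trust-on-first-use store: phone number -> identity key last accepted."""

    def __init__(self, own_key: bytes, require_ack: bool = False):
        self.own_key = own_key
        self.require_ack = require_ack
        self.pinned = {}     # number -> accepted identity key
        self.pending = {}    # number -> new key awaiting acknowledgement
        self.verified = set()  # numbers compared out of band

    def mark_verified(self, number: str) -> None:
        if number not in self.pinned:
            raise KeyError(f"no pinned key for {number}")
        self.verified.add(number)

    def on_message(self, number: str, sender_key: bytes) -> str:
        known = self.pinned.get(number)
        if known is None:
            self.pinned[number] = sender_key
            return "first_contact"
        if known == sender_key:
            return "ok"
        if self.require_ack:
            # Blocking mode: keep the old pin until the user confirms.
            self.pending[number] = sender_key
            return "blocked_until_acknowledged"
        # Advisory mode: accept the new key, but drop the verified mark.
        self.pinned[number] = sender_key
        self.verified.discard(number)
        return "key_changed"

    def acknowledge(self, number: str) -> None:
        """User accepts the pending key; verification must be redone."""
        self.pinned[number] = self.pending.pop(number)
        self.verified.discard(number)


def run_scenario(require_ack: bool):
    """Bob's number is reassigned to Ted; Alice receives from both keys."""
    number = "+15550100"  # constructed sample number
    bob, ted = demo_key("bob"), demo_key("ted")
    alice = PinStore(demo_key("alice"), require_ack=require_ack)

    events = [alice.on_message(number, bob)]     # first message from Bob
    alice.mark_verified(number)                  # compared in person
    events.append(alice.on_message(number, bob))  # same key again
    events.append(alice.on_message(number, ted))  # number now held by Ted
    events.append(alice.on_message(number, bob))  # Bob's old key reappears
    return events, number in alice.verified


if __name__ == "__main__":
    for mode in (False, True):
        print("require_ack =", mode, run_scenario(mode))
```

In advisory mode the store reports a change twice, once when the new key appears and again when the old key comes back, and the verified mark is lost at the first change; in blocking mode the new key is never accepted without acknowledgement, so the original pin and its verified mark survive.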

Guess you better contact the Signal team in that case.

This is interesting, how exactly can a phone number be "stolen"? I mean a practical reality. I'm in Poland, have had the same number for >10 years with several carriers in a row, contract-based. How can anyone "steal" it / take it over?

SS7 is horribly secured, and you can pretty easily forge that signaling information.

For the past couple years here in the US, scammers have been calling with stolen numbers that match your prefix more than a random caller probably would. So for ABC-DEF-GHIJ all of ABC-DEF matching is a pretty good sign it's a spammer if you live in a large metropolitan area. Unfortunately it makes them nearly impossible to track back, because when you call the number back, it's some random private number that didn't even make the call and has no idea what you're talking about. I've had a couple very angry people call me and yell to stop trying to sell them credit cards.

I don't fully follow the prefix thing. So a scammer makes a call from a number that's a prefix of my number? That doesn't affect 2FA, that won't show up as "me" on my friends' phone screens when they call, etc... how is that an issue?

The scammer is able to forge the signaling and routing. It's not that they have numbers for your prefix, they're just able to connect to SS7, know that they're calling 555-111-2222, and forge the signaling information for say 555-111-3333 hoping that you're more likely to pick up the phone, and you have no way to call them back as they'll not be associated with that number once the call is done.

> That doesn't affect 2FA

You can use the same techniques to say "I am 555-111-2222, route all sms for that number to me".

> that won't show up as "me" on my friends' phone screens when they call

They absolutely can do that.

It's not that they bought numbers in each of the prefixes, it's that they're forging the signaling information for another number in your prefix dynamically, based on your number.

Thanks :)

As another commenter pointed out, the mobile network signaling system sucks. You can just read other people's SMS by becoming part of the SS7 network. It's that easy. Watch these two talks on the subject:



I can't follow this, it's too technical for me. Are you saying anyone here on HN who watches the talk (and is technical enough) could just read text messages of the people who are in the area around their BTS? How is that NOT done en masse then?

For starters, you can copy sim card, entirely.

About practice - one of Telegram's users was compromised using his phone number, because the Russian government just ordered the mobile operator to do this. It was much more simple than copying a SIM card :)

Right. So if you need physical access to my phone to be able to copy my keycard, I'm not too worried. I'll find out very quickly I don't have it, within minutes typically (hours at most). If someone is an incredibly smart adversary, steals my phone, gets the SIM card, copies it, and gives it back without me noticing, I'm f*ed anyway.

Or is there a way to copy SIM card remotely???

As for state-level adversary, I get it. I'm even less concerned here :)

Physical access is not needed.

I think it depends on the carrier and the adversary. For example, a government could ask the carrier to give them a copy of traffic to your number, or to cancel your number, or to let them send data as you.

This is already "practical" if you have a capable enough adversary; for example, there have been reports of attackers subverting SMS-based 2FA.


This could be based on cooperation of the carrier, or perhaps SS7 attacks, or IMSI catchers.

One common scam in the US is to walk into a retail store, say that you lost your phone, ask for a replacement SIM card, and trick the minimum-wage employee into giving it to you (fake IDs, yelling, whatever).

if you lose your SIM card, or it expires for some other reason, it will eventually be reassigned. then someone else has your old number and may recover your old account if you weren't able to change the number on it.

How do these apps generate revenue? Do they sell stickers etc?

This app in particular costs money.
