Made in Switzerland
Threema is essentially very similar to WhatsApp, but with more focus on security and anonymity, and it is free from advertising. With the explosion of online social interaction, mainly through our smartphones, digital privacy has become a key concern. Relying on the word and servers of big companies like Apple and Facebook (which owns …
Threema users decide about Security
With WhatsApp, a security problem arises from its reading of the address book. Threema leaves this decision to you, the user:
You can also use the messenger without giving it access to the address book at all. If you switch synchronisation off, the app reads no address book data; you then enter your Threema contacts manually, by typing in their ID or scanning a QR code. If you opt for synchronisation, the e-mail addresses and telephone numbers from your address book are hashed before they leave the phone, i.e. passed through a one-way function.
The transmission of the hashes to the Swiss servers is additionally protected with SSL. The servers delete the hashes from working memory as soon as the list of matching IDs has been determined, and Threema ensures that neither the hashes nor the matching results are written to disk.
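The contact-discovery round trip just described, as an added example that is not Threema's code: the client normalises each address-book entry, hashes it, and uploads only the digests; the directory side answers with the IDs whose linked identifiers hash to the same value and keeps nothing from the request. The page does not name the hash function or the normalisation rules, so SHA-256 and the simple digit/lower-case normalisation below are assumptions, and the Threema IDs in the test data are constructed placeholders. One caveat worth keeping in mind as a defender: a phone number has a small input space, so a plain hash of it can be recovered by trying all candidate numbers. Hashing keeps raw contacts off the wire and off the server's disk, but it is not equivalent to encryption.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// normalize makes the same contact hash identically however it was typed:
// phone numbers keep only digits and a leading '+', e-mail addresses are
// lower-cased. A real client would convert numbers to full E.164 form using
// the user's country code; that is omitted here (assumption for the example).
func normalize(s string) string {
	s = strings.TrimSpace(s)
	if strings.Contains(s, "@") {
		return strings.ToLower(s)
	}
	var b strings.Builder
	for i, r := range s {
		if (r >= '0' && r <= '9') || (r == '+' && i == 0) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// hashIdentifier is the one-way step performed on the phone. SHA-256 is an
// assumption; the page does not name the function Threema uses.
func hashIdentifier(s string) string {
	sum := sha256.Sum256([]byte(normalize(s)))
	return hex.EncodeToString(sum[:])
}

// HashAddressBook produces what the client uploads: digests only. The mapping
// back to the raw entry stays on the phone so the client can name the matches
// it gets back.
func HashAddressBook(entries []string) (digests []string, local map[string]string) {
	local = make(map[string]string, len(entries))
	for _, e := range entries {
		d := hashIdentifier(e)
		digests = append(digests, d)
		local[d] = e
	}
	return digests, local
}

// MatchingServer models the directory side: digest -> Threema ID for users who
// chose to link a number or address to their ID. The IDs are constructed.
type MatchingServer struct {
	directory map[string]string
}

// NewMatchingServer stores only digests of the linked identifiers.
func NewMatchingServer(linked map[string]string) *MatchingServer {
	m := &MatchingServer{directory: make(map[string]string, len(linked))}
	for ident, id := range linked {
		m.directory[hashIdentifier(ident)] = id
	}
	return m
}

// Match returns the IDs for the digests present in the directory. It retains
// nothing about the request: the uploaded digests exist only in its argument.
func (m *MatchingServer) Match(digests []string) map[string]string {
	found := make(map[string]string)
	for _, d := range digests {
		if id, ok := m.directory[d]; ok {
			found[d] = id
		}
	}
	return found
}

// Discover runs the whole round trip from the client's point of view and
// returns contact -> Threema ID for the entries that matched.
func Discover(server *MatchingServer, addressBook []string) map[string]string {
	digests, local := HashAddressBook(addressBook)
	result := make(map[string]string)
	for d, id := range server.Match(digests) {
		result[local[d]] = id
	}
	return result
}

func main() {
	// Constructed directory: two users who linked an identifier to their ID.
	server := NewMatchingServer(map[string]string{
		"+41791234567":    "ID-ALICE-0",
		"bob@example.com": "ID-BOB-00",
	})
	book := []string{"+41 79 123 45 67", "Bob@Example.com", "+1 555 0100"}
	fmt.Println(Discover(server, book))
}
```

Run it with `go run` to see that the two linked contacts resolve to their IDs while the third entry, which nobody linked, yields nothing and never left the phone in readable form.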
What Threema can do is missing in WhatsApp
It’s not easy to combine security and ease of use. While WhatsApp chose ease of use, Threema’s healthy mix of both works quite well. For example, Threema creates the secret key pair during app setup while offline. Neither the private nor the public key leaves the phone during installation; everything happens locally. The public key must later be distributed so that encrypted messages can be sent, but the private key remains on the device. From these two keys, the recipient’s public key and the sender’s private key, the app calculates a third key that encrypts the message itself.
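The key arrangement described above, as an added example rather than Threema's own code: each device generates its key pair locally, only public keys are exchanged, and each side derives the same symmetric "third key" from its own private key and the peer's public key, so that key is never transmitted. The page does not name the primitives, so X25519 and AES-GCM from Go's standard library are assumptions here, as is the SHA-256 step that turns the Diffie-Hellman output into a symmetric key in place of a proper KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device holds one user's X25519 key pair, generated locally. Only
// PublicKeyBytes() is ever handed out; the private key stays in this struct.
type Device struct {
	priv *ecdh.PrivateKey
}

// NewDevice generates the key pair on the device, with no network involved.
func NewDevice() (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKeyBytes is the part that gets distributed so others can encrypt to us.
func (d *Device) PublicKeyBytes() []byte { return d.priv.PublicKey().Bytes() }

// SharedKey derives the "third key" from our private key and the peer's public
// key. The peer obtains the same value from their private key and our public
// key, so neither side ever sends it. The raw Diffie-Hellman output is passed
// through SHA-256 to obtain a 32-byte symmetric key (assumed stand-in for a KDF).
func (d *Device) SharedKey(peerPub []byte) ([32]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return [32]byte{}, err
	}
	// ECDH rejects low-order peer points (an all-zero shared secret) with an error,
	// so a malicious or malformed public key cannot force a predictable key.
	secret, err := d.priv.ECDH(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(secret), nil
}

func newAEAD(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext under the shared key. The random
// nonce is prepended to the ciphertext so the recipient can recover it.
func Seal(key [32]byte, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Any modification of the message makes the GCM tag check
// fail, so the recipient gets an error instead of altered plaintext.
func Open(key [32]byte, box []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(box) < ns {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, box[:ns], box[ns:], nil)
}

func main() {
	alice, _ := NewDevice()
	bob, _ := NewDevice()
	// Only public keys cross the wire; each side derives the same key locally.
	kA, _ := alice.SharedKey(bob.PublicKeyBytes())
	kB, _ := bob.SharedKey(alice.PublicKeyBytes())
	box, _ := Seal(kA, []byte("hello from alice"))
	plain, err := Open(kB, box)
	fmt.Printf("keys match: %v, decrypted: %q, err: %v\n", kA == kB, plain, err)
}
```

A server relaying `box` sees only nonce and ciphertext; without one of the two private keys it cannot compute the shared key, which is why, as the next paragraph says, the relay has nothing to decrypt.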
The message recipient decrypts a message with their private key. The Threema servers do not decrypt anything, so message contents cannot be handed over to any authority. If a Swiss court orders disclosure under Swiss law, that disclosure cannot include sent messages. The remaining data would also look rather meagre: once the recipient retrieves a message, it is deleted from the server. IP addresses and traffic data (who sent which message to whom, and when) are not stored either. And if the user decides not to link an e-mail address or mobile phone number to their ID, that data is not stored on the servers at all.