Today we're going to look at Threema, a secure, anonymous messaging app from Switzerland. While Threema has never achieved the notoriety of apps like Signal or Telegram, that doesn't mean that it's not worth your attention. In this Threema review we'll show you everything this secure messaging app has to offer.
Threema is easy to use and has the full range of features you would expect from a secure messenger app. It offers text and voice messages, voice and video calls, groups and distribution lists, and the ability to share files, media, and locations. Everything is end-to-end encrypted, including the items you share.
Threema also lets you conduct polls, have private chats that are protected by a PIN or fingerprint, verify contacts to prevent man-in-the-middle attacks, and quote text messages. Because you don't need to enter your phone number or email address when creating a Threema account, you can use the service completely anonymously. This is a big difference from Signal and Telegram, as we noted in our Signal review.
The company behind Threema
Threema GmbH, a small, Swiss company, publishes Threema. Although they released the first version of Threema in December 2012, they didn't formally found the company until 2014. Since 2016, the company has released several versions of Threema aimed at different markets.
With full-time E2E encryption and the absolute minimum of unencrypted data ever reaching the company servers, this is definitely a secure messaging app. Anything that does get stored on company servers (messages in transit for example, or metadata needed to route those messages) is there temporarily. As soon as a message is delivered, the message itself, along with the related metadata, is deleted from the servers.
Threema owns all servers, which are physically located in two secure data centers. These data centers are in Zurich, Switzerland, which means they are subject to Swiss data protection laws.
Late in 2020, Threema completed the transition of all their apps to Open Source. This means anyone who wishes can analyze their code and confirm for themself that the code is secure.
Threema stores as much of your data as possible on the relevant devices. The system does need to store a minimal amount of metadata on its servers to get messages delivered to their destinations. Once that happens the metadata is deleted.
The data stored on devices is AES-256 encrypted for maximum security. This includes media files that have been sent through the Threema network.
Third-party audits and testing
Threema has regular audits conducted to confirm that the service is secure. The most recent audit was done by Cure53 in 2020. The audit described the code quality and general structure of Threema as, “unusually solid.”
Threema has been publishing a running transparency report since 2014. I like the way they present this information. Instead of simply stating that they had received a certain number of requests, the report shows much more information, including the kind of information they may provide to the authorities. Here's a capture of the portion of the transparency report showing the key info:
Looking at this capture you'll see that, aside from the Threema ID, there isn't much that anyone can find out, even if they do succeed in forcing Threema to turn over your information. According to Threema, the available data they can provide is restricted to the following items “if the legal requirements are fully met”:
- Hash of phone number, if provided by the user
- Hash of email address, if provided by the user
- Push token, if a push service is used
- Public key
- Date (without time) of Threema ID creation
- Date (without time) of last login
Note: Threema will have even less data if you do not provide a phone number or email address when registering.
Using Threema messaging apps
I tested Threema by buying and installing it on two Android smartphones. Additionally, I tested Threema.Web (the Threema web app) by linking it to one of the phones. The app is available in the Android and iOS stores for $2.99 US.
Installing and using the Threema Android app
Aside from having to pay to download the Threema app (most messenger apps are free), there is another unusual aspect to installation. Because Threema doesn't use your phone number or email address to identify you, the first thing you need to do is generate a Threema ID.
You generate this 8-digit ID by starting the app and moving your finger randomly in an area of the screen. This generates the ID and also helps generate a unique asymmetric key pair that the Threema app will use to encrypt and decrypt messages.
Note: You of course will also need to generate a username and password that you will enter when you want to log in to the app.
The app sends a copy of your public key to be stored on the Threema servers. When another Threema user sends you a message, their app will use your public key to encrypt it.
The Threema app keeps your private key securely on your device. The Threema app uses your private key to decrypt messages sent to you. The private key never leaves your device, and even the engineers at Threema can't get access to it. That means no one else can read your messages unless they get physical access to your device, and coerce you into telling them your username and password.
Note: During the installation and configuration of the app you'll have the option to enter your email address or phone number so the app can see your contacts. For the most privacy and anonymity, I recommend that you don't give the app your phone number or email address. You can enter your contacts manually later.
With all that stuff out of the way, you should see the Threema mobile interface. It'll look something like this:
In my testing, the Threema Android app worked perfectly. It offers all the standard messenger app features you would expect. And the February 2021 update to Threema 4.5 added a number of new features to the Android app. Here are some of the big ones:
With the new global search function, you can search across all your chats at once, instead of searching each chat individually. This is ideal for those times when you know that you were talking to someone about say, The Magilla Gorilla Show, but you can't recall who.
Integrated media gallery with Image Search
The new integrated media gallery makes it easy to send images or videos by displaying them all in an easy-to-use format. You can also add captions or edit the images before sending them.
Image Search is an optional feature that uses an image recognition system to let you search for images by entering keywords. Enter ‘dog' and Image Search will return all images that have a dog in them. It is important to note that image recognition is carried out locally on your device. No images get sent off to some outside site for analysis.
The Android app catches up with the iOS app by now supporting groups with up to 256 members and allowing you to quote all message types. The iOS app received these capabilities in the 4.6.4 update released in January 2021.
Threema.Web – Use Threema on the desktop
Unlike many of its competitors, Threema does not offer stand-alone desktop apps. Instead, they provide Threema.Web. Threema.Web is a web browser-based interface to a Threema-equipped mobile device. You configure Threema.Web to work with a particular mobile device running the Threema app. This isn't a stand-alone product with its own Threema ID. It is just a way to control the Threema app on your phone using your computer.
Note: It isn't just a different way to control your phone. When you run Threema.Web on a computer, you also get access to the disk drives of the computer. Whether you want to type on a real keyboard, or move lots of files back and forth, Threema.Web can make using Threema a lot easier.
One last thing. If you are going to use Threema.Web, you should be sure to use a secure web browser. Threema uses E2E encryption in the Threema.Web to secure its messages so you should be fine. And if you are looking for a full desktop client, check out our Telegram review here.
Other flavors of Threema
Many popular messenger apps (such as Signal or Telegram) offer only a single version of their product. Threema takes things one step further by offering specialized versions of Threema for different audiences. Let's quickly touch on these different versions before closing out this review.
Threema.Work is a centrally-managed secure messaging service for the business. By requiring employees to use Threema Work instead of their personal messaging apps, you can protect against proprietary data loss and minimize the risk of violating relevant privacy regulations or other laws, such as GDPR. This document provides a more detailed explanation of Threema.Work.
Threema Broadcast provides a web interface you can use to broadcast to distribution lists, groups, and news feeds. You can even create interactive chatbots that communicate on Threema. Threema Broadcast is included in Threema.Work, but is also available separately.
Threema Gateway is an API you can use to integrate Threema with your own software. Threema Gateway is included in Threema.Work but also available separately.
Threema Education is a special educational pricing plan for Threema Work. It is reserved for public educational institutions only.
Like Telegram, Threema's support site consists of a large collection of frequently asked questions and answers. You can search for a specific answer, or select a category and browse through all the related entries.
You can also contact the Support team, but they would like you to confirm that the answer to your question isn't already in the FAQ before contacting them. I found the support staff to be knowledgeable and helpful, but I would have liked faster responses. It behooves both you and them if you consult the FAQ before talking to the support team.
As noted previously, the base Threema messaging app is not free software. It costs $2.99 to download from the Google Play store or the iPhone and iPad app store.
The other versions of Threema each have their own price plans, as we noted above.
Here are the answers to some common Threema questions that aren't addressed elsewhere in the review.
As of now, it is safe to say that Threema and WhatsApp are equally secure. They both use end-to-end (E2E) encryption with strong cryptography to protect the contents of your messages. No one can read them except the intended recipient.
However, the big difference is privacy. Threema collects as little data as possible. WhatsApp collects a lot more data and shares it with the parent company (Facebook) and their partners.
Can someone hack Threema?
It is impossible to guarantee that no one can hack Threema (or any other piece of software for that matter). But given that Threema has been audited several times by outside security experts, and all communications are E2E encrypted using strong cryptography, the chances are very small that someone can hack Threema.
Do I need a SIM card to use Threema?
No. You do not need a SIM card to use Threema. Threema doesn't use your phone number to identify you. Instead, it uses a randomly-generated Threema ID. This ID is not related to your phone number or any other personal data.
Threema review conclusion
Threema is an excellent secure messaging app. One of the few that lets you use it anonymously, it works well and provides all the features you would expect of a leading messaging service.
The fact that you need to pay for the app is actually a plus in my mind. Every company needs some way to pay its bills. If a messenger app is free, they have a lot of incentive to find a way to monetize the user base, which can lead to problems. Because Threema charges for their apps, they don't have these issues to face.
The one thing that gives me pause about Threema is the fact that its user base is so small. They only have a few million users, compared to the tens or hundreds of millions of users of competing apps. This is also a concern we noted in our Wickr review.
When selecting a secure messaging app for your needs, there are always tradeoffs and features to consider. Threema has a lot to offer and it scores high marks for security and privacy.