Review: Threema Secure Messenger

Threema

It seems that encrypted messaging systems are all the rage these days.  I’m not complaining – this is a very good thing.  Even WhatsApp recently announced it would implement strong end-to-end encryption using Signal’s excellent protocol.  I think this is great – a billion users will be using end-to-end encryption by default.  There is still room, however, for dedicated secure messaging apps.  Threema Secure Messenger is one of those apps.  While many of the features mirror apps like Signal and Wickr, there is still room on my phone for Threema.

THREEMA SECURE MESSENGER

This app incorporates all the standard fare: you can use it over Wi-Fi.  It supports audio messaging, sharing photos and files, and your location.  Threema also allows you to initate a poll.  This might be useful when trying to wrangle a group of friends to dinner at one of three restaurants.  Threema also allows you to enable (or disable) read receipts and the typing indicator, and you can backup your messages.  And obviously, Threema Secure Messenger encrypts all of your messages end-to-end.

The feature that it does offer that most other messaging systems don’t however, is privacy in identity.  Unfortunately Signal requires that you associate your phone number to activate the app.  The implication of this is that you must now give out your phone number as your Signal “username”.  Further, Signal won’t authenticate “anonymous” numbers like Google Voice or Burner numbers.  This is a major issue for me – I don’t like giving out my real, subscriber phone number to anyone since it correlates to attack surface.

My favorite feature of Threema: it issues a pseudorandom, 8-digit “Threema ID”.  This ID can be given out to contacts and will not reveal your phone number or other sensitive information.  You may assign a Public Nickname that users will see when they receive messages from you, but this is not necessary. This makes Threema one of the most anonymous messengers I have found.  You can also revoke your Threema ID at any time, in the event your key or device is compromised.  This requires the creation of a revocation password in Threema’s settings.  The app also issues you a QR code containing your ID and device fingerprint.  If you meet in person with another Threema user, he or she can scan this QR code with the app.  This will prevent anyone from impersonating your device in the future.

Threema Secure Messenger

I have used Threema extensively for the past three months.  I have used it with individuals across three continents, over VPNs, and over mobile data and Wi-Fi only.  Threema secure messenger is available for Android, iOS, and Windows devices. The only downside of Threema is that it is a paid application.  It costs $2.49 (Android), $2.99 (iPhone/iPad), or $1.99 (Windows Phone).

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.

Leave a Reply