Threema: what it is and how the WhatsApp alternative for anonymous chat works

Time: 10/Sep By: kenglenn 387 Views


Threema is an instant messaging app that differs from the others because it lets you communicate via chat, calls and video calls completely anonymously, protected by effective encryption algorithms. Here's how it works and how to use it best.

08 Mar 2021, Giorgio Sbaraglia, Cyber Security business consultant, member of the CLUSIT Scientific Committee

WhatsApp is currently reminding its users that it will proceed with the update of its terms of use and privacy policy on May 15, and that these must be accepted to continue using the app after that date. For this reason, numerous users are migrating (or are thinking of migrating) to alternative platforms such as Signal and Wickr. Beyond these, however, there are other equally valid instant messaging applications.

Threema is equipped with numerous features that make it simple to use, as well as security measures that protect chats. It is therefore useful to analyze them in detail, in order to have all the elements needed to choose the WhatsApp alternative best suited to our purposes.


Threema: the messaging app for anonymous chat

Threema (born in 2012 in Switzerland) is considered one of the safest instant messaging applications currently available on the various app stores: like its main competitors, it is available for both Android and iOS. There is also a desktop version for Windows and macOS, called Threema Web, which, however, is a web application that is activated by scanning a QR code with the app installed on the smartphone.


Regarding the security of chats on Threema, it is important to note that the servers used by the app are located in Switzerland and are therefore subject to the strict data protection rules in force on Swiss territory (they are not subject to the security laws of the United States).

For this reason, Threema declares itself to be "completely in accordance with the GDPR".

You can register anonymously


Threema does not require an e-mail address or telephone number to create an account: you can register anonymously, because it is enough to provide a nickname.

During the registration phase, a random Threema ID is created, consisting of 8 characters from A-Z/0-9. This is the code that identifies the user and that is used in encryption. This ID is the unique identifier in Threema; it does not depend on a telephone number and makes it possible to use Threema completely anonymously, without revealing any personal information.

An e-mail address or telephone number can still be added later, at the user's discretion.

Threema also does not save metadata and does not disclose information about the messages exchanged with other users (sender, recipient, time of sending and receiving, etc.).

How the settings backup works

On Threema it is also possible to back up important data such as chats, keys, the contact list and so on, using the Threema Safe function (to be activated in the app settings).

This creates an encrypted automatic backup (protected by a password set by the user and known only to them), which is stored only on the device (not on external servers).

Also for this reason, Threema warns us that in case of loss of the password or loss of the device it will not be able to help us recover this backup.

Even calls and video calls are anonymous

Finally, the application allows you to make calls and video calls without revealing your phone number. Threema calls are encrypted end-to-end and therefore interception-proof.

The quality is excellent (among the best) and can be set by the user on three levels (balanced, low, maximum) depending on the bandwidth that is available.

Encryption and security on Threema

The E2E encryption used by Threema relies on open source components and is illustrated in detail in this whitepaper, where the algorithms and the design of the encryption are explained.

The asymmetric Elliptic Curve Diffie-Hellman (ECDH) algorithm and symmetric encryption with XSalsa20 are used. The application stores local data (such as the history of incoming and outgoing messages and the list of contacts) in encrypted form on the device itself.

Threema also declares that it undergoes complete security audits. The latest audits are listed on the website.

Threema uses two different levels of encryption to protect messages between the sender and the recipient:

  1. end-to-end (E2E) encryption layer: this layer sits between the sender and the recipient;
  2. transport layer: each end-to-end encrypted message is encrypted again for transport between the client and the server, in order to protect the message header information.

Chats always secured with end-to-end encryption

All messages (whether simple text messages or messages containing media such as images, videos or audio recordings) are encrypted end-to-end.

For this purpose, each Threema user has a unique asymmetric key pair, made up of a public key and a private key, based on elliptic curve cryptography (Curve25519). When a Threema user sets up the application for the first time, the following process is performed:

  1. The app generates a new key pair by choosing a private key at random, storing it securely on the device, and computing the corresponding public key on Curve25519.
  2. The app sends the public key to the server.
  3. The server stores the public key and assigns a new random Threema ID, consisting of 8 characters from A-Z/0-9.
  4. The app stores the received Threema ID together with the public and private keys in secure storage on the device.

The application shows a key fingerprint for each contact and for the user's own identity. This can be used to compare public keys manually between different users, by scanning the other user's QR code. If this step is performed, the contact is marked as "verified" and is identified with three green dots.

To encrypt and authenticate messages, Threema uses the "Box" model of the NaCl Networking and Cryptography Library, developed by Daniel J. Bernstein (University of Illinois).

Threema is designed to handle the smallest possible amount of metadata on its servers. Groups and contact lists are managed exclusively on user devices, not on the server; messages are deleted immediately after delivery; no log files are created and no identifiable personal information is collected.
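The registration steps above and the ECDH agreement that NaCl's box builds on, as an added example (not Threema's code and not part of the original article). X25519 is implemented from RFC 7748 in pure Python so that it runs offline; `register` is a hypothetical stand-in for the server, and the fingerprint format (first 16 bytes of SHA-256 of the public key) is an assumption.

```python
import hashlib, secrets, string
P, A24 = 2**255 - 19, 121665                            # Curve25519 prime, ladder constant
BASE_POINT = bytes([9]) + bytes(31)
ID_ALPHABET = string.ascii_uppercase + string.digits    # A-Z/0-9, as on the page

def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 per RFC 7748. Teaching code: Python integers are not constant-time."""
    s = bytearray(k)
    s[0] &= 248; s[31] &= 127; s[31] |= 64              # clamp the private scalar
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):                      # Montgomery ladder
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb, aa, bb = d * a % P, c * b % P, a * a % P, b * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def generate_keypair():
    """Step 1: random private key, public key computed on Curve25519."""
    private_key = secrets.token_bytes(32)
    return private_key, x25519(private_key, BASE_POINT)

def register(directory: dict, public_key: bytes) -> str:
    """Steps 2-3 (hypothetical server): store the key, assign a random 8-char ID."""
    while True:                                         # retry on the rare ID collision
        new_id = "".join(secrets.choice(ID_ALPHABET) for _ in range(8))
        if new_id not in directory:
            directory[new_id] = public_key
            return new_id

def fingerprint(public_key: bytes) -> str:
    """Assumed format: first 16 bytes of SHA-256(public key), hex-encoded."""
    return hashlib.sha256(public_key).hexdigest()[:32]

def shared_secret(my_private: bytes, their_public: bytes) -> bytes:
    """ECDH result; NaCl's box derives its symmetric key from this value."""
    secret = x25519(my_private, their_public)
    if secret == bytes(32):                             # low-order public key
        raise ValueError("rejected: all-zero shared secret")
    return secret
```

Each party derives the same secret from its own private key and the public key the server returned for the other ID, which is why comparing fingerprints out of band is what rules out a substituted key.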

Maximum attention to user privacy

This is also confirmed by the privacy label shown in the iOS App Store (figure below): the "data linked to you" is minimal, only e-mail and telephone number, and these will be present only if the user has decided, at their discretion, to provide them since, as we explained, they are not necessary for registration.

All versions of Threema

The Threema app is paid (€ 3.99 for the smartphone app); no free version is available.

At the enterprise level, the Threema Work solution is offered, with costs that start from 1.40 CHF/user/month. A 60-day free trial is offered for this solution.

With this version, a management dashboard is provided to the system administrator, through which they can see the complete list of all active licenses and users, manage their privileges and access credentials, and revoke access to the app and to chats.

Advantages and disadvantages in the use of Threema

Pros

Cons
