Threema is an end-to-end (E2E) encrypted mobile messaging app. Unlike so many other secure apps, this one doesn’t require you to enter an email address or phone number to create an account. This allows you to use the service with a very high level of anonymity.
What can you do with this anonymous service? Text and voice messages? Of course. Voice and video calls? No problem. File transfers? Yeah, those too. And all of this is done end-to-end encrypted for excellent security.
Additionally, Threema goes beyond many other services in minimizing your footprint on the servers that route traffic. They do this by storing contacts and messages on each user’s device, instead of on the server. Likewise, your public keys reside on devices instead of the central servers. Even if someone were to somehow get access to all the data on the servers, there would be little of use to them.
Threema is GDPR compliant, and offers a range of versions optimized for various use cases.
In this review, we’ll cover the pros and cons of the service, along with its features and capabilities. By the time we are done, you should have a good idea of whether this is a service you want to invest some time (and a tiny bit of money) in.
Threema pros & cons
Here’s a quick summary of the pros and cons we encountered while reviewing this service.
- End-to-end (E2E) encryption
- Encryption algorithms: NaCl (open source cryptographic library)
- No telephone number or email address needed; no central user account
- Text and voice messages; voice and video calls; groups and distribution lists
- Mobile apps plus browser-based, secure desktop chat
- File sharing
- Group polling
- Transitioning to Open Source
- Does not log IP Addresses or metadata
- GDPR compliant
- Relatively small number of users
- Does not support 2FA (two factor authentication)
- No free trial
Now we’ll examine the key features of Threema messenger.
Threema feature summary
Here are features you’ll want to consider when evaluating Threema:
- E2E encryption with fully anonymous usage for great security and privacy
- According to the company, the code will soon be Open Source
- Clients for Android, iOS, and major web browsers
- Specialized versions for various use cases
Threema company information
Threema is a product of Threema GmbH, a small, Switzerland-based company. The team released their first version of the product in December 2012, and formally founded the company in 2014. They launched Threema.Work (a version designed for organizational use) in 2016, and additional versions since then.
Where is your Threema data stored?
To the maximum extent possible, data is stored only on the relevant devices. The minimum amount of metadata necessary to move messages to their proper destinations is stored on Threema servers only as long as needed to do its job.
The company’s servers are physically located in two Zurich, Switzerland data centers of an “ISO 27001”-certified colocation partner. They are protected by security systems that include biometric access control, video surveillance, emergency power systems, fire protection, and more.
Storing all your data on your local device is very safe… unless you lose access to your device. This is where Threema Safe comes into the picture. It is a platform-independent system for anonymously and securely backing up your unique Threema ID (more on this later), any of your contacts that you optionally synched, your groups, and other bits of data (you can see the full list here).
Okay, so where does Threema Safe store things? That’s up to you. By default, it will store the data on the company servers. However, you can configure it to store this data on any server you choose.
Third-party testing and audits of Threema
Threema is audited regularly. This third-party testing by independent security experts covers all aspects of the service’s security. At the time of this review, the most recent audit was performed by the IT Security group at Münster University of Applied Sciences.
You can read the entire document here if you wish, but for us, this line from the executive summary says it all:
In summary, Threema performs as specified in the published documentation and its security and privacy features are intact and effective.
We did our hands-on testing by installing the app on two Android phones. We also tested the web client, which needs to be connected to an instance of the mobile app.
We downloaded the apps from the Google Play store, paying the $2.99 fee (plus tax where applicable) for each phone.
Installing and configuring the Android app
Installing Threema from the Google Play store didn’t require any special procedure. When you launch the app for the first time, you’ll need to create your Threema ID. You do this by moving your finger randomly on a designated area of the device screen. This generates the ID, as well as helping create a unique asymmetric key pair that the app will use to encrypt/decrypt your messages.
A copy of your public key is automatically stored on the Threema servers. People communicating with you will use that to encrypt messages they send to you. Your private key remains on your device at all times, and no one, not even Threema, can see it. Because of this, no one else can read your messages unless they somehow get access to your device.
You must do the finger-wiggling process to create your ID, and must create a username and password to log into the app, the other settings (entering an email address or phone number, giving the app access to your contacts) are optional. Unless you have a strong reason to do so, we suggest you skip these options and use the service anonymously, with only your random ID for the rest of the world to see.
Working with the Android app
If you’ve ever used Whatsapp or similar messaging apps, you already know how to use Threema. If you followed our suggestion to not give the service access to your contacts, you’ll need to enter people’s Threema IDs manually the first time you message them. But that’s a small price to pay for maximizing your privacy.
I (Heinrich) did the testing with my friend Bill. We found the Android app to work very well. No problems, no glitches.
We exchanged voice and text messages, conducted voice and video calls, and shared files without any issues whatsoever.
We also tested the web client.
The web client
The Threema web client is a browser-bsed interface to a mobile device running the Threema app. It is not a stand-alone product with its own Threema ID. It is not a way to have an additional Threema instance that is not connected to a mobile device.
Where the web client comes in handy is it gives you access to the resources of any desktop, instead of a particular phone or other mobile device. For some activities, a full keyboard and the storage capacity and other resources of a desktop device can make Threema much more user friendly.
The Threema Support center consists primarily of a large, searchable FAQ, with helpful answers to the 150+ most frequently asked questions about their product.
You can also contact the Support Team directly, although they request you confirm the answer to your question is not already covered in the FAQ before doing so. We sent them a few test messages and found the team to be very helpful. The turn-around time could have been faster, but that is a common issue in the annoying lockdown world we inhabit today.
How private & secure is Threema?
Now let’s directly address the strength of the privacy & security provided by this messenger app.
Without strong encryption of your messages, a messaging app cannot protect your privacy. Threema has that angle covered.
But private information can exist outside the messages themselves. Threema protects your privacy here too. You can use the service without providing any personal information whatsoever. The randomly-generated Threema ID can be your only ID in the system, giving you full anonymity.
Note: You can link a phone number or email address to the service, but that is optional.
The very act of using a messaging service can generate metadata. This is data about your use of the service, such as who you send messages to, your physical location, and so on. To guard against this, Threema generates as little metadata as possible, and discards it as soon as it serves its intended purpose. The less metadata that exists about your online activities, the less of a threat it is to your privacy. The best VPNs for Android take this same approach by operating their services without any user logs.
Finally, while you can link your mobile device contacts to the app, you don’t need to. Threema will work perfectly fine without giving it access to the data about your contacts.
In other words, this app protects your privacy.
While it is impossible to guarantee anything is 100% secure and will remain so forever, as far as we can ascertain, Threema really is secure. They apply strong, end-to-end (E2E) encryption to everything.
Additionally, Threema is designed to generate as little data on servers as technically possible. Groups and contact lists are solely managed on the users’ devices, not on the server, messages are deleted immediately upon delivery, no log files are created, and no personally identifiable information is collected.
The only exceptions are centrally managed groups from Threema Broadcast, and Threema Safe data, if you choose to store it on their servers.
To ensure that everything works as advertised, Threema conducts regular, third-party audits of their service. You can see the most recent audit here.
Special versions of Threema
As we alluded to before, there are additional versions of Threema. They number 4 currently. While these aren’t the focus of this review, we should touch on them, as one of them may be exactly the motivation you need to start testing the basic messenger app.
Designed for organizations of all sizes, Threema Work lets you formalize and manage the use of instant messaging at work. It is virtually certain that there are people in your organization using personal messaging apps to communicate at work. But that presents a plethora of problems for you, from the possibility of proprietary data leaking out of the organization, to inadvertent violation of privacy regulations or other laws governing your organization.
Work can eliminate these problems by giving your employees a centrally-managed, secure messaging service to use for company business.
To learn more about Threema Work, you can read the full Product Presentation.
Note: Threema Broadcast and Gateway are included in Work, but are also available separately.
Threema Broadcast is a web interface that lets you broadcast to distribution lists, centrally-managed groups, feeds (dynamic newsletters), and bots, which can retrieve information through Threema. A Private Broadcast option allows you to prevent outsiders from subscribing to feeds.
Threema Gateway is a collection of an API (Application Program Interface) and SDKs (Software Development Kits) that allows you to send messages from your own software to Threema users. You can register for the Gateway and do some free testing before committing to use the Gateway.
Threema Education is actually a variant of Threema Work. What makes it different is that the company offers special pricing for educational institutions.
The basic Threema app (the one we tested for this review) is available for a one-time fee of $2.99 from Google Play or the iPhone and iPad App Store. The app gets a rating of 4.6 out of 5 stars on the Google Play store:
As for the other versions, you’ll want to check out their specific pages for pricing and other details. Here are the links you’ll need:
- Threema Work: Offers and Prices
- Threema Broadcast: Prices
- Threema Gateway: Offer
- Threema Education: Offer
Here are some of the most frequently-asked questions about Threema…and our answers to those questions.
Can Threema be hacked?
As we pointed out in the body of the article, no one can guarantee that a service is now and forever 100% secure. That means it is possible that Threema could be hacked. That said, with strong E2E encryption, and frequent audits of their code, it seems very unlikely that Threema will be hacked.
Is Threema more secure than WhatsApp?
Both Threema and WhatsApp are end-to-end encrypted, which makes them very secure to start with. However, WhatsApp stores some metadata about who is communicating with whom and when they do it, while Threema doesn’t. In addition, WhatsApp is now owned by Facebook, a company that doesn’t have the best reputation for respecting their user’s rights.
Put it all together and we would guess that Threema is at least as secure as WhatsApp, and possibly more secure.
Can I use Threema without a SIM card?
Yes, you can use Threema without a SIM card. That’s because Threema doesn’t use your phone number as an ID. Instead, it uses a randomly-generated Threema ID, which is not related to your personal data in any way.
How does Threema Web work?
Threema Web is really nothing more than an interface between your web browser and the Threema app running on your mobile device. As soon as you finish your Threema session, the browser deletes all synchronized messages, thereby preventing your browser from becoming a security risk.
Threema review conclusion
We were impressed with Threema. It is a fully-featured service that worked well, presenting us with no bugs or other unpleasant surprises during our testing. The availability of Threema Work and Education make it worth considering for those kinds of large organizations, while Broadcast and Gateway expand the product’s uses as well.
We did see one big potential drawback to using Threema: the network effect. For communication systems such as messaging apps, their value is intimately tied to the number of users they have. The more users, the higher the value.
Based on the most current numbers we have seen, Threema has a user base of somewhere north of 5 million users. While that may sound like a lot, it is dwarfed by other secure messaging apps. For example, as of July 2019, Telegram had 200 million users, Viber had 260 million, and WhatsApp had 1,600 million users.
In general, the odds of finding people to connect to, and reasons to actually use the service, are much higher for other messenger apps than for Threema.
Is Threema right for you?
Given the above, you might expect us to say to avoid Threema. But there are several situations where Threema may be an ideal choice for you:
- If you need to connect a group of people who can be compelled to install and use the service. In this case, it doesn’t much matter how many outsiders are using the service, as long as your group of insiders will do so.
- If you want an under-the-radar secure messaging service. Censors, hackers, and other bad actors tend to focus their efforts on the biggest targets, leaving the smaller ones alone. Why try to mess with a small, extra-secure service like Threema, when there are potentially easier targets with tens to hundreds of times as many users?
- You need one of the specialized capabilities that Threema provides, such as the enterprise capabilities of Work, or integration with your own software like that provided by Gateway.
These are just some of the use cases where Threema could be the ideal solution.
If you want to continue searching for the best secure messaging app for your circumstances, we recommend you check out other secure messenger services we’ve tested.