Product review: Threema
Over the past few months, I’ve been playing with an app called Threema.
What’s Threema, I hear you ask? It’s an instant messaging / chat application for mobile devices. At this point, you (and, honestly, I as well) may be wondering what the point is. After all, we already have text messaging, iMessage, Yahoo, Skype/MSN, Facebook chat, Google Talk, Snapchat, ICQ, BlackBerry Messenger and many others. Do we need another?
The difference is that Threema has full end-to-end security: the messages are encrypted (using public/private key encryption) before they leave the device. Unlike the other offerings above, the messaging server (which, incidentally, is located in Switzerland, not the U.S.A.) does not have the decryption key – no one but the recipient can read the message.
One of the things I like about this system is that it uses a simple one, two or three dot system to show you how “verified” the other person is. One dot means you’ve just received a message from them. Two dots mean that their identity matches their details in your phone’s contact list (if they’ve chosen to share their email address or phone number; it’s not required).
Three dots is reserved for someone you have met in person: when you meet, you use your phone’s camera to snap a photo of a QR code on the other party’s device. They do the same for you. You can now be 100% assured that the messages you are receiving are from the person you met. (Provided their device isn’t stolen or compromised.)
Once you get your head around this, the system pretty much just “works”. Which is ultimately what you need for a messaging system. The interface is clean and easy to use and the messages come through with no noticeable delay.
The only issue I’ve found so far is that, when I upgraded my iPhone, I needed to re-verify my contacts. Which is a pain, but it makes sense: the keys aren’t backed up when you do a phone backup (if they were, it would be possible for Apple to obtain/disclose them), so it would be conceivable that an attacker could buy a new phone, restore one of your backups using your Apple ID and then impersonate you. Threema, by design, won’t fall for this.
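To make the dot levels and the re-verification behaviour concrete, here is a simplified model of key pinning. It is an added example, not Threema's code: the class and function names, the identity string and the sample keys are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

# Dot levels as described in the review.
ONE_DOT, TWO_DOTS, THREE_DOTS = 1, 2, 3

@dataclass
class Contact:
    public_key: bytes      # key received via the messaging server
    level: int = ONE_DOT

class ContactStore:
    def __init__(self):
        self.contacts = {}  # identity string -> Contact

    def learn_from_server(self, identity, public_key, in_address_book=False):
        """Pin a key obtained over the network; it can earn at most two dots."""
        level = TWO_DOTS if in_address_book else ONE_DOT
        known = self.contacts.get(identity)
        if known and hmac.compare_digest(known.public_key, public_key):
            known.level = max(known.level, level)   # same key: keep earned trust
        else:
            # New identity or a different key: in-person trust does not carry over.
            self.contacts[identity] = Contact(public_key, level)
        return self.contacts[identity].level

    def scan_qr(self, identity, scanned_key):
        """Compare the key read from the other device's screen with the pinned one."""
        known = self.contacts.get(identity)
        if known is None:
            self.contacts[identity] = Contact(scanned_key, THREE_DOTS)
            return THREE_DOTS
        if not hmac.compare_digest(known.public_key, scanned_key):
            raise ValueError(f"key mismatch for {identity}: re-check this contact")
        known.level = THREE_DOTS
        return THREE_DOTS

def demo():
    alice_key = bytes(range(32))   # constructed sample key
    other_key = bytes(32)          # constructed: a different key for the same identity
    store = ContactStore()
    results = [store.learn_from_server("ALICE001", alice_key)]
    results.append(store.learn_from_server("ALICE001", alice_key, in_address_book=True))
    results.append(store.scan_qr("ALICE001", alice_key))
    # A device that never held the original private key shows up with a new key.
    results.append(store.learn_from_server("ALICE001", other_key, in_address_book=True))
    return results

if __name__ == "__main__":
    print(demo())
```

The last step shows why a changed key costs the third dot: only a fresh in-person scan can restore it.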