Insights For Success

Strategy, Innovation, Leadership and Security

The most secure smartphone messaging app

technology | Edward Kiledjian

[Image: Threema1.png]

During the NSA leaks earlier this year, we heard rumors that Apple's iMessage employs end-to-end encryption, making covert interception difficult. But any time you add a new device to your account, your iMessages are automatically downloaded to it, which means Apple could (if compelled by a competent court) hand over an unencrypted list of your messages.

I know many of you have nothing to hide, but privacy isn't just for the "bad guys". We should all try to be as private as possible, and this instant messaging app helps with that. The app (iOS and Android versions are available) is called Threema (link) and it's a great piece of code.

Threema provides end-to-end encryption and assigns a separate trust level to each contact's key. A contact whose key was retrieved from the Threema server shows up with 2 yellow dots; a contact whose key was retrieved by scanning the bar code displayed on the user's own device gets 3 green dots.

Installing the App

You download the app from the appropriate store (iTunes or Google Play) and install it. As soon as you start it up, you drag your finger randomly across the screen to help generate a random seed so the app can create your truly unique private/public key pair (don't worry, it is super simple even for non-technical users).

If you allow it, Threema can scan your address book to find contacts that are already using the app (to be honest, I doubt you'll find too many unless you work with security-conscious people).

For the most secure communication possible, scan the other person's public key when you physically see them.

[Image: Threema2.png]

This is how the other party exposes their public key during a physical meetup.

[Image: Threema3.png]

Above you see a Threema contact; because this one has a verification level of 3 green dots, we know the person's public key was physically scanned (the highest level of trust for the key exchange).

Saving your private key

After everything is set up, you can export your private key via email for safekeeping so you can easily restore it if the app has to be reinstalled. Because Threema uses true end-to-end encryption that you control, Threema does not have your private key and cannot recover it for you.

Know the status of your message

Threema offers these message indicators:

[Image: Threema5.png]

These indicators mean you will always know what happened to your message: was it received? Was it read?

What can you send?

Threema is great because it lets you send text messages, emoji (rendered by your OS), photos, videos and your current location.

It handles everything you may want to send.

More technical stuff

Threema uses Elliptic Curve Cryptography (ECC) via the NaCl cryptography library, which is fast and very secure. Threema's asymmetric ECC encryption has a strength of 255 bits (roughly the equivalent of a 2048-bit RSA key). Threema provides this additional clarification about the encryption:

"ECDH on Curve25519 is used in conjunction with a hash function and a random nonce to derive a unique 256 bit symmetric key for each message, and the stream cipher XSalsa20 is then used to encrypt the message. A 128 bit message authentication code (MAC) is also added to each message to detect manipulations/forgeries."
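The scheme in that quote, written out as an added worked example (this is not Threema's or NaCl's code): a plain-Python X25519 key agreement following RFC 7748, a 256-bit per-message key derived by hashing the shared secret together with a random 24-byte nonce, stream-cipher encryption, and a 128-bit MAC that is checked before anything is decrypted. Two stand-ins are assumptions made for brevity and are not what Threema ships: SHA-256 in counter mode replaces the XSalsa20 keystream, and a truncated HMAC-SHA256 replaces NaCl's 128-bit tag. All function names and the sample keys are mine.

```python
"""Added illustration of Curve25519 ECDH + per-message key + stream cipher + MAC.
Not Threema's code. Stand-ins: SHA-256 counter mode for XSalsa20, HMAC-SHA256/16 for the MAC."""
import hashlib
import hmac
import os

P = 2**255 - 19                              # Curve25519 field prime
A24 = 121665                                 # (A - 2) / 4 for Montgomery curve with A = 486662
BASEPOINT = (9).to_bytes(32, "little")       # generator u-coordinate, encoded as in RFC 7748


def _clamp(scalar):
    """RFC 7748 scalar decoding: clear the 3 low bits and bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, point):
    """Montgomery ladder from RFC 7748 section 5. Returns the resulting u-coordinate (32 bytes)."""
    k = _clamp(scalar)
    u = bytearray(point)
    u[31] &= 127                             # the top bit of the encoding is ignored
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                             # conditional swap (constant-time in real libraries)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed=None):
    """Private scalar (the app seeds this from your finger-drag entropy) and its public point."""
    priv = seed or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def message_key(shared, nonce):
    """256-bit per-message key = H(shared secret || nonce): a fresh nonce gives a fresh key."""
    return hashlib.sha256(b"example-msg-key" + shared + nonce).digest()


def _keystream(key, nonce, length):
    """Stand-in for XSalsa20 (assumption): SHA-256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return out[:length]


def encrypt(sender_priv, recipient_pub, plaintext, nonce=None):
    nonce = nonce or os.urandom(24)          # 24-byte random nonce, the size NaCl's crypto_box uses
    key = message_key(x25519(sender_priv, recipient_pub), nonce)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]   # 128-bit tag (encrypt-then-MAC)
    return nonce, ct, mac


def decrypt(recipient_priv, sender_pub, nonce, ct, mac):
    key = message_key(x25519(recipient_priv, sender_pub), nonce)   # same secret as the sender derived
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, mac):                      # verify before decrypting
        raise ValueError("MAC mismatch: message was manipulated or forged")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def tamper_detected(recipient_priv, sender_pub, nonce, ct, mac):
    """Flip one ciphertext bit and report whether the MAC check rejects it."""
    flipped = bytes([ct[0] ^ 1]) + ct[1:]
    try:
        decrypt(recipient_priv, sender_pub, nonce, flipped, mac)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    n, ct, tag = encrypt(a_priv, b_pub, b"meet at 9")
    print(decrypt(b_priv, a_pub, n, ct, tag), "tamper rejected:", tamper_detected(b_priv, a_pub, n, ct, tag))
```

Both sides arrive at the same message key because x25519(a_priv, b_pub) equals x25519(b_priv, a_pub); the nonce travels in the clear and only serves to make every key and ciphertext unique, so it must never repeat for the same pair of keys. A flipped ciphertext bit fails the MAC check and is discarded before decryption, which is exactly the "detect manipulations/forgeries" property the quote describes.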

Threema actually has 2 layers of security protection:

  1. End-to-end encryption between the participants (the participants hold the private keys)
  2. Protection for all communication between a client and the server

Threema has an encryption validation feature which allows anyone to verify the encryption quality. You can read up on how to log the encrypted stream and then validate it here (link). This is a good thing because it gives you peace of mind that they are doing what they say they are doing.

Verdict

I've spent the last 2 months looking at the various cross-platform instant messaging apps, trying to find one that was secure and easy. Threema is the only one that fit all my requirements. It does cost $1.99, but it is well worth the small investment.