Threema is one of the few paid apps for messaging and calls. It is built to Swiss data-protection standards. Note that the price is a one-off payment: there are no service packages or subscriptions to buy.

Features

The developers put the main emphasis on protecting user data. The servers hold the bare minimum of information; most of it stays on the users' devices. Messages are not uploaded anywhere else and are deleted from the server as soon as they have been delivered. This approach is very effective for protection.

Besides the mobile apps there is Threema Web, an online version of the service. Keep in mind that to use it you must authorise the session from your smartphone or tablet, which is done by scanning a QR code.

All messages, files, calls and even status updates are encrypted before they leave the device. They therefore reach the servers only as ciphertext, and decryption happens on the recipient's device.

The user does not need to take any special steps to be protected and will not notice the security layers at all. To them Threema is simply a fast, feature-rich messenger (polls, group chats, file transfer and much more).

Anonymity also gets special attention. In most chat apps you reach a person by phone number, full name or e-mail address. Here the identifier is a randomly generated ID.

To make sure you are talking to the right person, you can scan that person's QR code, which stops an attacker from passing themselves off as someone else. The same check can be done by comparing the public-key fingerprint.

It also matters that the software is developed by an independent company based in Switzerland. It has no outside sponsors, and its servers are subject to Swiss law rather than to foreign government demands, which are usually made in order to obtain personal data.

Availability

The app is distributed on a paid basis. Buy it once in the App Store for Apple devices, in Google Play for Android smartphones or in the Microsoft Store for Windows Phone devices. There is also a limited web version.

Setup and first launch are covered in the article "How to use Threema".

Android

You cannot download Threema for Android for free from the Play Store; it is sold there for 199 rubles. The payment is one-off, and there is no subscription to renew.

Buy on Google Play

iOS

On iPhone, iPod touch and iPad the only supported way to get the app is to buy it in the App Store for 229 rubles. Installing it through a jailbreak is an extremely unsafe option and defeats the purpose of a security-focused messenger.

Buy on the App Store

Windows Phone

Software vetted for the Windows Phone platform is published in the Microsoft Store, and this messenger is among it.

Download from the Microsoft Store

PC

There is no free desktop download of Threema either. Its functions are available through the web version, which only works together with the app on your mobile device. To open it, go to https://web.threema.ch/#/welcome/ and scan the QR code shown there from the app.

Threema Web is a web client for Threema, a privacy-focussed end-to-end encrypted mobile messenger hosted and developed in Switzerland. With Threema Web, you can use Threema on your Desktop without compromising security.

https://web.threema.ch/

Threema Web establishes a connection between Desktop and mobile device using WebRTC (Android) or encrypted WebSockets (iOS). Signaling and data is end-to-end encrypted with SaltyRTC.

For more information, see the Threema Cryptography Whitepaper.

If you find a bug in Threema Web or want to request a new feature, feel free to open an issue on GitHub. Please make sure that your bug report or feature request hasn’t already been filed by using the search function.

Express your personal opinion regarding priority by reacting with 👍 in a particular issue, such as this one. We will factor this in when scheduling what to do next.

We may occasionally deploy experimental branches on https://web-beta.threema.ch which you are encouraged to test. If you encounter problems, please open an issue and include the experiment’s version number (e.g. 1.2.3-experiment-beta4).

If you want to help translating Threema Web to your language, please check out TRANSLATING.md!

Protocol

The protocol used to communicate between the Threema app and Threema Web is documented here.

Threema Web is written using TypeScript and AngularJS 1. Dependencies are managed with npm. You currently need Node.js 8 or later to build Threema Web. (Note that Node.js is only a build dependency, the result is plain old client-side JavaScript.)

Install development dependencies:

npm install 

Run the dev server:

npm run devserver 

Then open the URL in your browser:

firefox http://localhost:9966 

(Note that this setup should not be used in production. To run Threema Web on a server, please follow the instructions at docs/self_hosting.md.)

To run unit tests:

npm run build:unittests && npm run testserver
firefox http://localhost:7777/tests/testsuite.html

To run UI tests:

npm run build  # Required for CSS to be rebuilt
npm run test:ui

For example:

npm run test:ui firefox
npm run test:ui chrome

You can also filter the test cases:

npm run test:ui firefox emoji 

To run linting checks:

npm run lint 

You can also install a pre-push hook to do the linting:

echo -e '#!/bin/sh\nnpm run lint' > .git/hooks/pre-push
chmod +x .git/hooks/pre-push

The configuration of Threema Web can be tweaked in src/config.ts:

General

  • SELF_HOSTED: Set this to true if this instance of Threema Web isn’t being hosted on web.threema.ch.
  • PREV_PROTOCOL_LAST_VERSION: When the Threema Web protocol version changes, this can be set to the last version of Threema Web that supported the previous protocol version. If set to something different than null, a message will be shown to the user if reconnecting fails.

SaltyRTC

  • SALTYRTC_HOST: Set this to the hostname of the SaltyRTC server that you want to use. If set to null, the hostname will be constructed based on the SALTYRTC_HOST_PREFIX and the SALTYRTC_HOST_SUFFIX values.
  • SALTYRTC_PORT: The port of the SaltyRTC server to be used.
  • SALTYRTC_SERVER_KEY: The public permanent key of the SaltyRTC server. Set this value to null if your server does not provide a public permanent key, or if you don't want to verify it. Note that with null the client cannot authenticate the signaling server at all, so on a self-hosted instance keep it set whenever the server has a permanent key.

ICE

  • ICE_SERVERS: Configuration object for the WebRTC STUN and ICE servers.

Push

  • PUSH_URL: The server URL used to deliver push notifications to the app.

For instructions on how to host your own version of Threema Web, please refer to docs/self_hosting.md.

Contributions to Threema Web are welcome! Please open a pull request with your proposed changes.

Every Threema Web release will be tagged. The git tags are cryptographically signed using the following PGP key. When verifying a tag (git tag -v), check that the fingerprint reported by gpg matches this one, not merely that the signature is "good":

pub   rsa4096 2016-09-06 [SC] [expires: 2026-09-04]
      E7AD D991 4E26 0E8B 35DF  B506 65FD E935 573A CDA6
uid           Threema Signing Key

The public key can be found on Keybase.

If you discover a security issue in Threema Web, please follow responsible disclosure and report it directly to Threema instead of opening an issue on GitHub. You can find the security e-mail as well as the PGP public key at https://threema.ch/en/contact.

Threema Web license:

Threema Web. Copyright © 2016-2019 Threema GmbH (https://threema.ch/).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see .

For third party library licenses, see LICENSE-3RD-PARTY.txt.


Threema
Developer(s): Threema GmbH
Initial release: December 2012[1]
Stable release: iOS 4.3.2 / August 13, 2019[2]; Android 4.11 / August 19, 2019[3]
Written in: Objective-C (iOS), Java (Android), C, .NET (Windows Phone)
Operating system: iOS, Android, Windows Phone
Available in: English, German, French, Spanish, Italian, Russian, Brazilian Portuguese, Polish, Rumantsch Grischun
Type: Encrypted instant messaging
License: Proprietary[4]

Threema is a proprietary, end-to-end encrypted instant messaging application for iOS, Android and Windows Phone.[5] In addition to text messaging, users can make voice calls and send multimedia, locations, voice messages and files.[6]

The Threema app can be used anonymously as it does not require any personally identifiable information, such as a phone number or e-mail address.[7]

Threema is developed by the Swiss company Threema GmbH.[8][9] The servers are located in Switzerland and the development is based in the Zürich metropolitan area. As of April 2017, Threema had 4.5 million users.[10]

History

Threema was founded in December 2012 by Manuel Kasper.[11] The company was initially called Kasper Systems GmbH.[12] Martin Blatter and Silvan Engeler were later recruited to develop an Android application, which was released in early 2013.[13]

In summer 2013, the Snowden leaks helped create interest in Threema, boosting the user numbers to the hundreds of thousands.[14] When Facebook took over WhatsApp in February 2014, Threema gained 200,000 new users, doubling its user base in 24 hours.[15] Around 80% of those new users came from Germany. By March 2014 Threema had 1.2 million users.[13]

In spring 2014, operations were transferred to the newly created Threema GmbH.[12][16]

In December 2014, Apple listed Threema as the most-sold app of 2014 at the German App Store.[17]

Features

Threema uses a user ID, created by a random generator on the first app launch, instead of requiring a linked e-mail address or phone number to send messages. It is possible to find other users by phone number or e-mail address if the user allows the app to synchronize their address book.[18] Linking a phone number or e-mail address to a Threema ID is optional, so the service can be used anonymously. Users can verify the identity of their Threema contacts by scanning each other's QR code when they meet in person. The QR code contains the user's public key, which is cryptographically tied to the ID and does not change during the lifetime of the identity.[19] With this check, users can make sure they hold the correct public key for their chat partners, which protects against a man-in-the-middle attack that substitutes a key. Threema has three verification levels (trust levels of the contact's identity); the level of each contact is displayed in the app as dots next to the contact.

Users can make voice calls and send text messages, multimedia, locations, voice messages and files of any type (up to 50 MB per file).[6][20] It is also possible to create polls in personal or group chats.[21] With Threema Web, a client for web browsers, Threema can be used from other devices such as desktop computers. Threema optionally supports Android Wear smartwatches and Android Auto.[22]

Related products

On March 20, 2015, Threema released a gateway for companies. Similar to an SMS gateway, businesses can use it to send messages to their users who have Threema installed.[23] The code for the Threema Gateway SDK is open for developers and available on GitHub.[24]

On May 25, 2016, Threema Work, a corporate version of Threema, was released. Threema Work offers extended administration and deployment capabilities.[25]

Privacy

Since Threema's servers are located in Switzerland, they are subject to the Swiss federal law on data protection. The data center is ISO/IEC 27001-certified.[26] Linking a phone number and/or e-mail address to a Threema ID is optional; when doing so, only checksum values (HMAC-SHA256 with a static key) of the e-mail address and/or phone number are sent to the server.[27] Because the static key is the same for every client, it provides no secrecy: given the small number of possible digit combinations in a telephone number, the number behind a checksum can be recovered by brute force. The transmitted data is TLS-secured. The address book data is kept only in the volatile memory of the server and is deleted immediately after synchronizing contacts.[28] A user who has linked a phone number or e-mail address to their Threema ID can remove it at any time.[29] Should a user ever lose their device (and with it their private key), they can revoke their Threema ID if a revocation password for that ID has been set.[30]

Groups are solely managed on users’ devices and group messages are sent to each recipient as an individual message, encrypted with the respective public key. Thus, group compositions are not exposed to the server.[31]

Data (including media files) stored on the users' devices is encrypted with AES-256. On Android, it can additionally be protected by a passphrase.[32]

Since 2016, Threema GmbH publishes a transparency report where public authority inquiries are disclosed.[33]

On 9 March 2017 Threema registered itself in the "Register of organizers of information dissemination in the Internet" operated by the Federal Service for Supervision of Communications, Information Technology and Mass Media of the Russian Federation.[34] According to the Russian Federal Law of 6 July 2016 No. 374-FZ "On Amending the Federal Law on Counteracting Terrorism and Other Legislative Acts of the Russian Federation in terms of Additional Measures on Counteracting Terrorism and Maintaining Public Safety" from 1 July 2018 organizers of information dissemination will be obliged to retain in the territory of the Russian Federation the Internet users' text messages, voice information, images, sounds, video and other electronic messages for up to six months following the end of their reception, transmission, delivery and (or) processing (i.e. shall retain the content of communication). Organizers of information dissemination shall disclose this information to authorized state agencies that perform investigative activities or ensure national security.[35]

In a response, a Threema spokesperson publicly stated: "We operate under Swiss law and are neither allowed nor willing to provide any information about our users to foreign authorities."[36]

Architecture

The entire communication via Threema is end-to-end encrypted. During the initial setup, the application generates a key pair and sends the public key to the server while keeping the private key on the user's device. The application then encrypts all messages and files that are sent to other Threema users with their respective public keys.[38][39] Once a message is delivered successfully, it is immediately deleted from the servers.[40]

The encryption used by Threema is based on the open-source NaCl library. Threema uses asymmetric, ECC-based encryption with 256-bit keys. Threema offers a "Validation Logging" feature that makes it possible to confirm that messages are end-to-end encrypted using the NaCl Networking and Cryptography library.[41] In August 2015, Threema was subjected to an external security audit.[42] Researchers from cnlab confirmed that Threema provides secure end-to-end encryption and stated that they were unable to identify any weaknesses in the implementation. The cnlab researchers also confirmed that Threema provides anonymity to its users and handles contacts and other user data as advertised.[43][44]

Reception

In February 2014, German consumer organisation Stiftung Warentest evaluated several data-protection aspects of Threema, WhatsApp, Telegram, BlackBerry Messenger and Line. It considered the security of the data transmission between clients, the services' terms of use, the transparency of the service providers, the availability of the source code and the apps' overall availability. Threema was the only app rated as 'non-critical' (unkritisch) in relation to data and privacy protection, but lost marks due to its closed-source nature.[45]

Along with Cryptocat and Surespot, Threema was ranked first in a study evaluating the security and usability of instant messaging encryption software, conducted by the German PSW Group in June 2014.[46]

In October 2014, Threema won the "connect App Awards 2014" for being the best app of the year.[47]

As of November 2015, Threema had a score of 6 out of 7 points on the Electronic Frontier Foundation's since-withdrawn "Secure Messaging Scorecard". It received points for encrypting communications in transit, encrypting communications with keys the provider does not have access to (i.e. end-to-end encryption), making it possible for users to independently verify their correspondents' identities, keeping past communications secure if the keys are stolen (i.e. forward secrecy), having a well-documented security design and having completed an independent security audit. It missed one point because its source code is not open to independent review (i.e. it is not open source).[48]


Threema Web establishes a direct connection between Desktop and mobile device using WebRTC. Signaling is end-to-end encrypted with SaltyRTC. If both devices are in the same network, no server is involved when synchronizing messages between the devices, and the digital footprint is reduced to the bare minimum.

For more information, see the Threema Web Whitepaper.

Development

Threema Web is written using TypeScript and AngularJS 1. Dependencies are managed with npm.

Install development dependencies:

npm install

Run the dev server:

npm run serve:live

Then open the URL in your browser:

chromium http://localhost:9966

(Note that this setup should not be used in production. To run Threema Web on a server, please follow the instructions at docs/self_hosting.md.)

Testing

To run tests:

npm run build
chromium tests/testsuite.html

To run linting checks:

npm run lint

You can also install a pre-push hook to do the linting:

echo -e '#!/bin/sh\nnpm run lint' > .git/hooks/pre-push
chmod +x .git/hooks/pre-push

Configuration

The configuration of Threema Web can be tweaked in src/config.ts:

General

  • SELF_HOSTED: Set this to true if this instance of Threema Web isn't being hosted on web.threema.ch.

SaltyRTC

  • SALTYRTC_HOST: Set this to the hostname of the SaltyRTC server that you want to use. If set to null, the hostname will be constructed based on the SALTYRTC_HOST_PREFIX and the SALTYRTC_HOST_SUFFIX values.
  • SALTYRTC_PORT: The port of the SaltyRTC server to be used.
  • SALTYRTC_SERVER_KEY: The public permanent key of the SaltyRTC server. Set this value to null if your server does not provide a public permanent key, or if you don't want to verify it. With null the client cannot authenticate the signaling server, so keep it set whenever the server has a permanent key.

ICE

  • SALTYRTC_STUN: Configuration object for the WebRTC STUN server.
  • SALTYRTC_TURN: Configuration object for the WebRTC TURN server.

Push

  • PUSH_URL: The server URL used to deliver push notifications to the app.

Self Hosting

For instructions on how to host your own version of Threema Web, please refer to docs/self_hosting.md.

Contributing

Contributions to Threema Web are welcome! Please open a pull request with your proposed changes.

Security

Every Threema Web release will be tagged. The git tags are cryptographically signed using the following PGP key:

pub   rsa4096 2016-09-06 [SC] [expires: 2026-09-04]
      E7AD D991 4E26 0E8B 35DF  B506 65FD E935 573A CDA6
uid           Threema Signing Key

If you discover a security issue in Threema Web, please follow responsible disclosure and report it directly to Threema's security e-mail address instead of opening an issue on GitHub. Reports can be encrypted to the following key:

pub   rsa4096 2017-02-08 [SC] [expires: 2022-02-07]
      677E 0E97 1669 53B3 2620  D95C 71B9 C6BA C55A 9855
uid           Threema Security

You can find both public keys and their proofs on keybase.

License

Threema Web. Copyright © 2016-2017 Threema GmbH (https://threema.ch/).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see .

Sources used:

  • https://xn--d1ababe6aj1ada0j.xn--p1acf/threema/messendzher-threema
  • https://github.com/threema-ch/threema-web
  • https://search.deepweb.to/wiki/threema
  • https://devhub.io/repos/threema-ch-threema-web
