Threema becomes open source and thus reveals the source code. “To celebrate, we are lowering the app price by 28. December by 50%”, the Messenger writes -Provider in the announcement. Threema already had documentation of the cryptographic process, now the complete inspection and release of the code follows.

According to Threema, the code is subject to the AGPLv3 license and is therefore generally freely available to users. For the time being, however, it can only be compiled reproducibly under Android. In this way you can ensure that Threema’s Android apps actually use the published code. Apple’s guidelines didn’t make it easy to offer reproducible builds, but they are working on them. The first announcement that Threema should become Open Source was made at the end of the summer, including the announcement of the entry of the investment company Afinum.

Security instead of data collection Since the messenger is still chargeable, it must of course not be simply set up again yourself. A license check prevents new Threema IDs from being created with the self-compiled apps. If you want to use a self-built app, you have to import a backup into the app with an existing ID that was previously created with a purchased Threema app. Only thanks to paying users is it possible to ensure privacy and security of the messenger without data collection or advertising, says Threema.

Threema uses the open source NaCl library for encryption. The correct application of the encryption could already be checked by manually checking the encrypted messages. The messenger uses two ways of encryption; The end-to-end encryption between the communication participants themselves and an additional encryption between the app and the server so that it cannot be found out by tapping network packets who is communicating with whom.

Threema is also working on offering a multi-device function. Since the own security requirements made this very difficult, the development is still taking. The provider has at least already stated that they want to try to use a “mediator server” that takes over the coordination. Several keys should be derived from the user ID in order to prevent the server from knowing which ID belongs to which device.

(emw)