Why ChatMail is More Private and Secure than Threema

ChatMail   |   January 15, 2023

"Threema can only be as secure as the device that it is running on." This statement appears in Threema’s own FAQ, under the entry "How do you protect yourself against man-in-the-middle (MITM) attacks with Threema?" Millions trust their privacy to Threema without knowing they’re at risk.

Device security is a major difference between ChatMail™ and Threema. To make ChatMail resilient to hacking, we use device hardening—stripping away the vulnerabilities built into all smartphones. Below we compare Threema and ChatMail side by side.

The Importance of a Proper Key Verification Protocol

Threema says MITM attacks can be prevented by scanning your contacts’ QR codes, noting, “You can be sure that it wasn’t spoofed or read by a third party (provided contact’s device wasn’t stolen or hacked).” – It really says that!

Users are directed to scan a contact’s QR code by photographing it with their camera, presumably in person, straight from the contact’s phone screen.

However, if you are not physically together, confirming a contact’s ID means obtaining their QR code some other way, perhaps by email or through another messaging app.

This puts Threema users at risk of receiving a maliciously crafted QR code from an attacker, who could then assume the identity of the person you intend to speak with.

ChatMail automatically verifies your contacts with their public identity key. As our website notes, there is no need to manually verify keys. You generate your own cryptographic keys, which can be done with the click of a button.

A different set of encryption keys is used for each contact, and each message is verified against MITM attacks.

ChatMail does not allow a user to communicate unless the recipient has the correct identity key present.

Our encrypted calling uses ECDHE with X25519, which suits mobile devices because it is fast, together with TLS 1.2 ciphers. For MITM protection we utilise a verbal verification process. This keeps calls private and secure, away from prying eyes on the public internet.

Threema Can’t Protect You From The Other Apps On Your Phone

“When it comes down to it, 81% of developers believe iOS and Android standard security measures aren’t sufficient to protect mobile apps.” This grim statistic was reported by SC Media, a reputable blog for cybersecurity professionals.

Threema unequivocally states, “Malware that runs in the background on your device can intercept and falsify data without being noticed.” Nonetheless, the software developer allows the use of all third-party apps on the device you use to host Threema.

Threema states that a user’s private key is stored on their mobile device “in such a way as to prevent access by other apps on the same device, or by unauthorized users.” Because neither Android nor iPhone gives you full control of the device, it remains at risk of exploitation by other apps.

You can’t trust a third-party app on your phone to provide security if the other apps on it can serve as attack vectors. Therefore, ChatMail blocks third-party apps altogether. It’s the only way to ensure you won’t get malware or spyware on your phone.

If Pegasus spyware gets onto your phone (a greater concern for iPhone users, but one that affects Android users too), the encryption no longer matters: anything you share through a messaging app like Threema can potentially spread the spyware, or other malware, to your contacts without their knowledge.

The Top Trajectory For Malicious Actors

“Web applications are the number one vector for cyberattacks,” according to the latest research published in the 2022 Data Breach Investigations Report.

A web app is accessed through a web browser. Threema has a web client that requires users to scan a QR code to gain access to it. The web client is a browser-based interface connected to the mobile device running the Threema app.

You need to have both Wi-Fi and Bluetooth enabled to use Threema’s web client app.

Web browsing is blocked on ChatMail because of the exposure and the vulnerabilities it introduces. Bluetooth, GPS, and open Wi-Fi access are also removed. So is NFC. Everything that requires web browsing access has also been disabled. Our custom OS goes even further by offering a de-Googled alternative for your device to further guarantee anonymity.

Questionable Security and Privacy

Threema is coming under fire for downplaying a Swiss PhD student’s thesis on the inherent vulnerabilities of the app. This is also considered a slap in the face to the group of academic researchers from the Applied Cryptography group at ETH Zurich, who identified seven weaknesses in Threema that put over 10 million users at risk of exploitation.

Threema says the exposures were never really a threat. A professor involved in the study called the response "unexpectedly dismissive". ETH Zurich is known for its cutting-edge research and is considered one of the world's leading universities in science and technology. Two months after the researchers informed Threema of the findings, the app maker said they had resolved the issues.

Threema updated its guidance for users regarding their reuse of ephemeral keys, noting, “To also protect received messages with Perfect Forward Secrecy, ask the contact to activate this option in your contact details on their end.” Threema says PFS will be activated by default in an upcoming update.

Relying on a contact to protect you is not a solution. Implemented correctly, as it is in ChatMail, PFS isolates the encryption of each transaction so that a future exploit or security breach cannot compromise your communications, personal information, or data – whether current or past.

Bleeping Computer summarized these vulnerabilities:

  • Ephemeral key compromise impersonation – An attacker can forever impersonate a client to the server by stealing their ephemeral key. Also, instead of using ephemeral keys only once, Threema appeared to be reusing them.
  • Vouch box forgery – An attacker can trick a user into sending them a valid vouch box, and then use it to impersonate the client to the server forever.
  • Message reordering and deletion – A malicious server can forward messages from one user to another in arbitrary order, or withhold delivery of specific messages, which amounts to deletion.
  • Replay and reflection attacks – The message nonce database on the Android version of Threema isn't transferable, opening the way to message replaying and reflection attacks.
  • Kompromat attack – A malicious server can trick the client into using the same key while talking to the server during the initial registration protocol and while talking to other users in the E2E protocol.
  • Cloning via Threema ID export – An attacker can clone other people's accounts on their device during windows of opportunity like the victim leaving their device unlocked and unattended.
  • Compression side-channel – A vulnerability in Threema's encryption allows attackers to extract a user's private key by controlling their own username and forcing multiple backups on Android devices. The attack can take a few hours to execute.
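The calling section above describes ECDHE with X25519 plus a verbal verification step against MITM, and the PFS discussion together with the ephemeral-key-reuse finding in the list above explains why per-session keys matter. The following added example (written for this page; it is not ChatMail’s or Threema’s code) implements X25519 from RFC 7748 in pure Python and uses it to show three things: an honest exchange where both sides derive the same key and the same spoken six-digit code; a relay that substitutes its own keys and can read both legs, which the mismatched codes expose; and why fresh ephemeral keys give every session a distinct key while a reused key pair gives the same key every time. The function names, the SHA-256 key derivation and the six-digit code format are choices made for the example, not the protocol either product uses.

```python
"""Added example: ephemeral X25519 agreement, per-session keys and a spoken
short authentication string (SAS). Not ChatMail's or Threema's code; the key
derivation and SAS format are constructed for illustration only."""
import hashlib
import secrets

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (A - 2) / 4 for the Montgomery form
BASEPOINT = b"\x09" + b"\x00" * 31


def x25519(k, u):
    """Scalar multiplication on Curve25519 (RFC 7748 section 5), pure Python.
    Slower than a native library, but dependency-free and exact."""
    kb = bytearray(k)
    kb[0] &= 248          # clamp the scalar as the RFC requires
    kb[31] &= 127
    kb[31] |= 64
    scalar = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127         # ignore the unused top bit of the u-coordinate
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):       # Montgomery ladder, one step per bit
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv=None):
    """(private, public) pair; a fresh random scalar each call makes it ephemeral."""
    priv = priv if priv is not None else secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def session_key(my_priv, my_pub, peer_pub):
    """Hash the ECDH output with both public keys (sorted so both sides agree),
    binding the key to exactly the keys exchanged. Constructed KDF."""
    shared = x25519(my_priv, peer_pub)
    transcript = b"".join(sorted((my_pub, peer_pub)))
    return hashlib.sha256(b"session-key" + transcript + shared).digest()


def short_auth_string(key):
    """Six digits each party reads aloud; they match only if the keys match."""
    digest = hashlib.sha256(b"sas" + key).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def honest_exchange():
    """Alice and Bob exchange their real public keys: same key, same code."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ka = session_key(a_priv, a_pub, b_pub)
    kb = session_key(b_priv, b_pub, a_pub)
    return {"same_key": ka == kb,
            "sas_match": short_auth_string(ka) == short_auth_string(kb)}


def mitm_exchange():
    """A relay replaces each party's public key with its own: both legs complete
    and the relay can read both, but the two ends hold different keys, so the
    spoken codes disagree. That disagreement is what the verbal check detects."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m1_priv, m1_pub = keypair()    # shown to Alice in place of Bob's key
    m2_priv, m2_pub = keypair()    # shown to Bob in place of Alice's key
    ka = session_key(a_priv, a_pub, m1_pub)
    kb = session_key(b_priv, b_pub, m2_pub)
    relay_reads_both = (session_key(m1_priv, m1_pub, a_pub) == ka
                        and session_key(m2_priv, m2_pub, b_pub) == kb)
    return {"same_key": ka == kb,
            "sas_match": short_auth_string(ka) == short_auth_string(kb),
            "relay_reads_both": relay_reads_both}


def forward_secrecy_demo(sessions=3):
    """Fresh ephemeral pairs give every session its own key; reusing one pair
    (the key-reuse finding listed above) yields the same key each time, so one
    private-key compromise unlocks every past and future session."""
    a_static, b_static = keypair(), keypair()
    reused = {session_key(a_static[0], a_static[1], b_static[1])
              for _ in range(sessions)}
    ephemeral = set()
    for _ in range(sessions):
        a, b = keypair(), keypair()
        ephemeral.add(session_key(a[0], a[1], b[1]))
    return {"distinct_keys_reused_pair": len(reused),
            "distinct_keys_ephemeral": len(ephemeral)}


if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("relay :", mitm_exchange())
    print("pfs   :", forward_secrecy_demo())
```

Run it as a script to see the three dictionaries; the honest exchange reports matching keys and codes, the relayed one reports mismatched keys with the relay able to read both legs, and the forward-secrecy demo reports one distinct key for the reused pair against one per session for ephemeral pairs. The x25519 function can be checked against the RFC 7748 section 6.1 vectors before trusting anything built on it.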

Ars Technica Security Editor Dan Goodin said the discoveries “seriously call into question the true level of security the app has offered” for the last decade.

If You Can Clone Your Phone With a QR Code, Others Can Too

Your messages and data are not private if others can access them. Authorities in many countries around the world have the right to search your phone at border crossings. If you don’t unlock your device, they can detain you. If you have biometric access to your device, what’s stopping border agents from using it?

Threema uses multiple QR codes. You can display your own ID or confirm a contact’s ID and add their Threema ID to your contact list using QR codes.

If you want to use Threema on multiple devices, you can create an ID export using a QR code. This is one of the potential exploits the ETH Zurich researchers identified.

ChatMail doesn’t use QR codes or biometrics to access your device. ChatMail recognizes other encrypted contacts, and your device automatically downloads their public key.

In case you are ever compelled to unlock your device, ChatMail lets you set a duress password in your profile settings in advance; entering it wipes the device on demand.

Don’t Trust Apps If You Can Export Chats Outside of the Device

Users of Threema expect their chats to be private and secure. However, the Export Chat feature lets you save any message, photo, media file, chat, contact, group, and your user ID outside of Threema. These are saved as ZIP files that can be opened on macOS or Windows. As Windows is a frequently exploited operating system, this is a further risk.

ChatMail security protocols eliminate the ability to export confidential conversations. This means users cannot take screenshots of messages or images or send messages outside of ChatMail. Messages and any embedded images expire automatically, but you can choose to set a timer for early deletion across all recipient devices.

Privacy Is Worth Paying For

We agree with Threema’s homepage statement, “If you don’t pay with money for a service, you pay with your data instead.” However, unlike Threema, all ChatMail users benefit from our world class privacy and security. For example, a regular individual Threema user’s level of encryption verification is lower than that of Threema Work users, and Threema Work itself comes in three different tiers. We believe it is our duty to protect our customers by being the experts and providing them all with the same level of defense against threats to their mobile communications, rather than making them choose.

We also agree, “Messengers based on the Matrix protocol…[have] considerable privacy drawbacks. For example, messages and metadata are permanently stored on all involved servers, which means that every server operator is able to track who communicates with whom at what point in time.”

Among all the encrypted messaging and calling apps that tout privacy and security, only ChatMail proves its encryption with a live data extraction. Contact us to set up a demonstration for your enterprise organization.

ChatMail™. Engineered for Security. Designed for Privacy.