Academic researchers have discovered serious security holes in the core of Threema, an instant messenger whose Swiss-based developer claims to provide a level of security and privacy that "no other chat service" can offer.
Despite the company's claims and two independent security audits that Threema has undergone, the researchers report that the flaws completely undermine the assurances of confidentiality and identity verification that are the cornerstone of any program that is supposed to provide end-to-end encryption (E2EE).
Threema currently has more than 10 million users, including the Swiss government, the Swiss military, German Chancellor Olaf Scholz and other politicians from that country. Threema's developers tout it as a more secure alternative to Meta's WhatsApp Messenger. It is among the top Android apps in Switzerland, Germany, Austria, Canada and Australia. The application uses a custom encryption protocol that departs from established cryptographic practice.
Researchers from the Zurich-based research university ETH reported on Monday that they found seven vulnerabilities in Threema that seriously question the real level of security the app has offered over the years.
Two of the vulnerabilities do not require special access to a server or the Threema app to impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server, and the remaining two can be exploited when an attacker gains access to an unlocked phone.
"Overall, our attacks seriously undermine Threema's security claims," the researchers report. "All attacks are patchable, but in some cases significant redesign is needed."