User:Rehcappil/sandbox

Threema is an instant messaging application for smartphones. So far it is available only for iOS devices. A version for Android is announced for early May. Versions for Windows Phone, BlackBerry and Symbian are planned for the period after the completion of the Android version. In addition to text messages, users can send each other images, videos and locations. Group chat is already in development and will be published in a later version. Threema is a Swiss product; consequently, all servers are located in Switzerland.

Security
Threema distinguishes itself by being very safe. Threema uses 255-bit asymmetric elliptic curve cryptography (ECC), which is comparable to 2048-bit RSA. This key is used to derive a unique 256-bit symmetric key for every single message. The XSalsa20 stream cipher finally encrypts the message. Moreover, the communication between the server and the device is encrypted. A 128-bit message authentication code is added to the message to detect manipulation, as well as a random amount of padding so that no inferences can be made about the content.

Usability
When the application is first started, users have to create their own keys by moving a finger on the display. You can link your mobile phone with your mobile phone number and your e-mail address. Next to every contact is a verification level (dots). The dots indicate how high the confidence is that the stored public keys really belong to your contacts. They have no effect on the encryption strength. Without checking the public key, a man-in-the-middle attack cannot be excluded.
 * One dot is coloured; it is red. You got the ID and the public key from the server. There is no match with your address book. You can't be sure that the person is who they claim to be in their messages.
 * Two dots are coloured; they are orange. There is a match with a phone number or e-mail address in your address book. You can be pretty sure that the person is who they claim to be in their messages.
 * Three dots are coloured; they are green. You have checked the ID and the public key by scanning their QR code. Unless the device has been hacked, you can be pretty sure that the person is who they claim to be.

Privacy
Threema offers the option of synchronizing contacts. Instead of uploading the whole contact, the application sends a hash to the server to check whether there is a matching user who is already in your contact list. After this comparison the hashes are deleted. In addition, all messages are erased after their successful delivery. During this time they are stored only in RAM.
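
The following sketch ties together the hash-based contact synchronization described here and the three verification levels from the Usability section. It is an added example, not Threema's own code: the use of SHA-256, the normalization of identifiers, and all class, function and sample names are assumptions.

```python
import hashlib
import hmac

RED, ORANGE, GREEN = 1, 2, 3  # number of coloured dots, as listed above

def contact_hash(identifier):
    """Hash a normalized phone number or e-mail (assumption: plain SHA-256)."""
    s = identifier.strip().lower()
    if "@" not in s:
        s = "".join(ch for ch in s if ch.isdigit())  # keep digits only
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

class DirectoryServer:
    """Hypothetical server: maps identifier hashes to (ID, public key)."""
    def __init__(self):
        self._by_hash = {}

    def register(self, user_id, public_key, identifiers):
        for ident in identifiers:
            self._by_hash[contact_hash(ident)] = (user_id, public_key)

    def match(self, hashes):
        # Answers from the lookup table only; uploaded hashes are not stored.
        return [self._by_hash[h] for h in hashes if h in self._by_hash]

def sync_contacts(address_book, server):
    """Upload hashes only; every match starts at two dots (orange)."""
    hashes = [contact_hash(entry) for entry in address_book]
    return {uid: (key, ORANGE) for uid, key in server.match(hashes)}

def add_unknown_sender(contacts, user_id, public_key):
    """ID and key came from the server, no address-book match: one dot (red)."""
    contacts.setdefault(user_id, (public_key, RED))

def verify_by_qr(contacts, scanned_id, scanned_key):
    """Raise to three dots (green) only if scanned ID and key match the stored ones."""
    if scanned_id not in contacts:
        return False
    stored_key, _ = contacts[scanned_id]
    if not hmac.compare_digest(stored_key, scanned_key):
        return False  # server-supplied key differs from the one shown in person
    contacts[scanned_id] = (stored_key, GREEN)
    return True

# Constructed sample data: IDs, keys and contact details are made up.
server = DirectoryServer()
server.register("AAAA1111", b"\x01" * 32, ["+41 79 000 00 01", "alice@example.org"])
contacts = sync_contacts(["+41790000001", "carol@example.org"], server)
```

A failed `verify_by_qr` leaves the contact at its previous level, which is the case the man-in-the-middle remark in the Usability section is about: the key delivered by the server is not the key the contact shows in person.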