Design a site like this with
Get started

Threema the Secure Messenger

Threema v. 4.6.2 on iOS, and v. 4.41 Build 3000635 on Android,  advertises that it is a secure communication application which can keep its user’s data away from hackers, corporations, and governments. They advertise that they keep very little data on the server. Threema writes that mobile user files are stored encrypted. To obtain more detailed information please visit . In my research here the backup data from Threema must be created and is password protected (set by user) on Android v. 7. The backup up data (Android v. 7) is created within the application itself, and is not present either in a full dump or a general device backup, unless the user creates the backup in the application.  Another feature the user can set on Android version is the ability to Auto-save to gallery, if this is selected the images (incoming or outgoing) are stored unencrypted. The user can also set a locking mechanism and a passphrase (used to unlock encryption) in the Security setting.  On iOS version the user can set an application passcode lock, and select to erase all data after 10 failed attempts. The user in the Media setting can select to automatically save media in “Photos” application. Finally, in the Advanced setting the user can select to collect a “Debug Log” which can be used to independently verify Threema’s end-to-end encryption.

To begin with, Threema is not a free application whether on Android or iOS. The application fee is $2.99, and the chats, under the conditions of this research, were found in state.  I purchased the Threema application through Google Play on my Samsung Galaxy S6 test device, running Android v. 7, this device is rooted. I also paid for the Threema application through the Apple App Store on my iPhone 7, running iOS 13.3.1, and is checkra1ned.

Starting with the Samsung Galaxy S6 device I opened the application and set up the account for Brian Thompson, profile of Brithomp55, then you are requested to draw a pattern to set up the user’s ID, Brian’s Threema ID is 2T6KCAJC, Key Fingerprint aa6b8015c8704c77fb93d4391Qaf97ea. Once Brian’s account was set up I proceeded to set up Lorie’s account.

Then I set up the account on the iPhone7 test device. I did not set any settings either on the Samsung Galaxy S6 or the iPhone 7. I used the application as is when it is downloaded.

Next, I began populating both devices with data. I started by sending a chat message from Brian Thompson’s acct. to Lorie Hermesdorf acct. Here in the chat you use the account user’s ThreemaID to send a text message. Then, I sent Brian Thompson a text message using Brian’s ThreemaID. Included in the message is an attached image file.

Now for the analysis. I will begin with,

 Threema on iOS

I created an iOS backup (encrypted) on my MacBookPro. I then downloaded the iBackupViewer v. 4.1600 application from the Apple store. I opened the iOS backup in iBackupViewer and selected file tree. I then located the folder in AppDomainGroup/ Upon opening the folder, I located a file ThreemaData.sqlite I exported this file to my MacBookPro desktop. Next, I opened this file using DB Browser for SQLite.

I also checked for the database in the ffs dump. I located it private/var/mobile/data/containers/Shared/AppGroup/

The artifacts are the same in both the backup database file and the database file contained in the ffs dump. You get the timestamps and messages in plaintext.

Further, there was a snapshot in ch.threema.iapp which contained the image that Brian sent to Lorie (ID W6ENEYNJ). See image below.

So, to sum up the iOS examination of Threema. The ThreemaData.sqlite file is available both in an iOS encrypted backup, and a ffs dump. The database itself is discovered in state. I have only examined the artifacts involved with text messages. This application can also handle calls.

Threema on Android

So, at first examination there were no artifacts located in the Threema folder. The threema4.db was identified as encrypted. Again, applications store their data differently not only by different versions, but the OS itself. See below.

So, I opened the application again on the Samsung Galaxy S6 test device running Android v. 7. I noticed that the user can create a backup. I selected to make a backup. When you create this backup, the user is prompted to create a password for the file. There is no way to disregard the password. (see image)

Since this device is rooted, I plugged it into my MSI Windows 10 computer to view the files. This time in the path /data/ there was a backup folder (see image below).

Now, I will use 7zip to decompress this folder. I am prompted for the password. These are the files contained within the backup folder. Interestingly, instead of a database there are individual files of the previous database tables (see image below).

Highlighted is the Message table (contained within a .csv file message_W6ENEYNJ). The filename contains the ThreemaID of Lorie Hermesdorf not Brian Thompson. Keep in mind this backup was created on the Samsung Galaxy S6 which is the device of Brian Thompson.  The message contents are in plaintext (see image below).

So, to sum up the Android analysis. It appears if the user creates a backup within the Threema application, the backup folder can be opened and viewed if the examiner knows the password of the folder.  Upon opening the folder, the examiner is presented with separate .csv files similar to the database structure tables. In the message_ThreemaID file the examiner will find timestamps and plaintext content of the messages.

I intend to conduct further research on this application by changing some settings and then checking for data storage changes. Again, the only operation of the Threema application that was examined is the text message capability. The telephony aspect was not examined.

I want to take a moment and thank Alexis Brignoni for reviewing this material for me!

Till next time….


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: