Threema protocol analysis

I spent the last few weeks analyzing the protocol used by the mobile messaging application Threema. It's a custom protocol with some similarities to CurveCP. Just like CurveCP, it uses the NaCl library to encrypt packets.

You can read about the results of my analysis in this paper.

During my analysis I focused on understanding the protocol. In my paper I judge neither whether the protocol includes any weaknesses nor whether the application contains implementation mistakes. Nevertheless, the protocol seems to be well designed.

I'd like to thank Kasper Systems GmbH, the company behind Threema, for removing the reverse-engineering paragraph from their End-User Software License Agreement.

I've published a repository with the latest version of the paper and the LaTeX source code on GitHub.


Hi, I'm Jan Ahrens. In this blog you can read about my thoughts on various technical topics.

As you might have already guessed: My opinions are my own and don't necessarily represent those of my employer.

If you want to contact me you can use my PGP key. Its fingerprint is 3762 1152 E099 AB27 04E8 3FD1 B911 E6A2 2B4F 3B5F.