Threema protocol analysis

I spent the last weeks analyzing the protocol used by the mobile messaging application Threema. It’s a custom protocol with some similarities to CurveCP. Just like CurveCP it uses the NaCl library to encrypt packets.

You can read about the results of my analysis in this paper.

During my analysis I focused on understanding the protocol. In my paper I’m neither judging whether the protocol includes any weaknesses nor if the application contains some implementation mistakes. Nevertheless, the protocol seems to be well designed.

I’d like to thank Kasper Systems GmbH, the company behind Threema, for removing the reverse-engineering paragraph from their End-User Software License Agreement.

I’ve published a repository with the latest version of the paper and the LaTeX source code on GitHub.