This secure messaging app comparison is going to look at one of the best in the downloadable app business—Threema—and compare it with our premium product SKY ECC. While both are quality messaging apps, there are ways in which they differ which clearly separate SKY ECC as a higher-quality solution.
Read this comparison to see what they both excel at, the weak areas you need to be aware of, and you decide which is going to be best for your secure messaging needs. There is a comparison table at the bottom which quickly shows the strengths and weaknesses of the apps using color-coded references that anyone can quickly understand.
Secure messaging app comparison: encryption used
Messaging apps are made secure by their encryption. Poor encryption, either the standard used or the implementation of it, makes an app vulnerable. End-to-end encryption is the standard, and both apps implement it well.
Threema isn’t specific about their encryption, but what I’ve been able to piece together is they use 256-bit ECC encryption algorithm that has been derived from the NaCl Networking and Cryptography library. This is a respected open-source encryption algorithm and is a good choice, but not the strongest choice available.
Problem with Threema’s encryption
An issue that Threema has with their encryption and security in general is that they don’t use perfect forward secrecy. Proper perfect forward secrecy is a specific key agreement protocol. The best feature of it is how it protects encrypted chats done in the past if long-term keys are compromised in the future.
This feature gap hurts Threema in our eyes, and in the eyes of many others. They are one of the few encrypted messaging apps to not have this, as you can see in the master secure app comparison sheet.
Encryption used by SKY ECC
SKY ECC also uses ECC encryption, but we use a 521-bit key and our own proprietary encryption algorithm. 256 bits versus 521 bits may not seem like much, but it will matter going forward as advanced and quantum computing change the encryption world again. Know this:
- SKY ECC isn’t twice as strong as a 256-bit NaCl implementation, it’s hundreds of times stronger because increasing key size increases the complexity of the encrypted text logarithmically not linearly.
- The 256-bit ECC we believe Threema uses has an RSA security bit equivalent of 3072 bits. That’s respectable, but lacks in comparison to the 15,360 RSA bits equivalence for our 521-bit ECC.
- The difference isn’t us being twice as secure from 256 to 521-bit ECC–it’s magnitudes more secure due to the math behind it all.
The use of ECC is the right decision for mobile applications as it uses smaller keys which are faster to encrypt and decrypt. This is important with messages containing larger files that need to be read quickly. Threema uses ECC, but they use a weaker version when compared to ours. See this table:
Secure messaging app comparison: hardware
Every app you download from an app store has the same problem: the hardware you install the app on is your phone, and it can only reach a certain level of security unless you’re an advanced user.
Threema, being an app which anyone can download onto a compatible device, is suspect right off the bat. Sure, your phone may be secure, but:
- How secure are your contact’s phones?
- How secure are other apps on your phone?
- Does your phone have kernel rollback protection?
- Are there OS backdoor issues on your phone?
- Are brute force protection tactics being used?
All of these questions add up to hardware choices with Threema being less than ideal no matter what you do. If you answered ‘no’ or ‘I don’t know’ to any of these questions then you could be vulnerable, so Threema is vulnerable.
A particular issue with Threema is that it does allow you to set a passcode to open the app, but I see no indication that it has brute force protection. See the screenshot below of how I made 60 failed passcode attempts and it never once stopped me.
SKY ECC limits attempts to 10 at most, with the second last guess requiring a CAPTCHA to be entered to stop automated brute force attacks, like I was doing manually above, completely. When the maximum number of attempts are reached, SKY ECC resets itself and deletes all its data from your phone. This is on top of device passcodes someone would have to get through first and not trigger the entire phone from resetting itself (SKY ECC and all).
SKY ECC’s hardware
In order to ensure top of the line security across all of our devices, SKY ECC is only installed on devices from these three manufacturers:
Each of these manufacturers use tamper-resistant chips which prevent kernel rollback, which is the bare minimum of protection that every phone should have but is rarely found on lower-quality devices. Even these manufacturers don’t always use these secure tools, so we choose their best.
We phase out older phones which have stopped having patches for security holes. Many of us loved using the iPhone 4, 5, and 6 here, but they had to be sunsetted once updates stopped coming as it was no longer a secure hardware choice.
Secure messaging app comparison: company backing
I used to be a big fan of Whatsapp for secure messaging for basic security needs. Then they were bought by Facebook and I knew that was the end for me. The company that owns an app plays a large role in how they operate and what their goals are. Threema and SKY ECC compare fairly well in this regard, starting with a look at their funding models for the app:
- Threema: This is a paid app, $4 here in Canada, which means that it is self-funded by the users. There are no investors, advertisers, or venture capitalists trying to make a buck off of users as the users themselves fund the app.
- SKY ECC: Users of SKY ECC fund the app. With no investors, advertisers, or anyone but SKY ECC and the users being a concern, we are free to create the best app possible without any pressure.
Where the company is located is also an issue to look at as local laws impact all types of data collection and privacy laws:
- Threema: Their location in Switzerland is a prime location due to their privacy laws relating to the internet. They have been pressured lately by the USA to change general privacy laws related to their famous banking regulations, and that is a bit concerning as who knows what they could potentially bend next.
- SKY ECC: The digital privacy laws of Canada are well established. Unlike our neighbors to the South, Canada has never been on the Reporters Without Borders “Enemies of the Internet” list. This is third-party verification of Canadian laws as private and fair.
The last aspect of judging a company comes down to company policies. These state how they want their app to be used, and how it cannot be used:
- SKY ECC: With the app collecting no data, and anonymous sign ups being quite easy as your SKY ECC ID is never associated with a phone number or email address, our policy is to not know your data so we can’t compromise your data. Even our Law Enforcement policy, a typically boring document no one reads, is so positive that it’s often the last page people read before heading to our online store.
Both apps are backed by good companies with good intentions. Threema certainly excels over WhatsApp and others as their privacy is much better. Their location in Switzerland is also an advantage over USA-based apps like Wickr in that they have both less surveillance and less influence from Silicon Valley venture capitalists.
Secure messaging app comparison: features
Perhaps the most important aspect of all of this is how the app itself is built and the features it uses to secure the messages and files of users. There are many different names for these features, but they usually boil down to:
- Contact approval: Threema does have this feature, but it is not on by default. This means that anyone can message you once they have your ID and will be added to your contact list as soon as they message you. You have to go into Settings > Privacy > Turn on the “Block Unknown” feature. This is a default setting for SKY ECC; you always control your contacts just as you always control your data.
- Photo storage: The default setting is for photos to be stored on the app itself, but users have the option to save images to camera roll. This might seem nice and convenient, but what if you really don’t want a photograph to be saved in such a public place on someone’s phone? SKY ECC doesn’t allow storing images (or notes) outside the app; all photos are stored within the app with no ability to move them out. When you send a photo to a SKY ECC user you know exactly where that photo will be. You can also revoke that image at any time, removing it from all devices simultaneously.
- Metadata: Both SKY ECC and Threema use 256-bit AES encryption to protect your metadata. This is a seldom-used step and both apps are smart to use it so that who you talk to, when, and for how long remains your business rather than being intercepted by snoopers.
- Self-destructing messages: Messages which self-destruct at pre-set times are quite valuable. They allow for messages which need to be seen and acted on, but not stored to be deleted automatically when sender decides. Threema does not have self-destructing messages, and claim they will never add it.
Threema do well with the features they have, but a lack of contact approval as the default, poor photo storage control, and no self-destructing messages makes Threema a weaker choice than SKY ECC when it comes to effective features.
The winner of this secure messaging apps comparison
Threema is a good app, but is a tough sell to the larger market as it is not free when other free apps are just as good as it. There are no truly stand-out features which would make someone choose it over Wickr, and it certainly doesn’t stack up against SKY ECC at all.
This quick comparison chart should make the choice pretty clear with the differences represented visually:
We can’t say that Threema is a bad app. It isn’t. There’s just no way that anyone could say that it measures up to the level of security and privacy offered by SKY ECC, especially with its lack of perfect forward secrecy, and how it can protect the most important people, their data, and their privacy.