
Messenger Threema resists security check (almost) without incidents


Togijak


Security researchers have examined the code of the Android and iOS apps of the encrypting messenger Threema and discovered no critical vulnerabilities.

The instant messenger Threema sends messages end-to-end encrypted and champions data protection and privacy. Now security researchers at the Münster University of Applied Sciences have examined the source code of the Android and iOS apps and the backup solution Threema Safe for security vulnerabilities.

By their own account, the investigation has not revealed any critical security gaps. However, the security researchers encountered two vulnerabilities classified as "medium". Some "low" gaps were also revealed. These have been closed by the developers in versions 3.62 (Android) and 4.1 (iOS).

If attackers exploited these vulnerabilities, they could, with some effort and only if the victim plays along, send the private key to another Threema user. In addition, it is conceivable that an attacker could read portions of passwords from a Threema Safe log file of the Android app.

Security check passed

Overall, the security researchers attest that the Threema developers take security and data protection very seriously: all security and data protection mechanisms are intact and effective, and the messenger behaves as described in the public documentation. Of course, an audit is not all-encompassing, and further security risks may arise later.

Further information on the audit process and the gaps found can be found in the detailed report of the security researchers.

https://threema.ch/press-files/2_documentation/security_audit_report_threema_2019.pdf

German source
