Expert Analysis Reveals Cryptographic Weaknesses in Threema Messaging App

A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes.

What is Threema?

Threema’s end-to-end inner protocol, the one used to exchange messages between actual humans, is based on a single X25519 key, used bidirectionally. It has no forward secrecy. Worse, to prevent otherwise-trivial replay attacks made possible by the simplistic structure of the protocol, both sides have to cache every nonce they’ve seen used to encrypt a message. This breaks down when users change devices, which, due to the structure of the protocol, is trivially detectable.
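A minimal model of the replay defence described above, added here as an illustration and not taken from Threema's code or the paper. It assumes a constructed static shared secret in place of the X25519-derived key and uses an HMAC tag as a stand-in for NaCl's authenticated encryption; `seal`, `Device` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the long-term shared secret both parties derive
# from their static X25519 keys; it never rotates, so old messages stay valid.
SHARED_KEY = hashlib.sha256(b"constructed static shared secret").digest()


def seal(plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Sender side: fresh random nonce plus a tag binding nonce and body."""
    nonce = os.urandom(24)
    tag = hmac.new(SHARED_KEY, nonce + plaintext, hashlib.sha256).digest()
    return nonce, plaintext, tag


class Device:
    """Receiver holding the long-term key and a per-device nonce cache."""

    def __init__(self) -> None:
        self.seen_nonces: set[bytes] = set()

    def receive(self, nonce: bytes, body: bytes, tag: bytes) -> str:
        expected = hmac.new(SHARED_KEY, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        # The tag alone cannot tell a replay from a first delivery, because
        # the key is static; only the local cache of seen nonces can.
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "accepted"


def demo() -> list[str]:
    message = seal(b"transfer approved")
    old_phone, new_phone = Device(), Device()
    return [
        old_phone.receive(*message),  # first delivery
        old_phone.receive(*message),  # same bytes again: cache catches it
        new_phone.receive(*message),  # same key, empty cache after migration
    ]


if __name__ == "__main__":
    print(demo())  # ['accepted', 'rejected: replay', 'accepted']
```

The third result is the failure mode: unless the nonce cache is migrated along with the key, a device change silently discards the only state that distinguishes a replayed message from a new one.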

One form of their backup uses encrypted ZIPs, which reveal the names of the files they contain, and those file names apparently (according to the paper) reveal the identity of counterparties you’ve been talking to. Also: the ZIP library the client uses didn’t verify MACs, and while Threema fixed that, the maintainer of the ZIP library Threema chose hasn’t responded, which is worrying.

While Threema has been subjected to third-party code audits at least twice – once in 2019 and a second time in 2020 – the latest findings show that they weren’t thorough enough to uncover the problems present in the “cryptographic core of the application.”

“Using modern, secure libraries for cryptographic primitives does not, on its own, lead to a secure protocol design,” the researchers said. “Libraries such as NaCl or libsignal can be misused while building more complex protocols and developers must be wary not to be lulled into a false sense of security.”

Threema Safe compression is disabled in current app versions (Threema ≥5.0 for Android and Threema ≥4.8.5 for iOS), thus resolving this issue.

