Everything wrong with the Threema Desktop App

Threema launched their so-called Desktop app.

Let me say it plainly: calling every Electron-based program an "app" is nothing but cancer, because such a program is basically a browser, in this case Chrome or Chromium, that does nothing but render the web version. In my opinion this is not an app. It is more like a wrapper that renders a website, without any noticeable benefit for the end user. I see it as a step backward, not forward.

You can right-click on the pictures and open them in another tab to get better picture quality.

Overall problems with the Desktop app

  • A waste of space compared to the Android app, which you are forced to use anyway.
  • There is already the PWA release, so why release an app that does nothing? "Because Firefox does not support PWAs" is a weak argument, since the vast majority of browsers in use are Chromium-based.
  • There are already unofficial apps, more than one on GitHub and linked in the unofficial Threema forum.
  • The Electron framework is pure cancer regarding resource usage; alternatives exist that use less RAM and CPU. Why not use one of them instead of following the false hype around Electron is beyond me.
  • The Electron framework runs a browser, Chrome. Not everyone likes or appreciates that.
  • The PWA version, or let's just call it the web version to keep things simple, offers more functions than the official Desktop version.
  • The Desktop release seems to have been quickly stitched together; according to the issue tracker, another version, 2.0, is already planned.
  • No tray support and no autostart option.
  • No x86 version; at the moment only unofficial apps support x86. This is a minor thing, since most people use x64, but still.
  • No self-destructing messages, same as in the mobile apps. Signal has them, so why not Threema? Threema responded that they give a false sense of security, which is not entirely wrong, BUT eliminating possible issues is never a bad thing; better safe than sorry. On desktops the story is also different: most people do not use full-disk encryption, so the message history is readable from the disk, and screensaver timeouts are often set to 10 minutes, which can give an attacker with access to the machine enough time to screenshot your conversation. On desktop systems screenshots cannot easily be prevented unless some sort of DRM is implemented that the app uses, see Netflix.
  • Threema lists binaries for download without any checksum or other means of verification, i.e. no signatures and no reproducible builds. Most people expected more from Threema.

As you can see, there are neither checksums nor reproducible builds. More than unprofessional.
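For contrast, this is what a user can do once a vendor does publish SHA-256 sums. The following POSIX shell script is an added example, not Threema's or any unofficial app's tooling: it checks a downloaded file against a published digest, or looks the file up in a sha256sum-style SHA256SUMS file. The file name threema-desktop.deb and the digest used in the demo are constructed locally for illustration (the "download" is just the string "hello").

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a published SHA-256.
#   sha256_of FILE                  -> prints the hex digest of FILE
#   verify_sha256 FILE HEX          -> 0 on match, 1 on mismatch, 2 if hashing failed
#   verify_from_sums_file SUMS FILE -> same, looking FILE up in a sha256sum-style SUMS file

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1     # macOS / BSD fallback
  fi
}

verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file" 2>/dev/null)
  if [ -z "$actual" ]; then
    printf 'cannot hash %s\n' "$file" >&2
    return 2
  fi
  # Compare case-insensitively; vendors publish digests in either case.
  if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
    printf 'OK   %s\n' "$file"
    return 0
  fi
  printf 'FAIL %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
  return 1
}

verify_from_sums_file() {
  sums="$1"; file="$2"; name=$(basename "$file")
  # sha256sum lines look like "<hex>  <name>" (or "<hex> *<name>" in binary mode).
  expected=$(grep -E "^[0-9a-fA-F]{64} [ *]$name\$" "$sums" | head -n 1 | cut -d' ' -f1)
  if [ -z "$expected" ]; then
    printf 'no entry for %s in %s\n' "$name" "$sums" >&2
    return 2
  fi
  verify_sha256 "$file" "$expected"
}

# Constructed demo: a local file stands in for the download, its own digest for the published one.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/threema-desktop.deb"
printf '%s  threema-desktop.deb\n' 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 > "$demo/SHA256SUMS"
verify_from_sums_file "$demo/SHA256SUMS" "$demo/threema-desktop.deb"
rm -rf "$demo"
```

A caveat that belongs next to any such check: a digest published on the same server as the binary only detects a corrupted or truncated download. Whoever can swap the binary can swap the SHA256SUMS file too, so authenticity needs a signature over the sums from a key obtained through a separate channel, or reproducible builds that let anyone rebuild the release and compare digests.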

Cosmetic issues

You cannot change the background wallpaper, which gives you eye cancer. This is only possible in the mobile app.

I would even prefer a plain black background to this; sorry to say, but I do not think I am the only one who thinks so.

App settings are a joke

The screenshot is from the web version, which already has only a handful of options. Okay, we can argue whether that is good or bad, but the Desktop version has even fewer options than this screenshot shows.

People would usually expect some useful options, such as minimizing to the tray or auto-starting the app when the OS starts, some essential things, but sadly there is nothing here.

There are a bunch of programs and so-called apps

Why not contribute to the existing apps is beyond me. The unofficial forum is linked directly under the support page, so Threema is aware of the forum and basically supports it, directly or indirectly; which of the two plays no role.

Forum

None of those apps are apps; they are wrappers. All of them run Electron, alias Chrome, which is a resource hog. As if that were not enough, some of them include Google stuff.

Overall size of the desktop app

I took a screenshot from here; yes, it is the unofficial app, but the official one has the same or a similar size, so the argument holds across official and unofficial versions.

As you can see, over 70 MB for an app that does nothing but start Chrome and wrap the web version. Why should Firefox users, who hate or dislike Chrome, run Chrome apps? This makes no sense at all. This, together with the wasted RAM and CPU, is why I call Electron cancer.

Not available in the pamac and pacman store

Only an unofficial app is available in the Linux store that millions of people use and trust. There is no logic in releasing a .deb when most people use trusted stores. The store also has the benefit that you can compile or build it directly from the source code, which makes it better than downloading random binaries that you have to install manually. (Read the build script before building, though: an unofficial package is only as trustworthy as the person who submitted it and the source it fetches.)

I have not checked the Windows version, but I assume there is no Store version for the Windows release either.

Unofficial promoted apps use Google as fall-back for spelling and search

Keep in mind that those unofficial apps, regardless of being unofficial, are advertised in the unofficial forum, a forum that is linked directly under the Threema support website.

Inspecting the langhard version reveals some Google issues.

There was and is no warning or info that the apps shown in the forum are less private, which is why I dislike it.

There are also weird connections if you check the firewall. I will post more screenshots and info later when I have finished inspecting it; similar connections are also present in the official Desktop app. Someone else was faster.
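The inspection this section describes can be done statically before any connection is made: an Electron wrapper ships its JavaScript in resources/app.asar, which the asar CLI unpacks with asar extract app.asar unpacked/, and the unpacked tree can then be searched for third-party hosts. The script below is an added example of that search, not code from the langhard app or from Threema; the sample files it scans are constructed here to stand in for an unpacked app. To my knowledge the dictionary URL in the sample is the Chromium CDN that Electron's built-in spellchecker downloads Hunspell dictionaries from by default, and the Google suggest URL is a constructed stand-in for a search fall-back.

```shell
#!/bin/sh
# Added example: list Google-owned hosts referenced by an unpacked Electron app.
#   asar extract resources/app.asar unpacked/   (unpack step, done beforehand)
#   scan_google_hosts unpacked/                 (this script)
# Exit status is 1 when a host is found, so the check can gate a build script.
# The host list is an assumption for illustration; extend it for other vendors.
GOOGLE_HOST_RE='https?://[A-Za-z0-9.-]*(google|gstatic|googleapis|googleusercontent|gvt1)\.[a-z]+'

scan_google_hosts() {
  dir="$1"
  # -a: treat bundled binaries as text so -o still prints only the URL matches
  found=$(grep -rhoaE "$GOOGLE_HOST_RE" "$dir" 2>/dev/null | sed 's|^https\{0,1\}://||' | sort -u)
  if [ -z "$found" ]; then
    printf 'no Google hosts referenced under %s\n' "$dir"
    return 0
  fi
  printf 'Google hosts referenced under %s:\n' "$dir"
  printf '  %s\n' $found
  return 1
}

# Constructed sample standing in for an unpacked wrapper app (not real Threema or langhard code).
sample=$(mktemp -d)
cat > "$sample/main.js" <<'EOF'
// Electron's spellchecker fetches Hunspell dictionaries from here unless the app overrides it
const dict = "https://redirector.gvt1.com/edgedl/chrome/dict/";
fetch("https://www.google.com/complete/search?client=chrome&q=" + q);   // constructed search fall-back
fetch("https://web.threema.ch/");                                         // the host you expect
EOF
scan_google_hosts "$sample"
rm -rf "$sample"
```

Electron exposes ses.setSpellCheckerDictionaryDownloadURL(url) for pointing the dictionary download at a self-hosted mirror, so a wrapper that leaves the default in place has simply not thought about it. A static scan like this only shows what the code can contact; the firewall view the text mentions is still needed to see what it actually does at runtime.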

Relationship with Google across other apps like the Brave browser

First of all, the privacy community hates Google, and there are many reasons why. "Google products are undeniably secure but not private" is the main argument, and I support it too.

Brave and basically all other real Android apps use push, e.g. for rewards or ads, or in Threema's case to tell the app that new messages are waiting to be fetched. This is, among other reasons, why those apps are not on F-Droid. Threema has another system implemented as a fallback in case you are de-Googled, called polling. It is less efficient and has some drawbacks that I will not explain in depth here, because this write-up is about the flaws and failures of the Desktop release and not about push (FCM etc.) vs. polling. There are newer alternatives to FCM, created in 2021, such as UnifiedPush; the most popular and, afaik, first application that adopted UnifiedPush was FluffyChat.

Brave defends its decision to trust Google with the fact that it is reliable and proven to be secure. This might be true and there is not much to argue about, but Google might be able to collect your private data, in this case metadata. There is not much to collect overall, but there is some that can be used to connect the dots from A to B via C, which can be interesting for the feds or for advertising corporations like Google.

Threema works with polling, but the nagging messages are not really helpful and there is no option to turn them off globally. I like that Threema tries to provide workarounds, but it is nothing but annoying for de-Googled people like me to get reminders that Google push is not installed; a simple option for us power users to put an end to it would be helpful. We know that we decided to turn our back on Google services and products.

Conclusion

The release came too late, and my impression is that the app was stitched together in a hurry. People already used unofficial apps in the meantime, and it turns out those are less private; there was absolutely no warning, and as of today those forum posts are still online and the topics are not locked, which means people are going to continue installing those apps, because apparently no one found the major points or did a serious audit or review.

Here are some alternatives to Electron listed for the Threema team that they could use instead. Please do not follow the wrong trend of Chrome-ifying the entire web.

What to do

  • Remove all forks and unofficial apps, because they can make things worse. Close the forum posts and mention in the first or last post that those apps are possibly dangerous, outdated or not private.
  • Fix the app and the UI.
  • Ditch Google FCM once and for all.
  • Release an F-Droid version.
  • Replace the Electron framework with something that wastes fewer resources overall and does not depend on Google and co.
  • Provide reproducible builds.
  • Provide checksums if you provide binaries.
  • Fix your crypto.

Greetings,

CHEF-KOCH