/threema-android

Threema App for Android.

Primary LanguageJavaGNU Affero General Public License v3.0AGPL-3.0



Threema for Android

This repository contains the complete source code of Threema for Android.

Table of Contents

Bug Reports / Feature Requests / Security Issues

To report bugs and request new features, please contact the Threema support team through threema.ch/support.

If you discover a security issue in Threema, please adhere to the coordinated vulnerability disclosure model. To be eligible for a bug bounty, please file a report on GObugfree (where all the details, including the bounty levels, are listed). If you’re not interested in the bug bounty program, you can contact us via Threema or by email; for contact details, see threema.ch/contact (section “Security”).

Source Code Release Policy

This source code repository will be updated for every public non-beta release. There will be one commit per released version.

Commits are signed using PGP. See SECURITY.md for more information.

License Checks

While the source code for Threema for Android is published under an open source license, Threema is still a paid app. To run the app in combination with our official server infrastructure, you must have bought a license either on Google Play or in the Threema shop.

The app uses four different license check types, depending on the build variant:

Google Play Licensing

When creating a new Threema ID using the Threema app bought on Google Play, the app sends a LVL license verification token to the directory server. This allows the server to verify that you have indeed bought the app, without being able to identify you.

This means that a self-compiled app using the google build variant cannot be used to create a new Threema ID. You can, however, use an app that was purchased over Google Play to create an ID and then export a backup. This backup can then be imported into the self-compiled app.

Note that the ID creation endpoint is monitored for abuse.

Huawei HMS Licensing

When creating a new Threema ID using the Threema app bought on Huawei AppGallery, the app sends a Huawei DRM Signature to the directory server. This allows the server to verify that you have indeed bought the app, without being able to identify you.

This means that a self-compiled app using the hms build variant cannot be used to create a new Threema ID. You can, however, use an app that was purchased over Huawei AppGallery to create an ID and then export a backup. This backup can then be imported into the self-compiled app.

Note that the ID creation endpoint is monitored for abuse.

Threema Shop Licensing

If you bought a Threema for Android license in the Threema Shop, you have received a license key. This license key can be used for license verification in the store_threema build variant.

Threema Work

If you build the work build variant, credentials from the Threema Work subscription must be provided in order to use the app.

Allowlist

The none build variant is used for development. It can only be used to create new Threema IDs if the random Device ID has been put on an “allow list” by a Threema employee.

Build Variants

Consumer

There are currently the following product flavors relevant for the consumer version of Threema:

Flavor Description License Checks
store_google Google Play Store version (regular, paid app) Google Play
hms Huawei AppGallery version (regular, paid app) Huawei HMS
store_threema¹ Threema Shop version (with play services) Threema Shop
libre¹ Libre (F-Droid) version (no proprietary code) Threema Shop

For local testing, we recommend building the store_google or store_threema build variants.

¹ The main difference between store_threema and libre is that the former contains proprietary push services and a self-updater while the latter does not. Additionally, the libre version will use your system emoji, instead of bundling emoji graphics.

Threema Work / OnPrem

Additionally, these build variants are only relevant for Threema Work or Threema OnPrem customers:

Flavor Description License Checks
store_google_work Google Play Store version (work, free app) Threema Work
hms_work Huawei AppGallery version (work, free app) Threema Work
onprem Threema OnPremises version Threema Work

Internal Development

The following variants are only used for development and testing within Threema:

Flavor Description License Checks
none Used for development Allowlist
sandbox Uses sandbox test environment¹ Allowlist
sandbox_work Uses sandbox test environment¹ Threema Work
red Uses sandbox test environment¹ Threema Work

¹ The “sandbox” is a backend test environment that is used for internal testing at Threema. The sandbox backend can currently not be accessed from the public Internet.

Building

Before building the app, please read the “Build Variants” section above. For local testing, we recommend building and running the store_google or store_threema build variant.

Via Command Line

Prerequisites:

  • Android SDK
  • Android NDK
  • bash shell

The application APK can be built using Gradle Wrapper:

# Play Store variant
./gradlew assembleStore_googleDebug

# Threema Store variant
./gradlew assembleStore_threemaDebug

NOTE: Threema for Android is developed on Linux machines, we cannot offer any assistance for building on macOS, Windows, or other operating systems.

Via Android Studio

The project can be imported into Android Studio. To build and deploy it to a device, click the green “Play” icon.

Testing

Via Command Line

To run unit tests:

./gradlew testNoneDebug

To run integration tests (with a device or emulator attached):

./gradlew connectedNoneDebugAndroidTest

Note that integration tests run in the same app environment as your “real” app, so data loss is possible. For example, if an integration test deletes your Threema ID in order to test the backup restoration process, the Threema ID in your “real” app may also be gone (if it was signed with the same signing key). It is best to only run integration tests on a non-productive device or in an emulator.

Via Android Studio

You can also run tests through Android Studio.

Reproducible Builds

Instructions on how to reproduce the build process used to publish the official Threema app can be found at threema.ch/open-source/reproducible-builds/.

Code Organization / Architecture

Before digging into the codebase, you should read the Cryptography Whitepaper to understand the design concepts.

Code related to the core functionality (e.g., connecting to the chat server, encrypting messages, etc.) can be found in the domain/src/main/java/ch/threema/ directory.

The code of the actual Android app is located in the app/src/main/java/ch/threema/ directory.

Contributions

We accept GitHub pull requests. Please refer to https://threema.ch/open-source/contributions for more information on how to contribute.

Note that translation fixes should not be contributed through GitHub but through OneSky, see next section.

Translating

We manage our app translations through OneSky. If you’re interested in improving translations, or if you would like to translate Threema to a new language, please sign up at https://threema.oneskyapp.com/collaboration/.

License

Threema for Android is licensed under the GNU Affero General Public License v3.

Copyright (c) 2013-2023 Threema GmbH

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License, version 3,
as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.

The full license text can be found in LICENSE.txt.

If you have questions about the use of self-compiled apps or the license in general, feel free to contact us. We are publishing the source code in good faith, with transparency being the main goal. By having users pay for the development of the app, we can ensure that our goals sustainably align with the goals of our users: Great privacy and security, no ads, no collection of user data!