https://github.com/threema-ch/threema-android

Threema App for Android.
https://github.com/threema-ch/threema-android

android-app messaging mobile-app secure-messenger

Last synced: 29 days ago
JSON representation

Threema App for Android.

• Host: GitHub
• URL: https://github.com/threema-ch/threema-android
• Owner: threema-ch
• License: agpl-3.0
• Created: 2020-12-20T20:14:55.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2024-09-30T11:38:48.000Z (about 1 month ago)
• Last Synced: 2024-10-02T03:01:22.133Z (about 1 month ago)
• Topics: android-app, messaging, mobile-app, secure-messenger
• Language: Java
• Homepage: https://threema.ch/open-source/
• Size: 62 MB
• Stars: 834
• Watchers: 49
• Forks: 93
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE.txt
  • Security: SECURITY.md

Awesome Lists containing this project

README

        


  

  

  





# Threema for Android

This repository contains the complete source code of

[Threema](https://threema.ch/) for Android.

## Table of Contents

- [Bug Reports / Feature Requests / Security Issues](#issues)

- [Source Code Release Policy](#release-policy)

- [License Checks](#license-checks)

- [Build Variants](#build-variants)

- [Building](#building)

- [Testing](#testing)

- [Reproducible Builds](#reproducible-builds)

- [Code Organization / Architecture](#architecture)

- [Contributions](#contributions)

- [Translating](#translating)

- [License](#license)

## Bug Reports / Feature Requests / Security Issues

To report bugs and request new features, please contact the Threema support

team through [threema.ch/support](https://threema.ch/support).

If you discover a security issue in Threema, please adhere to the coordinated

vulnerability disclosure model. To be eligible for a bug bounty, please [file a

report on GObugfree](https://app.gobugfree.com/programs/threema) (where all the

details, including the bounty levels, are listed). If you’re not interested in

the bug bounty program, you can contact us via Threema or by email; for contact

details, see [threema.ch/contact](https://threema.ch/en/contact) (section

“Security”).

## Source Code Release Policy

This source code repository will be updated for every public non-beta release.

There will be one commit per released version.

Commits are signed using PGP. See [SECURITY.md](SECURITY.md) for more

information.

## License Checks

While the source code for Threema for Android is published under an open source

license, Threema is still a paid app. To run the app in combination with our

official server infrastructure, you must have bought a license either on Google

Play or in the Threema shop.

The app uses four different license check types, depending on the build variant:

### Google Play Licensing

When creating a new Threema ID using the Threema app bought on Google Play, the

app sends a [LVL license verification token](https://developer.android.com/google/play/licensing/)

to the directory server. This allows the server to verify that you have indeed

bought the app, without being able to identify you.

This means that a self-compiled app using the `google` build variant cannot be

used to create a new Threema ID. You can, however, use an app that was

purchased over Google Play to create an ID and then export a backup. This

backup can then be imported into the self-compiled app.

Note that the ID creation endpoint is monitored for abuse.

### Huawei HMS Licensing

When creating a new Threema ID using the Threema app bought on Huawei AppGallery, the

app sends a [Huawei DRM Signature](https://developer.huawei.com/consumer/en/doc/development/AppGallery-connect-Guides/appgallerykit-paidapps-devguide-0000001073913394)

to the directory server. This allows the server to verify that you have indeed

bought the app, without being able to identify you.

This means that a self-compiled app using the `hms` build variant cannot be

used to create a new Threema ID. You can, however, use an app that was

purchased over Huawei AppGallery to create an ID and then export a backup. This

backup can then be imported into the self-compiled app.

Note that the ID creation endpoint is monitored for abuse.

### Threema Shop Licensing

If you bought a Threema for Android license in the [Threema Shop](https://shop.threema.ch/),

you have received a license key. This license key can be used for license

verification in the `store_threema` build variant.

### Threema Work

If you build the `work` build variant, credentials from the [Threema

Work](https://work.threema.ch/) subscription must be provided in order to use

the app.

### Allowlist

The `none` build variant is used for development. It can only be used to create

new Threema IDs if the random Device ID has been put on an “allow list” by a

Threema employee.

## Build Variants

**Consumer**

There are currently the following product flavors relevant for the consumer

version of Threema:

| Flavor                 | Description                                    | License Checks |

| ---------------------- | ---------------------------------------------- | -------------- |

| `store_google`         | Google Play Store version (regular, paid app)  | Google Play    |

| `hms`                  | Huawei AppGallery version (regular, paid app)  | Huawei HMS     |

| `store_threema`¹       | Threema Shop version (with play services)      | Threema Shop   |

| `libre`¹               | Libre (F-Droid) version (no proprietary code)  | Threema Shop   |

For local testing, we recommend building the `store_google` or `store_threema`

build variants.

¹ The main difference between `store_threema` and `libre` is that the former

  contains proprietary push services and a self-updater while the latter does

  not. Additionally, the `libre` version will use your system emoji, instead

  of bundling emoji graphics.

**Threema Work / OnPrem**

Additionally, these build variants are only relevant for Threema Work or

Threema OnPrem customers:

| Flavor               | Description                                    | License Checks |

| -------------------- | ---------------------------------------------- | -------------- |

| `store_google_work`  | Google Play Store version (work, free app)     | Threema Work   |

| `hms_work`           | Huawei AppGallery version (work, free app)     | Threema Work   |

| `onprem`             | Threema OnPremises version                     | Threema Work   |

**Internal Development**

The following variants are only used for development and testing within Threema:

| Flavor         | Description                                    | License Checks |

|----------------| ---------------------------------------------- | -------------- |

| `none`         | Used for development                           | Allowlist      |

| `green`        | Uses sandbox test environment¹                 | Allowlist      |

| `sandbox_work` | Uses sandbox test environment¹                 | Threema Work   |

| `blue`         | Uses sandbox test environment¹                 | Threema Work   |

¹ *The “sandbox” is a backend test environment that is used for internal testing

  at Threema. The sandbox backend can currently not be accessed from the public

  Internet.*

## Building

Before building the app, please read the “Build Variants” section above. For

local testing, we recommend building and running the `store_google` or

`store_threema` build variant.

### Via Command Line

Prerequisites:

- Android SDK

- Android NDK

- bash shell

The application APK can be built using Gradle Wrapper:

    # Play Store variant

    ./gradlew assembleStore_googleDebug

    # Threema Store variant

    ./gradlew assembleStore_threemaDebug

*NOTE:* Threema for Android is developed on Linux machines, we cannot offer any

assistance for building on macOS, Windows, or other operating systems.

### Via Android Studio

The project can be imported into [Android Studio](https://developer.android.com/studio/).

To build and deploy it to a device, click the green “Play” icon.

## Testing

### Via Command Line

To run unit tests:

    ./gradlew testNoneDebug

To run integration tests (with a device or emulator attached):

    ./gradlew connectedNoneDebugAndroidTest

Note that integration tests run in the same app environment as your “real” app,

so data loss is possible. For example, if an integration test deletes your

Threema ID in order to test the backup restoration process, the Threema ID in

your “real” app may also be gone (if it was signed with the same signing key).

It is best to only run integration tests on a non-productive device or in an

emulator.

### Via Android Studio

You can also run tests through Android Studio.

## Reproducible Builds

Instructions on how to reproduce the build process used to publish the official

Threema app can be found at

[threema.ch/open-source/reproducible-builds/](https://threema.ch/open-source/reproducible-builds/).

## Code Organization / Architecture

Before digging into the codebase, you should read the [Cryptography

Whitepaper](https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf)

to understand the design concepts.

Code related to the core functionality (e.g., connecting to the chat server,

encrypting messages, etc.) can be found in the

`domain/src/main/java/ch/threema/` directory.

The code of the actual Android app is located in the

`app/src/main/java/ch/threema/` directory.

## Contributions

We accept GitHub pull requests. Please refer to

for more information on how to contribute.

Note that translation fixes should not be contributed through GitHub but

through OneSky, see next section.

## Translating

We manage our app translations through OneSky. If you’re interested in

improving translations, or if you would like to translate Threema to a new

language, please sign up at .

## License

Threema for Android is licensed under the GNU Affero General Public License v3.

    Copyright (c) 2013-2024 Threema GmbH

    This program is free software: you can redistribute it and/or modify

    it under the terms of the GNU Affero General Public License, version 3,

    as published by the Free Software Foundation.

    This program is distributed in the hope that it will be useful,

    but WITHOUT ANY WARRANTY; without even the implied warranty of

    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License

    along with this program. If not, see .

The full license text can be found in [`LICENSE.txt`](LICENSE.txt).

If you have questions about the use of self-compiled apps or the license in

general, feel free to [contact us](mailto:[email protected]). We are

publishing the source code in good faith, with transparency being the main

goal. By having users pay for the development of the app, we can ensure that

our goals sustainably align with the goals of our users: Great privacy and

security, no ads, no collection of user data!