That’s your decision – Threema can be used without any address book access whatsoever.
By default, the synchronization is disabled, and no address book data will be read. In this case, you can add your Threema contacts manually (by typing in their IDs or scanning their QR codes).
If you decide to enable the synchronization, email addresses and phone numbers from your address book will only be transmitted to the server in one-way encrypted (“hashed”) form and are additionally protected using TLS encryption. The servers only keep these hashes in volatile memory for a short time to determine the list of matching IDs, and then delete the hashes immediately. At no point are the hashes or the results of the synchronization written to disk.
Due to the relatively low number of possible phone number combinations, it is theoretically possible to crack hashes of phone numbers by trying all possibilities. This is due to the nature of hashes and phone numbers and cannot be solved differently (salting, as is done when hashing passwords, does not work for this kind of data matching). Therefore, we treat phone number hashes with the same care as if they were raw/unhashed phone numbers.
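The trade-off described above, as an added example that is not Threema's code: matching needs every party to compute the same digest for the same number, which a per-client random salt prevents, while an unsalted digest of a number from a small range can be recovered by trying the range. SHA-256, the function names, the phone numbers and the IDs are all assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
import os


def digest(identifier: str, salt: bytes = b"") -> str:
    """Hex digest of salt + identifier (SHA-256 is an assumed choice)."""
    return hashlib.sha256(salt + identifier.encode()).hexdigest()


def server_match(uploaded: set[str], directory: dict[str, str]) -> list[str]:
    """Return the IDs whose stored digest equals one of the uploaded digests."""
    return sorted(uid for d, uid in directory.items() if d in uploaded)


def enumerate_range(target: str, prefix: str, digits: int) -> str | None:
    """Hash every number prefix + n in a small range and compare to target."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if digest(candidate) == target:
            return candidate
    return None


# Constructed sample data: fictional numbers and placeholder IDs.
ALICE, BOB = "+15550100042", "+15550100077"
DIRECTORY = {digest(ALICE): "ID-ALICE", digest(BOB): "ID-BOB"}


def unsalted_lookup() -> list[str]:
    # The client hashes its address book exactly as the directory was built,
    # so equal numbers give equal digests and the server finds the match.
    return server_match({digest(ALICE), digest("+15550109999")}, DIRECTORY)


def salted_lookup() -> list[str]:
    # With a per-client random salt the same number hashes to a different
    # value on every client, so the server has nothing to compare against.
    salt = os.urandom(16)
    return server_match({digest(ALICE, salt)}, DIRECTORY)


if __name__ == "__main__":
    print("unsalted match:", unsalted_lookup())
    print("salted match:  ", salted_lookup())
    # Only 10**4 candidates here; the digest gives no confidentiality.
    print("recovered:     ", enumerate_range(digest(ALICE), "+1555010", 4))
```

The toy range has 10,000 candidates; the digests still have to be protected in transit and never stored, as the page describes, because hashing alone does not hide a number drawn from a small range.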