To secure or not to secure? That is the question!

Telegram has about 200 million users globally. The company operates out of Dubai but originated in Russia. Whilst Telegram has apps for Windows, macOS and Linux, most users are probably using it on a cellphone. The app has a native iOS version for iPhone and iPad and, of course, an Android variant that is also downloadable on F-Droid, which means the F-Droid build does not rely on Google Services.

To register you need to provide your telephone number. The app will ask for access to your local phone book, which you can deny or accept, so that it can see which of your contacts already use Telegram. The good news is that even though you register with your telephone number, you don't need to share it! You can set a username and share that with your contacts instead.

The client code is open source, which is a great start! The server code, however, is not. Telegram has great apps and mighty stickers, which are cool! They advertise privacy and security, but that is not the case! End-to-end encryption (E2EE) is not the default and is only implemented in a Secret Chat between two users, which one of them has to request. These chats will only appear on the device you accepted them on and not on any other device you have. Group chats have ZERO E2EE! That option is just not available!

Secret chat encryption is based on Telegram's MTProto Mobile Protocol, as explained here:

MTProto Mobile Protocol

And in May 2017, this protocol was audited by the Massachusetts Institute of Technology:

https://courses.csail.mit.edu/6.857/2017/project/19.pdf

"In this project we have surveyed the Telegram messenger. When Telegram started as a company it became popular because of its claims, the public's trust in the founders and also the timing (the NSA leaks by Snowden happened in the same year). Given these claims one would expect a very high level of security from Telegram. However, our survey shows that Telegram has had serious and simple issues in the protocol (e.g. a modified, buggy Diffie-Hellman key exchange) that any knowledgeable security expert could penetrate. By using the command line interface of Telegram we have been able to snoop on some of our friends and detect the times when they were conversing with each other. We believe that this is a serious privacy issue, because it can be exploited to detect relationships in a classroom, for example. Finally, our conclusion is that Telegram, just like any other application, has vulnerabilities. Users have to be aware of this fact, but unfortunately the claims by companies make non-tech-savvy users believe that their messages are unreadable by third parties."

Telegram reacted and released a new version of the MTProto Mobile Protocol (2.0) which addressed the issues raised in the audit. To date, however, no new audit has been conducted to confirm this claim.

The good news is that Telegram offers a bug bounty program which rewards hackers and others for uncovering bugs, with the size of the award depending on how severe the bug was.

HackerOne

Telegram claims all messages are server-side encrypted:

Telegram Privacy Policy

However, since that encryption is under Telegram's control, Telegram employees and operators can see your chats! So can anyone who compromises the servers and, sadly, third parties such as law enforcement.

Telegram has also attempted to explain why it doesn't offer E2EE for group or regular chats:

Why Isn’t Telegram End-to-End Encrypted by Default?

In secret one-on-one chats, Telegram does let you verify the encryption key to make sure you're chatting with the person you're supposed to be chatting with and not some impostor. To do so you compare the encryption key with your contact, similar to Threema and Signal. Unlike regular messages, secret chats are not cloud-based and can only be accessed on the device they were started on. Encryption keys are exchanged when a secret chat is initiated, securing the messages sent. Messages in these secret chats can be deleted at any time and even set to 'self-destruct' after a set time. Yet, even with this feature, some experts argue that Telegram's encryption is fundamentally flawed.
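Why comparing the key with your contact actually catches an impostor, as an added illustration that is not from the original post and not Telegram's code: both sides derive a session key, each computes a fingerprint of it locally, and only an out-of-band comparison shows whether the relay in the middle substituted its own key. The Diffie-Hellman group below is a toy parameter constructed for illustration, not MTProto's real one.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: a 127-bit
# Mersenne prime is far too small for real use (real protocols use a 2048-bit
# or larger group, or an elliptic curve).
P = 2**127 - 1
G = 5


def keypair():
    """Fresh private exponent and the public value that is sent to the peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(secret):
    """Human-comparable digest of the session key. Each side computes it from
    its own view of the key; the two strings are then compared out of band."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


def honest_session():
    """Public values pass through the server unmodified."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (fingerprint(shared_secret(a_priv, b_pub)),
            fingerprint(shared_secret(b_priv, a_pub)))


def interposed_session():
    """Whoever controls the relay swaps in its own public value, so each side
    unknowingly shares a key with the relay instead of with each other."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, relay_pub = keypair()
    return (fingerprint(shared_secret(a_priv, relay_pub)),
            fingerprint(shared_secret(b_priv, relay_pub)))


def keys_match(fp_alice, fp_bob):
    """The user-facing check: identical fingerprints mean nobody sits between."""
    return fp_alice == fp_bob


if __name__ == "__main__":
    print("honest:    ", keys_match(*honest_session()))      # True
    print("interposed:", keys_match(*interposed_session()))  # False
```

The comparison has to happen over a channel the relay does not control (in person or on a call), because a relay that can swap keys can also swap a fingerprint sent through the chat itself.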

During the protests in HK, Telegram was Hong Kong's most downloaded app on Android and iOS!

When thousands of protesters took to the streets in Hong Kong during the protests against the proposed and controversial new extradition law, many turned to Telegram to help get organized. Pitched as a secure communication tool, Telegram has been used by both activists and others to avoid government scrutiny.

However, on the day of the protests, Telegram told its users that it had suffered a distributed denial of service (DDoS) attack, in which its servers were flooded with 'garbage requests', causing connection issues for many users.

Telegram CEO Pavel Durov wrote on Twitter:

“IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception.”

The issue is that some users don’t seem to be aware of the risks of using Telegram. During the protests in HK, police arrested the administrator of a Telegram group with some 30,000 participants. He was accused of plotting with others to storm a government complex and block adjacent roads.

NOTE! Telegram can see (and hand over) your IP address and your entire metadata, including your own and the recipient's telephone numbers, plus your location!

Telegram's mobile app has also been accused of exposing crucial digital-footprint information, and researchers at MIT have shown how a hacker can pinpoint to the second when a user goes online and offline.

And whilst Telegram has been known to deny such requests, handing the data over is possible! You have been warned!

And just like with most messaging apps, there’s no way of stopping any chat participant from taking screenshots of your conversation and sharing or storing them.

Telegram communication on a central server

Every communication, whether a chat or a group chat, goes through Telegram's central server. This means you have a single point of failure!

Every message (except those in one-on-one secret chats) is saved for a lifetime on Telegram's servers! This is a horror show if you have cancelled your account, have a new telephone number or simply don't want to be part of Telegram anymore: if someone registers with your old number, they can see all your previous chats! To avoid this you need to delete your account or transfer it to your new number.

https://telegram.org/faq/#q-how-do-i-delete-my-account

The next horror show involves their handling of your contacts! Telegram saves and keeps the contacts you've uploaded or allowed it to process. If your friends are on Telegram and someone gets into your account, there they all are in plain text! Not encrypted or hashed, but all saved and stored...

If you did sync your contacts, you do have an option to delete them:

Settings -> Privacy and Security -> Data Settings -> Delete Synced Contacts

IP addresses, device type and every login you've used will also be saved for 12 months on Telegram's servers.

If you are using the F-Droid version there are no trackers in the app; the Google Play version, however, sends analytics and tracks you with Google Firebase Analytics and HockeyApp.

Telegram also offers a Bot API; bots built with it can be added to group chats.

Telegram Bot API

Now for something positive... calls!

Calls can be made peer-to-peer or via the Telegram servers. The great part here is that they are indeed E2EE, just like secret chats.

Telegram can also scan for nearby users and groups based on your GPS location. This is ideal if you wish to add someone you've just met as a contact, as it removes the hassle of calling the other phone or manually exchanging numbers. Besides messaging others and joining groups, you can also create location-based groups which other users can find and join.

One great feature on Telegram is Channels. These can be used for a kind of article sharing! Basically like RSS, a channel pulls in the headline, part of the article and the headline picture of whatever is posted to it.

My personal verdict on Telegram this time round is that it's a great social media tool, thanks to Channels and to groups that can be used to talk about things of common interest. If you treat Telegram as an open social network, perhaps like a forum, or as your Facebook replacement for sharing things with the people you want to share them with, it is great, but do not expect privacy! It's a social network!

If you are on Telegram and use it as a social network and don't care about privacy when it comes to networking, then you can join our Telegram group:

Decentralize.Today
www.decentralize.today

and if you would just like to be kept informed of the latest privacy news, join the privacyisahumanright channel:

The Resistance, Cyberpunks - Crypto & Privacy
Privacy is a human right!

and if you're already connecting with us and you want your very own, consider joining us on Mastodon:

Decentralize.Today (@Decentralize_today@mastodon.social)

Yours in privacy,

The Privacy Advocate