
Privacy Protection: How Secure is Telegram Messenger?

by Jan Hajek, May 7th, 2021

Too Long; Didn't Read

First released for iOS on August 14, 2013, and for Android in October 2013, Telegram messenger is a basic instant messaging app. With over 500 million daily users, it is one of the top ten most downloaded applications in the world. Telegram features such as media, groups, and chat are encrypted with a combination of a 256-bit symmetric AES encryption algorithm, 2048-bit RSA encryption, and secure Diffie–Hellman key exchange. Telegram has a background of interacting with the Iranian and Russian governments. Telegram's prominence, especially in different states, makes it an attractive target for nation-states.


Telegram is a cross-platform, cloud-based instant messenger that is available for free. End-to-end secure video communication, VoIP, file sharing, and various other functionality are also accessible. First released for iOS on August 14, 2013, and for Android in October 2013, Telegram messenger is a basic instant messaging app that is quick, convenient, efficient, and can sync across all of a user's devices. With over 500 million daily users, it is one of the top ten most downloaded applications in the world. According to the developers of Telegram messenger, it is a secure and easy-to-use application. Telegram features such as media, groups, and chat are encrypted with a combination of a 256-bit symmetric AES encryption algorithm, 2048-bit RSA encryption, and secure Diffie–Hellman key exchange.

Is Telegram Secure?

Exploring the security perspective of messengers, we focus on technologies that are secure by default. Although Telegram supports end-to-end encryption (E2E), it must be enabled on a conversation-by-conversation basis by using a secret chat. As a result, Telegram's default conversations are much less secure.

Telegram explains the reason for this opt-in as "convenience": regular messages in Telegram are encrypted in the cloud and can be synced across different devices, while the chat creator must manually back up secret chats. Moreover, Telegram group chats are not encrypted; any participant can silently download video and audio files. Furthermore, in terms of security, open source has many benefits, mainly transparency, which is the foundation of confidence. Telegram is only partly open source: the client-side programs are open source, but the server side is closed source.

Data Storage

Except for secret chats, Telegram chats are saved on the cloud by default. Telegram intends to provide data storage through distributed networks and highly encrypted cloud data. The security key is shared throughout regions to avoid information leakage by a single nation or small community of allies requesting details or a key. There are also a few issues with this technique.

First, because the encryption keys are stored on the server, Telegram can technically decrypt communications stored on the cloud. Second, in the event that Telegram's infrastructure is compromised, an adversary may access the encryption keys to decode conversations.

Telegram's prominence, especially in different states, makes it an attractive target for nation-states. As a result, the whole security model of Telegram cloud is based on trusting a centralized authority, which is a vulnerable strategy from a security perspective.

Encryption Method in Telegram

Cryptography researchers have criticized Telegram for using MTProto, a non-standard cryptographic protocol. Confidence in an algorithm cannot be gained until the scheme has undergone years of in-depth research, thorough testing, and extensive review, which MTProto has not achieved. Several security bugs in MTProto have been found, but the majority of them are theoretical. Despite the criticism, the Electronic Frontier Foundation's safe communications scorecard has scored Telegram's secret chats as 7/7. Likewise, in a whitepaper titled "Automated Symbolic Verification of Telegram's MTProto 2.0," researchers concluded that the protocol is sound and MTProto 2.0 does not present any conceptual fault, but they also addressed the probability of implementation bugs and side-channel threats.

Telegram encompasses public networks for broadcasting messages to a large number of users. Telegram has a background of interacting with the Iranian and Russian governments. For example, at the behest of the government, Telegram shut down an Iranian opposition channel in 2017 for encouraging violence; additionally, Telegram decided to ban several bots, including stickers, in Iran.

Similarly, Telegram was banned in Russia in April 2020 due to noncompliance with the FSB's requirement to issue encryption keys. The ban was lifted in June 2020 after Telegram agreed to engage in the investigation as required. Despite this, Telegram has stated in its privacy policy that it has yet to report a single instance of data disclosure at the government's behest.

Since Telegram collects and preserves a great deal of information for its service distribution, the data may be of considerable importance to a country, and Telegram may be obliged to provide information under court order. 

Privacy Protection

According to Telegram's privacy policies, they gather information such as IP addresses, device information, history of username changes, Telegram applications you've used, and more as part of their spam and misuse protection protocol. If this data is processed, it is kept for 12 months before being discarded. Twelve months is a long time in which malicious third parties could access users' data.

Besides, Telegram moderators are allowed to read regular chat messages tagged for spam and bullying to decide whether or not the statement is accurate. Although this is a fair practice, it still implies that someone will read what you've written anyway.

Furthermore, the app can save compiled metadata in order to better customize your experience. For instance, it creates a customized list of contacts by calculating a ranking based on whom you message the most often when you open the Search menu. In the digital world, none of these three ideas are novel. However, when exchanging personal data on an app, users should be mindful of how the data is treated. 

Telegram transfers the whole address book to the Telegram cloud so that the user can be notified if someone on the contact list signs up for the Telegram service. In this manner, Telegram learns the user's social graph, including people who do not use its service. In section 8 of its Privacy Policy, titled "Whom Your Personal Data May Be Shared With," Telegram defines two additional possible data sources, in addition to the other users you want to connect with through the app.

Telegram exchanges its users' personal details with its parent company and a community member who provides funding for its services. On the other hand, Telegram retains the freedom to reveal your IP address and phone number to the appropriate authorities. That occurs after the organization issues a legal order claiming that a customer is guilty of terrorist activity. That has not happened yet, but it'll be recorded in a transparency survey if it happens.

Although Telegram is encrypted on several layers, which adds an extra layer of encryption to user details, it is not a reliable messenger in terms of privacy and protection. Because the messenger collects a lot of metadata from its users, that metadata can be exploited by attackers. Malicious third parties may also misuse the metadata of app users. For people whose main concern is the privacy and confidentiality of their data, Telegram messenger is not secure.