Is Telegram Secure? What You Need to Know Before Downloading the App
Telegram Is Not as Secure as It Portrays Itself to Be. Learn How to Stay Safe While Using It.
Worry not, as I will answer all of them and more in the following lines. As always, stay tuned until the end for some actionable advice on how to stay safe while using Telegram.
What is Telegram?
Telegram is a cloud-based instant messaging app that was launched back in 2013 and has gained quite a devoted user base since then. It was developed by Pavel and Nikolai Durov, two Russian brothers who are best known for creating the social networking platform VK (formerly VKontakte).
The app features a secret chat option with end-to-end encryption, as well as a regular chat variant that is encrypted in the Telegram Cloud. It is available on multiple mobile and desktop operating systems, namely iOS, macOS, Android, Windows Phone, Windows, and Linux.
What sets Telegram apart from the crowd is its popularity, especially among millennial and Gen Z users. Many of my friends use it and motivate their choice in doing so on the fact that it is more secure than other (Mark Zuckerberg-owned) instant messaging apps out there such as WhatsApp or Facebook Messenger.
However, that isn’t necessarily the case. For example, all WhatsApp chats feature end-to-end encryption, as opposed to Telegram using it for its secret chats only. So, what accounts for its popularity? What does Telegram do that other similar apps don’t? The answer lies within the app’s MTProto Mobile Protocol, which I will discuss in the section below where you’ll find out all there is to know about Telegram’s encryption process.
Is Telegram Encrypted?
According to the official Telegram FAQ section, the app features two layers of secure encryption. Private and group cloud chats support server to client encryption, while secret chats benefit from client to client encryption. Every single bit of data is treated the same way in the process, which means that text, files, and media alike are encrypted equally.
Telegram encryption is based on 2048-bit RSA encryption, 256-bit symmetric AES encryption, and Diffie–Hellman secure key exchange. As per further info provided in the app’s FAQ for the Technically Inclined,
All Telegram apps ensure that msg_key is equal to SHA-256 of a fragment of the auth_key concatenated with the decrypted message (including 12…1024 bytes of random padding). It is important that the plaintext always contains message length, server salt, session_id and other data not known to the attacker.
It is crucial that AES decryption keys depend both on msg_key, and on auth_key, known only to the parties involved in the exchange.
What is more, Telegram does not rely on a MAC-then-Encrypt, Encrypt-then-MAC, or MAC-and-Encrypt model, but rather on the aforementioned MTProto Mobile Protocol. In doing so, app developers obtain a faster and more thorough message verification process which allows for the safe and silent discarding of invalid or corrupted communications.
How does Telegram work at its most elementary and general level? The layer of MTProto dealing with cloud chats that are based on server-client encryption consists of three independent components:
- High-level component, or API query language, which defines the process through which API queries and responses become binary messages.
- Cryptographic component, or authorization layer, which defines how messages are encrypted before going out towards the transport component.
- Transport component, which defines the way in which the client and the server transmit the messages using already-existing network protocols such as HTTP, HTTPS, UDP, TCP, and so on.
It is important to note at this point that MTProto applies to standard cloud chats on mobile devices only, and does not feature end-to-end decryption by default. This is a notable security concern regarding Telegram that I will get into more towards the end of this article.
Are you interested in the functioning of these methods from an even more technical standpoint? Have a look at the image attached below, which can be found in Telegram’s official FAQ section. Check out their detailed description section for an in-depth explanation of the terminology that is used.
Image Source: Telegram
Telegram secret chats differ from standard ones because they are encrypted end-to-end. What does this mean for you, the user? Well, as per the app’s FAQ, this entails that only the sender and the recipient can read the messages in a secret chat. Nobody else can decrypt them, including Telegram staff.
Messages from a secret chat cannot be forwarded, and all adjacent media can be set to self-destruct after a preset amount of time. What is more, if one participant deletes the chat, the other will be required to do so as well. This is allowed by the fact that secret conversations on Telegram are device-specific and not stored in the cloud. Therefore, it is implied that your data is safe as long as your mobile phone stays by your side.
For a more technical overview of the end-to-end encryption process utilized in secret chats, you can check out the image embedded below, as well as the dedicated section in the advanced Telegram FAQ.
Image Source: Telegram
How Does Telegram Process Personal Data?
First of all, Telegram’s spam and abuse prevention procedure involves collecting information such as IP addresses, device details, history of username changes, and more. This data, if collected, is stored for a maximum of 12 months before being deleted. That gives malicious third parties plenty of time to access it, if you ask me.
Second of all, Telegram moderators are permitted to read standard chat messages that are flagged for spam and abuse to determine whether or not the allegation is accurate. While this is a commonsensical practice, it also means that other people can read what you write on there. Zoinks.
Finally, the app might also store aggregated metadata to better tailor your experience. For example, it calculates a rating based on who you message most often to create a personalized list of contacts that appear when you open the Search menu.
Neither of these three concepts is unheard-of in the digital world. However, users need to be aware of how their sensitive data is handled before sharing it on an app.
Who Does Telegram Share Your Data with?
However (and you might have not seen this coming if you know the app’s reputation), Telegram also reserves itself the right to disclose your IP address and phone number to the relevant authorities. This only happens if the company receives a court order stating that a user is suspected of terrorism. This has presumably never happened before, and if it will, it will be published in a transparency report.
So… Is Telegram Secure or Not?
All the technical details specified in the previous sections might sound impressive at a first glance, but is Telegram safe in the true sense of the word? Or, is it at least safer than other instant messaging alternatives?
Telegram Security Features
One look at the section on security from Telegram’s dedicated Wikipedia page will give you the answer to these questions, and the answer is no. In fact, Telegram’s security model has been heavily criticized by cryptography experts over the years.
Some of the main issues cited by the Wiki include not making E2E encryption the default for all chats, as well as storing media, messages, and contacts in the same place as decryption keys. The app’s proprietary MTProto Mobile Protocol has also been decried for containing unapproved and homebrewed cryptography that could potentially endanger the personally identifiable information stored on the platform.
Telegram’s claim to fame that it is more secure than other mass-market instant messaging apps such as WhatsApp has been disproved by professionals in the field. As stated above, WhatsApp encrypts all traffic end-to-end by default and operates within the boundaries of the expert-reviewed and approved Signal Protocol. Telegram, as we’ve discussed, attains neither.
In addition to this, researchers from Aarhus University in Denmark demonstrated in 2015 that Telegram does not achieve authenticated encryption or indistinguishability under chosen-ciphertext attack. Pavel Durov has defended the app publicly on numerous occasions, but reproach still arose regularly.
Telegram Security Breaches
This being said, is Telegram secure in the face of cyberattacks at least? The answer is still no. In fact, the app has fallen victim to plenty of breaches in recent years, the most notable of which I will briefly enumerate below.
On June 13, 2019, during the Hong Kong protests, Telegram suffered a denial-of-service attack performed by IP addresses linked to mainland China.
On March 30, 2020, a public ElasticSearch database containing the information of 42 million Iranian Telegram users was found on the Web. The app has been completely banned in the country since May 2018. This was just one of the numerous security breaches involving Iran on Telegram.
On October 19, 2020, hackers with access to the Signaling System 7, or SS7 for short, gained access to Telegram messenger. SS7 is used for linking mobile networks across the globe.
Minimizing the Cybersecurity Risks Associated with Telegram
To sum up the discussion thus far, Telegram is an instant messaging app that employs a custom encryption protocol known as MTProto. This has been heavily criticized by some experts over time, among other questionable approaches the app has taken. Plus, Telegram is no stranger to security breaches, especially over the last year or so.
However, there are many reasons you might still want to use it. Although E2E encryption is not its default, having the option to choose between regular and secret chats has a certain charm. And it’s not as if the alternative doesn’t exist at all.
Furthermore, Telegram is GDPR-compliant and supports two-step authentication. Its custom protocol recommends it as a favorite among tech enthusiasts thanks to its open-source model. Plus, you can add your own stickers. All in all, I’m not saying you should skip out on it entirely. Nevertheless, if you do choose to communicate on it, here are a few things you should consider from case to case.
Telegram for Home Users
Telegram comes in both mobile and desktop variants, and the latter is pretty well-optimized too. However, if you recall what I’ve mentioned eons ago at the beginning of this article, the MTProto Mobile Protocol applies to chats stored on mobile devices only. It’s right there in the name, actually. But what does this mean for you, a home user?
It means that, unfortunately, there is no secret chats option on desktop, and thus no end-to-end encryption. In October of 2018, BleepingComputer reported that Telegram Desktop stores chats locally in plain text files. These are not encrypted in any way, and thus easily readable and accessible to malicious third parties that might infiltrate your machine.
Therefore, my recommendation is to protect your devices on all fronts. Heimdal Security’s very own Thor Foresight Home can help you with that. Its proprietary DarkLayer Guard™ & VectorN Detection is optimized for both mobile and desktop devices by filtering traffic at the level of the Domain Name System and impeding any malicious communications.
SECURE YOUR ONLINE BROWSING!
SECURE YOUR ONLINE BROWSING!Get Thor Foresight
As an extra treat for desktop users, Thor Foresight Home also integrates the X-Ploit Resilience patch management software. XPR deploys relevant patches and updates within hours of their release, ensuring that all your device’s vulnerabilities are closed for good.
Telegram for Business
Are you already using Telegram to increase your company’s visibility, or are you at least considering it? According to the MailUp Blog, the instant messaging app might just be that additional marketing channel you have been looking for.
Although Telegram does not have a designated Business model in the same way as WhatsApp or Skype do, it can still be used for corporate purposes. It is a great medium for both internal and external communications, as well as customer care.
Nonetheless, you’ve ideally read everything I’ve had to say about the app thus far. Telegram is not entirely secure, especially when you’re using it for business. This is why I recommend going the extra mile and using a cybersecurity solution such as Thor Foresight Enterprise in tandem with the instant messaging app.
Antivirus is no longer enough to keep an organization’s systems secure.
Thor Foresight Enterprise
before they reach your system.
Antivirus is no longer enough to keep an organization’s systems secure.
In a similar way to its Home counterpart, Thor Foresight Enterprise blocks cyberattacks before they even reach your company’s endpoints, servers, or network. And while DarkLayer Guard stops ransomware and other unknown threats at the layers of the DNS, HTTP, and HTTPS, X-Ploit Resilience patches over 85% of vulnerabilities to ensure the complete security of your systems.
Telegram for Journalists
The story so far is that the app might share your information with authorities if requested. Plus, its bulletproof image is more so reliant on clever marketing than actual technical superiority. Choose what you share on it carefully.
One Last Thing Before You Go…
So, is Telegram secure? No, or at least not in the same capacity it likes to present itself to be. Nonetheless, it has its advantages as an instant messaging app and can become a great business asset as well. By taking the right security precautions beforehand, Telegram with its user base of 300 million is a place where you can connect with friends, family, customers, leads, or anyone and everyone else.