
When compared to renowned instant messaging apps such as WhatsApp or Facebook Messenger, Telegram might seem like the underdog. However, the Russian platform is anything but with its user base of roughly 300 million. If you are not yet familiar with it, a few questions might be going through your mind right now. What is Telegram? Is it encrypted? How shady is its privacy policy? And, most importantly, is Telegram secure?

Worry not, as I will answer all of them and more in the following lines. As always, stay tuned until the end for some actionable advice on how to stay safe while using Telegram.

What is Telegram?

Telegram is a cloud-based instant messaging app that was launched back in 2013 and has gained quite a devoted user base since then. It was developed by Pavel and Nikolai Durov, two Russian brothers who are best known for creating the social networking platform VK (formerly VKontakte).

The app features a secret chat option with end-to-end encryption, as well as a regular chat variant that is encrypted in the Telegram Cloud. It is available on multiple mobile and desktop operating systems, namely iOS, macOS, Android, Windows Phone, Windows, and Linux.

What sets Telegram apart from the crowd is its popularity, especially among millennial and Gen Z users. Many of my friends use it and motivate their choice in doing so on the fact that it is more secure than other (Mark Zuckerberg-owned) instant messaging apps out there such as WhatsApp or Facebook Messenger.

However, that isn’t necessarily the case. For example, all WhatsApp chats feature end-to-end encryption, as opposed to Telegram using it for its secret chats only. So, what accounts for its popularity? What does Telegram do that other similar apps don’t? The answer lies within the app’s MTProto Mobile Protocol, which I will discuss in the section below where you’ll find out all there is to know about Telegram’s encryption process.

Is Telegram Encrypted?

According to the official Telegram FAQ section, the app features two layers of secure encryption. Private and group cloud chats use server-to-client encryption, while secret chats benefit from client-to-client encryption. Every single bit of data is treated the same way in the process, which means that text, files, and media alike are encrypted equally.

Telegram encryption is based on 2048-bit RSA encryption, 256-bit symmetric AES encryption, and Diffie–Hellman secure key exchange. As per further info provided in the app’s FAQ for the Technically Inclined,

All Telegram apps ensure that msg_key is equal to SHA-256 of a fragment of the auth_key concatenated with the decrypted message (including 12…1024 bytes of random padding). It is important that the plaintext always contains message length, server salt, session_id and other data not known to the attacker.

It is crucial that AES decryption keys depend both on msg_key, and on auth_key, known only to the parties involved in the exchange.

What is more, Telegram does not rely on a MAC-then-Encrypt, Encrypt-then-MAC, or MAC-and-Encrypt model, but rather on the aforementioned MTProto Mobile Protocol. In doing so, the app’s developers obtain a faster and more thorough message verification process that allows invalid or corrupted messages to be discarded safely and silently.
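To make the FAQ’s description concrete, here is an added illustration (my own code, not Telegram’s) of that message layer in Go: msg_key is computed over an auth_key fragment plus the padded plaintext, the AES key and IV are derived from msg_key and auth_key, and the receiver recomputes msg_key after decryption and silently discards anything that does not match. The auth_key is a constructed stand-in, and the byte offsets and the IGE block mode follow Telegram’s published MTProto 2.0 layout as I understand it; nothing here is a reimplementation of the real client.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed stand-in for the 256-byte auth_key; a real one comes from the DH exchange.
func demoAuthKey() []byte { k := make([]byte, 256); for i := range k { k[i] = byte(i*7 + 3) }; return k }
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// msg_key = middle 16 bytes of SHA-256(auth_key fragment || padded plaintext), as the FAQ states.
func msgKeyFor(ak, padded []byte) []byte { h := sha256.Sum256(cat(ak[88:120], padded)); return h[8:24] }

// AES key and IV depend on msg_key AND auth_key (offsets per MTProto 2.0, x=0 for client-to-server).
func deriveKeys(ak, msgKey []byte, x int) (key, iv []byte) {
	a := sha256.Sum256(cat(msgKey, ak[x:x+36]))
	b := sha256.Sum256(cat(ak[40+x:76+x], msgKey))
	return cat(a[:8], b[8:24], a[24:]), cat(b[:8], a[8:24], b[24:])
}

// AES-256 in IGE mode (MTProto's block mode): each block chains to the previous ciphertext AND
// plaintext block, so one flipped ciphertext bit garbles that block and every later one.
func ige256(key, iv, in []byte, enc bool) []byte {
	blk, _ := aes.NewCipher(key)
	out, x, y := make([]byte, len(in)), iv[:16], iv[16:32] // x: prev ciphertext, y: prev plaintext
	if !enc { x, y = y, x }
	for i := 0; i < len(in); i += 16 {
		chunk, tmp := in[i:i+16], make([]byte, 16)
		for j := range tmp { tmp[j] = chunk[j] ^ x[j] }
		if enc { blk.Encrypt(tmp, tmp) } else { blk.Decrypt(tmp, tmp) }
		for j := range tmp { tmp[j] ^= y[j] }
		copy(out[i:], tmp)
		x, y = tmp, chunk
	}
	return out
}

// Seal: 4-byte length || message || 12..1024 random padding bytes (here 12..27, to a block boundary);
// msg_key is computed over that plaintext, and the ciphertext uses keys tied to auth_key.
func sealMessage(ak, msg []byte) (msgKey, ct []byte) {
	n := len(msg)
	pad := make([]byte, 12+(16-n%16)%16)
	if _, err := rand.Read(pad); err != nil { panic(err) }
	padded := cat([]byte{byte(n), byte(n >> 8), byte(n >> 16), byte(n >> 24)}, msg, pad)
	msgKey = msgKeyFor(ak, padded)
	key, iv := deriveKeys(ak, msgKey, 0)
	return msgKey, ige256(key, iv, padded, true)
}

// Open: decrypt, recompute msg_key over the recovered plaintext, discard on mismatch.
// A wrong auth_key, a flipped ciphertext bit or a forged msg_key all fail here, silently.
func openMessage(ak, msgKey, ct []byte) (msg []byte, ok bool) {
	if len(msgKey) != 16 || len(ct) < 16 || len(ct)%16 != 0 { return nil, false }
	key, iv := deriveKeys(ak, msgKey, 0)
	p := ige256(key, iv, ct, false)
	if !bytes.Equal(msgKeyFor(ak, p), msgKey) { return nil, false }
	n := int(p[0]) | int(p[1])<<8 | int(p[2])<<16 | int(p[3])<<24
	if n < 0 || n > len(p)-16 { return nil, false }
	return p[4 : 4+n], true
}
```

Because the receiver only learns whether the recomputed msg_key matches, a forged or corrupted message is rejected without any error being sent back, which is the silent discard the FAQ describes.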

Server-Client Encryption

How does Telegram work at its most elementary and general level? The layer of MTProto dealing with cloud chats that are based on server-client encryption consists of three independent components:

  • High-level component, or API query language, which defines the process through which API queries and responses become binary messages.
  • Cryptographic component, or authorization layer, which defines how messages are encrypted before going out towards the transport component.
  • Transport component, which defines the way in which the client and the server transmit the messages using already-existing network protocols such as HTTP, HTTPS, UDP, TCP, and so on.

It is important to note at this point that MTProto applies to standard cloud chats on mobile devices only, and does not feature end-to-end encryption by default. This is a notable security concern regarding Telegram that I will get into more towards the end of this article.

Are you interested in the functioning of these methods from an even more technical standpoint? Have a look at the image attached below, which can be found in Telegram’s official FAQ section. Check out their detailed description section for an in-depth explanation of the terminology that is used.

MTProto Mobile Protocol for Cloud Chats

Image Source: Telegram

End-to-End Encryption

Telegram secret chats differ from standard ones because they are encrypted end-to-end. What does this mean for you, the user? Well, as per the app’s FAQ, this entails that only the sender and the recipient can read the messages in a secret chat. Nobody else can decrypt them, including Telegram staff.

Messages from a secret chat cannot be forwarded, and any attached media can be set to self-destruct after a preset amount of time. What is more, if one participant deletes the chat, the other will be required to do so as well. This is made possible by the fact that secret conversations on Telegram are device-specific and not stored in the cloud. Therefore, it is implied that your data is safe as long as your mobile phone stays by your side.

For a more technical overview of the end-to-end encryption process utilized in secret chats, you can check out the image embedded below, as well as the dedicated section in the advanced Telegram FAQ.

MTProto Mobile Protocol for Secret Chats

Image Source: Telegram

Telegram Privacy Policy

It’s no secret that the app has gained notoriety for its presumed superiority over other instant messaging apps. However, one look at its Privacy Policy will uncover that its approach is more or less the same as that of any other similar service.

What seems to concern other people I’ve seen write about the topic (such as Restore Privacy’s Heinrich Long) is the info provided under section 5 of the Telegram Privacy Policy, which is titled Processing Your Personal Data. By accepting it, you grant Telegram the right to do certain things with your data that might raise concerns.

How Does Telegram Process Personal Data?

First of all, Telegram’s spam and abuse prevention procedure involves collecting information such as IP addresses, device details, history of username changes, and more. This data, if collected, is stored for a maximum of 12 months before being deleted. That gives malicious third parties plenty of time to access it, if you ask me.

Second of all, Telegram moderators are permitted to read standard chat messages that are flagged for spam and abuse to determine whether or not the allegation is accurate. While this is a commonsensical practice, it also means that other people can read what you write on there. Zoinks.

Finally, the app might also store aggregated metadata to better tailor your experience. For example, it calculates a rating based on who you message most often to create a personalized list of contacts that appear when you open the Search menu.

None of these three practices is unheard of in the digital world. However, users need to be aware of how their sensitive data is handled before sharing it on an app.

Who Does Telegram Share Your Data with?

Besides the other users you choose to communicate with over the app, Telegram specifies two more potential data destinations in section 8 of its Privacy Policy, titled Who Your Personal Data May Be Shared With. Firstly, and obviously, Telegram shares the personal information of its users with its parent company and a group member which provides support for its services.

However (and you might not have seen this coming if you know the app’s reputation), Telegram also reserves the right to disclose your IP address and phone number to the relevant authorities. This only happens if the company receives a court order stating that a user is suspected of terrorism. This has presumably never happened before, and if it ever does, it will be published in a transparency report.

So… Is Telegram Secure or Not?

Long story short, Telegram is indeed encrypted on multiple levels, which provides user data with an additional layer of security. And while its Privacy Policy might raise some red flags for those of us out there who crave true confidentiality, at the end of the day such stipulations are more than conventional in today’s digital landscape.

All the technical details specified in the previous sections might sound impressive at a first glance, but is Telegram safe in the true sense of the word? Or, is it at least safer than other instant messaging alternatives?

Telegram Security Features

One look at the section on security from Telegram’s dedicated Wikipedia page will give you the answer to these questions, and the answer is no. In fact, Telegram’s security model has been heavily criticized by cryptography experts over the years.

Some of the main issues cited by the Wiki include not making E2E encryption the default for all chats, as well as storing media, messages, and contacts in the same place as decryption keys. The app’s proprietary MTProto Mobile Protocol has also been decried for containing unapproved and homebrewed cryptography that could potentially endanger the personally identifiable information stored on the platform.

Telegram’s claim to fame that it is more secure than other mass-market instant messaging apps such as WhatsApp has been disproved by professionals in the field. As stated above, WhatsApp encrypts all traffic end-to-end by default and operates within the boundaries of the expert-reviewed and approved Signal Protocol. Telegram, as we’ve discussed, attains neither.

In addition to this, researchers from Aarhus University in Denmark demonstrated in 2015 that Telegram does not achieve authenticated encryption or indistinguishability under chosen-ciphertext attack. Pavel Durov has defended the app publicly on numerous occasions, but reproach still arose regularly.

Telegram Security Breaches

This being said, is Telegram secure in the face of cyberattacks at least? The answer is still no. In fact, the app has fallen victim to plenty of breaches in recent years, the most notable of which I will briefly enumerate below.

On June 13, 2019, during the Hong Kong protests, Telegram suffered a denial-of-service attack performed by IP addresses linked to mainland China.

On March 30, 2020, a public Elasticsearch database containing the information of 42 million Iranian Telegram users was found exposed on the web. The app has been completely banned in the country since May 2018. This was just one of the numerous security breaches involving Iran on Telegram.

On October 19, 2020, hackers with access to Signaling System 7 (SS7 for short), the protocol used to link mobile networks across the globe, gained access to Telegram messenger.

Minimizing the Cybersecurity Risks Associated with Telegram

To sum up the discussion thus far, Telegram is an instant messaging app that employs a custom encryption protocol known as MTProto. This has been heavily criticized by some experts over time, among other questionable approaches the app has taken. Plus, Telegram is no stranger to security breaches, especially over the last year or so.

However, there are many reasons you might still want to use it. Although E2E encryption is not its default, having the option to choose between regular and secret chats has a certain charm. And it’s not as if the alternative doesn’t exist at all.

Furthermore, Telegram is GDPR-compliant and supports two-step authentication. Its custom protocol, published under an open-source model, makes it a favorite among tech enthusiasts. Plus, you can add your own stickers. All in all, I’m not saying you should skip out on it entirely. Nevertheless, if you do choose to communicate on it, here are a few things you should consider from case to case.

Telegram for Home Users

Telegram comes in both mobile and desktop variants, and the latter is pretty well-optimized too. However, if you recall what I’ve mentioned eons ago at the beginning of this article, the MTProto Mobile Protocol applies to chats stored on mobile devices only. It’s right there in the name, actually. But what does this mean for you, a home user?

It means that, unfortunately, there is no secret chats option on desktop, and thus no end-to-end encryption. In October of 2018, BleepingComputer reported that Telegram Desktop stores chats locally in plain text files. These are not encrypted in any way, and thus easily readable and accessible to malicious third parties that might infiltrate your machine.

Therefore, my recommendation is to protect your devices on all fronts. Heimdal Security’s very own Heimdal™ Threat Prevention Home can help you with that. Its proprietary DarkLayer Guard™ & VectorN Detection is optimized for both mobile and desktop devices by filtering traffic at the level of the Domain Name System and impeding any malicious communications.


As an extra treat for desktop users, Heimdal™ Threat Prevention Home also integrates the Heimdal™ Patch & Asset Management software. XPR deploys relevant patches and updates within hours of their release, ensuring that all your device’s vulnerabilities are closed for good.

Telegram for Business

Are you already using Telegram to increase your company’s visibility, or are you at least considering it? According to the MailUp Blog, the instant messaging app might just be that additional marketing channel you have been looking for.

Although Telegram does not have a designated Business model in the same way as WhatsApp or Skype do, it can still be used for corporate purposes. It is a great medium for both internal and external communications, as well as customer care.

Nonetheless, you’ve ideally read everything I’ve had to say about the app thus far. Telegram is not entirely secure, especially when you’re using it for business. This is why I recommend going the extra mile and using a cybersecurity solution such as Heimdal™ Threat Prevention in tandem with the instant messaging app.


In a similar way to its Home counterpart, Heimdal™ Threat Prevention blocks cyberattacks before they even reach your company’s endpoints, servers, or network. And while DarkLayer Guard stops ransomware and other unknown threats at the DNS, HTTP, and HTTPS layers, Heimdal™ Patch & Asset Management patches over 85% of vulnerabilities to ensure the complete security of your systems.

Telegram for Journalists

Telegram’s predominantly young audience, convenient format, high engagement rates, and privacy settings helped it become a favorite among journalists. But while the benefits of using Telegram for various news-related purposes are undeniable, I strongly advise you to double-check the app’s Privacy Policy regularly if you are a journalist.

The story so far is that the app might share your information with authorities if requested. Plus, its bulletproof image relies more on clever marketing than on actual technical superiority. Choose what you share on it carefully.

One Last Thing Before You Go…

So, is Telegram secure? No, or at least not to the degree it likes to present itself as being. Nonetheless, it has its advantages as an instant messaging app and can become a great business asset as well. By taking the right security precautions beforehand, Telegram, with its user base of 300 million, is a place where you can connect with friends, family, customers, leads, or anyone and everyone else.

Are you an active Telegram user? What are your thoughts on its security features and privacy policy? Let me know in the comment section below, I’d love to read all about your opinions!

Author Profile

Alina Georgiana Petcu

Product Marketing Manager


Alina Georgiana Petcu is a Product Marketing Manager within Heimdal™ Security and her main interest lies in institutional cybersecurity. In her spare time, Alina is also an avid malware historian who loves nothing more than to untangle the intricate narratives behind the world's most infamous cyberattacks.

Comments

Your points about MTProto are wrong. Yes, Telegram has been criticized for its MTProto 1.0 encryption algorithm but they do not use it anymore.
They now use MTProto 2.0 encryption which has now been audited and peer-reviewed to be safe.

I have been using Telegram on my Android device for chats between family and friends. When my wife sent me a photo through a secure Telegram chat, I was surprised to see it show up in Google Photos, as a folder not being synced.

It seems like the transport is encrypted, but on your device Google can read the chat. Or are the photos sent unencrypted and end up in a media folder? Either way, this is a problem.

Bottom line:

Telegram in tandem with Thor Foresight Enterprise is the unbeatable option.

Thanks a lot for your awesome work!

Neither SS7 nor the Hong Kong protests is fair to Telegram, because it is not Telegram’s fault.

Hi, I got an email from a guy claiming to be Johnny Depp the actor. He asked if I would download Telegram messaging instead of Hangouts; he said he is having problems with Hangouts. I am pretty sure this is an impostor claiming to be Johnny Depp. I don’t feel safe with Telegram messaging, as well as other apps. I am blocking this guy. Is Telegram messaging a safe app?

Can this App do video calls like WhatsApp ?

Yes Patrick, you can use Telegram for video calls as well.

Telegram Desktop for macOS is the only affected system that stores chats locally in plain text files. The app named Telegram Desktop (Windows, Linux) does not store messages on your drive and encrypts everything with your local passcode.

Telegram is secure but is not safe.

Thanks for the great article Alina.

In my opinion, including the SS7 access from Oct/19 on the list is not completely fair to Telegram, since it did not affect only the app. But I got your point 🙂

We can use an email as 2FA, which in this case won’t be affected by SS7. I was hoping they might come up with an API to support, for example, the Microsoft Authenticator app. That would be awesome.
