How secure is the Telegram app


10 simple tips for safe and secure chats

By Jon Gilbert and Alessandro Mascellino

Minimize security risks and increase your privacy on Telegram

Using a secure messaging app is a great way to keep your Android phone secure. However, Telegram has notorious vulnerabilities that can open your messages to third parties. Unlike other privacy-focused messaging apps, Telegram offers different levels of safety and security based on your settings. Here are some essential tips to get you started.

How to use secret chats

While we love Telegram's cloud capabilities and multi-device sync, these come with a privacy trade-off. Regular chats on Telegram are not end-to-end encrypted, meaning third parties can intercept and read your messages. Telegram provides end-to-end encryption in its "secret chat" option. However, if you're using Telegram across multiple budget Android phones, you won't be able to move secret chats between them.

To start a secret chat, follow these steps:

  1. Open Telegram.
  2. Tap the pencil icon (new chat) in the lower-right of your screen.
  3. Tap New Secret Chat.
  4. Select a contact to start a secret chat.

How to enable two-step verification

Enabling two-step verification (2SV) is a good security practice, no matter which app you use. Once activated, you'll enter a password every time you log in to Telegram from a new device. If you forget your 2SV password, you can recover it through your email.

Here's how to enable two-step verification on Telegram:

  1. Open Telegram.
  2. Tap the menu button in the upper-left corner of your screen.
  3. Tap Settings.

  4. Tap Privacy and Security.
  5. Tap Two-Step Verification.
  6. Enter a password.

How to disable active sessions

Having multiple Telegram sessions open simultaneously can be helpful, especially if you own multiple devices. Occasionally, you may have to use Telegram on devices you do not own. It's easy to forget what devices you're logged into, so Telegram lets you view and terminate active sessions from one device.

To view and disable active Telegram sessions, follow these steps:

  1. Open Telegram.
  2. Tap the menu button in the upper-left corner of your screen.
  3. Tap Settings.
  4. Tap Privacy and Security.

  5. Tap Active Sessions.
  6. Tap Terminate all other sessions.

How to send self-destructing media

Self-destructing media disappears from a chat after a certain amount of time (for example, Snapchat images are self-destructing media). You can send self-destructing media in both regular and secret conversations.

Here's how to enable self-destructing media on Telegram:

  1. Open Telegram.
  2. Select a chat.
  3. Tap the Attach icon in the lower-right corner of your screen.
  4. Choose an existing image or take a new one.

  5. Tap the stopwatch button next to the Send button.
  6. Select how long you wish your media to last.
  7. Tap the Send button.

How to delete messages

Telegram allows you to delete your messages and those sent to you in one-to-one chats. While not ideal for socializing, this feature is a plus for privacy, particularly if you have lost one of your devices and want to make sure no one can read your private messages.

Here's how to delete messages:

  1. Open Telegram.
  2. Open a chat.
  3. Long-press on any chat message.
  4. Tap the Delete button in the upper-right corner of your screen.

  5. Select the Also delete for checkbox to delete it for the other person.
  6. Tap Delete.

How to lock chats

Some Android phones allow you to set up app-specific locks via a password, PIN, or biometric authentication. If your Android phone does not have this feature, Telegram has got you covered.

To lock chats:

  1. Open Telegram.
  2. Tap the menu button in the upper-left corner of your screen.
  3. Tap Settings.
  4. Tap Privacy and Security.

  5. Tap Passcode Lock.
  6. Tap Enable passcode.
  7. Choose a passcode, and then tap Confirm.

How to set up a proxy server

There are many great VPNs available for Android, but you may not want or be able to use one. Fortunately, Telegram has a feature that lets you hide your IP address behind a proxy server.

Here's how to set up a Telegram proxy server:

  1. Open Telegram.
  2. Tap the menu button in the upper-left corner of your screen.
  3. Tap Settings.
  4. Tap Data and Storage.

  5. Scroll down and tap Proxy settings.
  6. Tap Add Proxy.

How to check group permissions

Being added to random groups with thousands of users is always a bad idea from a security standpoint. Telegram lets you specify who can add your account to groups.

Here's how to change your group permissions:

  1. Open Telegram.
  2. Tap the menu button in the upper-left corner of your screen.
  3. Tap Settings.
  4. Tap Privacy and Security.

  5. Tap Groups.
  6. Change Everybody to My Contacts.

Some business accounts on Telegram that are run by bots allow you to complete payments directly within the app. We recommend exercising caution when providing personal details via Telegram.

If you decide to share your payment and shipping information, delete it as soon as possible by following these steps:

  1. Open Telegram.
  2. Tap the menu button in the upper-left corner of the app.
  3. Tap Settings.
  4. Tap Privacy and Security.

  5. Tap Clear Payment and Shipping Info.
  6. Select the Shipping info and Payment info checkboxes.
  7. Confirm your changes by tapping Clear.

How do I adjust Telegram's 'delete my account' timer?

Last, it's good to think about what might happen should you lose access to your account. Telegram comes with a "delete my account" feature designed precisely for scenarios like this.

Follow these instructions to set up a timer after which Telegram will permanently delete your account:

  1. Open Telegram.
  2. Tap the menu button in the upper-left corner of your screen.
  3. Tap Settings.
  4. Tap Privacy and Security.

  5. Tap If away for under the Delete my Account heading.
  6. Choose a period of time.

Have fun and be safe

Chat safely and securely with Telegram. These Telegram tips will help you chat with peace of mind. If you want to improve your security on any app, use a 2FA app like Google or Authy to secure your accounts. While not every app has 2FA support, most popular shopping and messaging apps do.

Is Telegram safe? | NordVPN

Contents

  • How safe is Telegram?
    • Only Telegram’s “secret chats” are end-to-end encrypted
    • Telegram records your information for up to 12 months
    • Telegram uses MTProto despite being open source
  • 3 Secure alternatives to Telegram
    • Signal vs Telegram
    • Signal vs WhatsApp vs Telegram

How safe is Telegram?

Telegram is encrypted, private, secure, and independent, making it a better alternative to WhatsApp, which is owned by data-harvesting Facebook.

  • In 2018, British consulting firm Cambridge Analytica collected millions of Facebook users' data for political advertising, without their consent.
  • In 2021, WhatsApp was fined $255M by an EU privacy watchdog for not explaining how it handled users’ and nonusers’ data and for sharing user data with other Facebook-owned companies.

While all Telegram messages are encrypted, they’re only encrypted while in transit from your device to Telegram’s servers. Once your data arrives on Telegram servers, it's decrypted and could be seen by Telegram. This is why end-to-end encryption is so important.

But is Telegram end-to-end encrypted?

Only Telegram’s “secret chats” are end-to-end encrypted

Telegram’s usual private and group chats aren't end-to-end encrypted, only secret chats are. This means that your conversations and personal information can be stored on Telegram’s servers and accessed by staff and third parties.

If you want complete privacy, use Telegram’s secret chat option. All of your data, including text, media, and files, are encrypted with an extra layer of client-client encryption. And no media or files that you send or receive via Telegram can be deciphered and intercepted by your internet service provider, owners of Wi-Fi routers you connect to, or other third parties.

Telegram’s secret chats:

  • Use end-to-end encryption.
  • Leave no trace on Telegram’s servers.
  • Support self-destructing messages.
  • Don’t allow forwarding of messages.

Good to know: Secret chats are not part of the Telegram cloud and can only be accessed on the device on which the chat took place.

Telegram records your information for up to 12 months

Telegram’s privacy policy includes information on the personal data it collects from you, how the company stores it, what it’s used for, and who it’s shared with.

In fact, Telegram records and stores your IP address, device information, and username changes for up to 12 months.

As a public messaging app, Telegram is also required to investigate concerning matters and provide your phone number and IP address to the authorities if legally asked to do so.

Telegram uses MTProto despite being open source

When an app says that it’s “open source,” it means that the code that makes up the app can be inspected by the public and security experts for weaknesses. This factor obviously helps make the app more secure and honest.

But there’s a small issue. Telegram uses a unique encryption protocol known as MTProto.

MTProto was developed by Telegram, and it’s the only company that uses the protocol. This means that it hasn’t been tested as much as other more common protocols. So if there IS a vulnerability in MTProto, we wouldn’t really know about it.

3 Secure alternatives to Telegram

If you’re looking for an alternative to Telegram but still want to stay private and secure, you have plenty of options.

Here are 3 secure messaging apps to choose from:

1. Wickr

  • Wickr is free and end-to-end encrypted.
  • You can send private self-destructing messages to other Wickr contacts (text, photo, video, voice).
  • Wickr deletes geotags (your location/s) and message time-stamps.
  • Users can verify themselves with short bursts of encrypted video.
  • Wickr has screenshot detection and blocks third-party keyboards on iOS.

2. WhatsApp

Despite being owned by Facebook, WhatsApp’s default end-to-end encryption can arguably protect users from Facebook spies.

  • All WhatsApp chats are end-to-end encrypted by default. So cybercriminals can’t decrypt your conversations even if they tried.
  • Users can enjoy standard features like calling, video calling, voice messaging, and file sharing.

3. Signal

  • Signal is end-to-end encrypted by default and uses a commonly respected encryption protocol.
  • It lets you send anonymous messages so even the Signal server doesn’t know who the sender is.
  • You can blur faces in the photos that you send.
  • Signal has no trackers or advertisers – so illicit data sharing is less likely.

Signal vs Telegram

Signal is probably your best bet in terms of security and easily wins the Signal vs. Telegram debate. Here’s why:

    1. Extra verification: Signal lets you verify that your conversation is genuinely private. Each Signal conversation has a unique device safety number to verify the security of your messages and calls with certain contacts.
    2. Password lock messages: Signal lets you set a password for the app, so even if someone gets into your phone, your Signal messages stay locked.
    3. It is possible to go phone number free: Signal is working on using a PIN to allow users to verify themselves instead of a phone number (giving you more anonymity).

    Signal vs WhatsApp vs Telegram

    WhatsApp is end-to-end encrypted by default unlike Telegram, where you may accidentally expose your chats if you forget to use the “secret chat” function. However, WhatsApp IS owned by Facebook, one of the world’s biggest data collectors – a reason to be cautious.

    Signal offers the best of both: it is end-to-end encrypted by default, lets you hide your chats even from Signal itself, and is independently owned.

    For absolute anonymity, use a burner sim when signing up to use messaging apps so you don’t get tracked through your normal phone number. Your messaging app should always be end-to-end encrypted for both one-on-one chats AND group chats. If it is, we’re more likely to give it our seal of approval.

    Is Telegram safe? Or how I searched for a backdoor in MTProto / Habr

    Telegram is a messenger for smartphones that positions itself as secure, protecting not only from intruders but also from government agencies like the NSA. To achieve this security, Telegram uses its own creation, the MTProto cryptographic protocol, whose reliability many doubt, and so do I.

    After the announcement of a reward for decrypting messages, I tried to understand MTProto. That it is impossible (or at least very difficult) to decrypt a given set of bytes is immediately clear, but eavesdropping on messenger traffic is not the only type of attack.

    My first thought was the possibility of a MITM (man-in-the-middle) attack, so I went to read the API protocol. It turned out that the protection here is quite reliable: when the client is first launched, an authorization key is created directly on the client device using the Diffie-Hellman key exchange protocol, but with a slight difference: the public key of the Telegram server is already hard-coded in the client code, which rules out its substitution by third parties.

    Then I installed the client and entered the phone number, and what surprised me most was that I did not need to enter any password; instead, an SMS with a one-time five-digit confirmation code arrives on the phone. I took a second phone, installed the client, entered the same number as the first time, received another five-digit code, entered it on phone number 2, and was successfully authorized. That is, here is the first vulnerability. Telegram piled on a lot of algorithms and ruled out the possibility of intercepting and replacing traffic, but forgot about the ordinary password. The attacker does not need to listen to the messenger traffic; they only need to intercept the SMS, and access is obtained without problems.

    Moving on. Telegram has chats with end-to-end encryption, where the key is known only to the participants and messages are encrypted with it. This key is obtained with the same Diffie-Hellman algorithm. Many messenger users ask to be able to exchange public keys via NFC and QR codes in order to completely eliminate the possibility of MITM attacks, including from the Telegram server side. Employees of Digital Fortress (the company that developed the messenger) argue that such functionality is redundant (which is already suspicious), and that you can make sure no one has changed the public keys generated by the other party by comparing the visualization of the key (in the form of a picture).

    And there are a couple of buts:

    After one of the participants logs out, the chat key will be regenerated, and I can only check that I have the same key as the other person by looking at their phone with my own eyes. Why do I need an encrypted chat if the other person is a meter away from me?

    I looked into the secure chats API, and this pseudocode caught my eye:
    key = (pow(g_b, a) mod dh_prime) xor nonce
    This is the code for obtaining a shared key using the DH algorithm, almost. Let me remind you that the original DH algorithm has the form:
    key = pow(g_b, a) mod dh_prime

    Variables in expressions:

    • key - the secret key used to encrypt traffic,
    • g_b - the public key of the other party,
    • a - your private key,
    • dh_prime - a public prime number,
    • nonce - a “random” sequence received from the Telegram server for calculating the key.

    Question! Why such a modification to the algorithm? If the nonce is the same sequence for both clients, then it will simply turn the key inside out without making it any safer. But if it is different, then the Telegram server can pick nonces such that the users' keys match even during a MITM attack, and no one will know that they are being listened to. And even if the nonce matches for the 2 participants today, there is no guarantee that the nonce will match tomorrow, when the NSA / FSB / some other unsavory organization comes to the Digital Fortress office.

    Let's turn to Alice and Bob for clarification. The attack can go like this:

    1. Alice starts a secret chat with Bob and informs the Telegram server about it. The server gives Alice an open prime number (p) and a primitive root mod p (g). Alice generates her private key (a) and based on it the public key (A) which she sends to the server.
    2. The server generates its own keys (t and T) and passes T to Bob under the guise of Alice's public key. Together with T it passes g, p and a random sequence (b_nonce).
    3. Bob similarly generates the keys (b, B) and calculates the secret key (s). He returns his public key (B) to the server.
    4. The server calculates s and, based on it, a completely non-random sequence (a_nonce), transmits T as Bob's public key and a_nonce as a random sequence.
    5. Alice calculates a secret key that is equal to both Bob's key and the server's key.
    6. Bob looks at the visualization of the key in Alice's phone and, seeing the same key as his own, uses the service without suspicion. And Telegram accumulates long logs without any obstacles.
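Steps 1-6 above can be replayed in a few lines to see why comparing key pictures stops being a check once the server supplies the nonce. This is an added example, not code from the article or from Telegram; the toy group (`P`, `G`) and the `fingerprint` function standing in for the key visualization are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not Telegram's real group):
P = 2**127 - 1   # dh_prime: a 127-bit Mersenne prime
G = 3            # g
KEY_BYTES = 16


def keypair():
    """Return (private, public) with public = g^private mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive(peer_pub, priv, nonce=0):
    """The page's pseudocode: (pow(g_b, a) mod dh_prime) xor nonce.
    nonce=0 reduces it to original Diffie-Hellman."""
    return pow(peer_pub, priv, P) ^ nonce


def fingerprint(key):
    """Hypothetical stand-in for the key visualization users compare."""
    return hashlib.sha256(key.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


def run_exchange(server_supplies_nonce):
    """Replay steps 1-6 with the server sitting in the middle of both legs."""
    a, A = keypair()   # step 1: Alice
    t, T = keypair()   # step 2: the server's own pair; T goes to both sides
    b, B = keypair()   # step 3: Bob

    # Steps 2-3: Bob receives T plus a genuinely random b_nonce.
    b_nonce = secrets.randbits(127) if server_supplies_nonce else 0
    bob_key = derive(T, b, b_nonce)

    # Step 4: the server recomputes Bob's key, then solves for the a_nonce
    # that forces Alice onto the same value.
    server_bob_leg = derive(B, t, b_nonce)
    a_nonce = (pow(A, t, P) ^ server_bob_leg) if server_supplies_nonce else 0

    # Step 5: Alice derives her key from T and a_nonce.
    alice_key = derive(T, a, a_nonce)

    return {
        "alice_fp": fingerprint(alice_key),
        "bob_fp": fingerprint(bob_key),
        "server_reads_alice": derive(A, t, a_nonce) == alice_key,
        "server_reads_bob": server_bob_leg == bob_key,
    }


if __name__ == "__main__":
    for mode in (True, False):
        r = run_exchange(mode)
        print(f"server nonce={mode}: match={r['alice_fp'] == r['bob_fp']} {r}")
```

With the server-chosen nonce the two fingerprints are identical although the server holds the key; with original Diffie-Hellman (nonce fixed to 0) the same interception leaves Alice and Bob with different fingerprints, which is exactly what the visual comparison is meant to catch.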

    So is it worth using? If you want a simple, quick chat, Telegram is a great app. If you are paranoid, then you definitely should not use it. Because even if I made a mistake and wrote complete nonsense, Telegram knows everything about you: phone number, contacts, SMS messages, location, with whom and when you communicate. Pay attention to the list of permissions for the application. That is, in my opinion, Telegram is a fast, convenient, but not at all private chat.

    UPD: The story ended well. The vulnerability has been fixed, the documentation and applications have been updated, and bug hunters are motivated, which has already paid off (1, 2). We must pay tribute to the developers of Telegram, who immediately responded to the article.

    Is Telegram really secure?

    12/16/2020

    Author: CHIP

    Telegram is trying to prove that it is the most secure messenger in the world that will never leak your data to anyone. In this article, we look at how true that is and how to protect your privacy when using the application.

    Telegram: How secure is this messenger?

    This is only partially true. Although end-to-end encryption is used for voice and video calls, it is not enabled by default for regular chat messages. Messages are encrypted end-to-end only if you use "Secret Chat". This is only possible in private, not group chats.

    Messages are encrypted between client and server by default - however, this makes the data available to the operator or potential attacker. Accordingly, Telegram, compared to other instant messengers such as WhatsApp, does not provide much security at all.

    Another security aspect is the phone number. It is necessary for registration in Telegram. However, you can hide your number when contacting other users. Of course, this is an important advantage compared to WhatsApp.

    How to communicate securely on Telegram

    To communicate using Telegram as safely as possible, use our tips: