The popular messaging app Telegram touts end-to-end encryption as one of its primary features, but may not be as secure as its 50 million users might think.
A security researcher says attackers can easily retrieve encrypted Telegram messages from devices used to send or receive them, even when the chats have been supposedly deleted permanently.
Private information that users may have shared via Telegram can be retrieved in plain text from the device, said Zuk Avraham, chief technology officer of mobile security firm Zimperium.
Telegram has downplayed Mr. Avraham's discovery and said that its encryption works as claimed except when an attacker can gain administrative control of a device running the app. In such situations, no encryption measures can fully protect users, it said.
While demand for secretive chat services has grown as a result of concerns over online snooping by government and law enforcement, the competing claims about Telegram highlight the risk of sharing sensitive data via online services that tout strong privacy protections.
Services such as Whisper and Secret, for instance, have attracted millions of users by pitching online anonymity as a central theme. But in separate reports last year, researchers found that Whisper tracked its users' general whereabouts and that the identity of Secret users was not always so secret.
Telegram is an app for sending text and multimedia messages on Android, iOS, and Windows devices. Pavel and Nikolai Durov, the brothers behind VKontakte, one of Russia’s largest social networks, launched Telegram in 2013 as a secure alternative to WhatsApp, Line, and other messaging applications.
Telegram claims that more than 50 million people, including many businesses, use it to send an average of 1 billion messages daily. The application is not particularly huge in the US, though it has been among the top-ranked free apps in dozens of countries over the past year.
The Berlin-based nonprofit group managing Telegram has described it as a privacy-oriented app that uses a proprietary protocol called MTProto to securely encrypt data in transit between two parties engaged in a conversation.
The app supports a secret chat feature that touts end-to-end encryption of data in transit and while stored on the device. It offers a self-destruct feature that allows users to set a timer for deleting messages, allegedly without leaving a trace on any device. Telegram claims its app is so secure that it even offers a $300,000 reward to anyone who can recover a text message that was encrypted with the app.
But Avraham said Telegram’s claims are misleading: Data shared via Telegram can be retrieved in clear text at least from a majority of Android devices running the application. He said he took advantage of a previously known vulnerability in an older version of Android to break into a mobile device running Telegram. The vulnerability gave Avraham a way to gain root-level access to the machine, meaning he had complete administrative control of the device.
What he discovered is that anyone with that kind of access can read messages that were sent using Telegram. “The Secure-Chat messages can be read in clear-text in Telegram’s memory,” Avraham said.
Even after a user deletes a message using Telegram’s self-destruct feature, the message can be retrieved in its entirety from the device, said Avraham.
But Markus Ra, head of marketing at Telegram, said the app works as advertised.
“If you assume that the attacker has root access, no app can be secure,” he said. Rooting a device, or gaining control of the device in a manner not intended by the manufacturer, removes security features built into the operating system, said Mr. Ra. “This is why manufacturers never give phone users root access by default.”
Encryption only works when keys are inaccessible to the attacker, said Ra. “If an exploit gives the attacker universal access to a system’s storage and memory — they will always have your key, no matter how many locks you use. No Android app can claim to protect data from a user with root access.”
Avraham contends Telegram’s arguments do little to counter the fact that the application’s encryption is not quite as rock-solid as it would have everyone think.
“You do not need to be a sophisticated actor to access Telegram's secret messages,” said Avraham. “Any app that is running on your device can do it. Telegram should do more to protect their users.”
Telegram’s secret chats is one of eight apps to receive a perfect score for security and privacy from rights advocacy group the Electronic Frontier Foundation. EFF maintains a secure messaging scorecard where it scores apps on various attributes such as encryption in transit, security design, authentication, security audits, and access to encryption keys by the vendor. Telegram’s app, along with seven other applications, scored higher than other better-known communication tools such as AIM, BlackBerry Messenger, Facebook, and Google Hangouts.
Joseph Bonneau, a technology fellow at the EFF, said users have a problem if Zimperium’s claims about the contents of deleted messages still being retrievable from the device are true.
He agrees that privacy protections become useless once an attacker gains full access rights to the device. Even so, he said, Telegram should have implemented measures for ensuring that deleted messages are removed completely from both the sender’s and receiver’s devices.
Matt Clemens, engineer at application security vendor Arxan Technologies, said there are measures that can be applied to protect applications against the type of attack outlined by Zimperium.
The application code itself, for instance, can be protected against reverse engineering.
Measures can be taken to prevent attackers from pulling an application off a compromised device, taking it apart piece by piece and reassembling it so it looks like the original, he said. Similarly, the programming language used to define critical functionality can make a difference. There are also techniques that can be used to make an application aware that the device it is running on has been compromised and shut it down, he said. “There are then no resultant messages in memory or in a cached database for the attacker to try to reconstruct.”