Insights For Success

Strategy, Innovation, Leadership and Security

Threema

Telegram Messenger isn't as secure as you think

General | Edward Kiledjian

Right after the horribly tragic terror attacks in Paris, we started to read badly written articles by journalists trying to attract readers with sensational headlines.

The easiest targets were encrypted communication tools, and one of those is Telegram Messenger. It was said that ISIS/ISIL used Telegram to chat securely and that they considered it a good, solid, secure and trustworthy platform. Does it really deserve that reputation?

I wrote an article in March 2014 that explained some of the shortcomings of this messaging platform.

With all the publicity it is receiving now, I wanted to revisit the tool.

Some of the security issues for people wanting the best security available:

  • Uploading your contacts: In order to register for Telegram, you have to use your real telephone number and upload your phonebook contacts (to find others who are using Telegram). This means they know with absolute certainty who owns each account and have a list of your contacts.

  • Metadata, metadata, metadata: With everything Snowden has released, we know what metadata is and why it is so important to protect. It is how governments around the world can build very accurate profiles of users. Most users will use Telegram Messenger via a smartphone, which is a horribly leaky endpoint for metadata. Even if you encrypt the actual message, your provider, phone manufacturer and phone OS provider know what app is installed, when it was installed, how often it was used, when it was used and for how long. Combining this with triangulated location information and general information collection makes tracking down individual users much easier for crafty, well-funded hackers or governments.

  • Custom encryption: Read my original article about Telegram's custom encryption. We are at a point in information security where there are well-documented, tried, tested and reliable encryption mechanisms, and it is strange that a company comes along and creates its own. This becomes especially worrisome when the protocol and tool aren't completely open sourced.

Looking back at Telegram

Looking back at Telegram 1 year after the original article, I would still rate its security as medium level. It may be better than the most popular platforms but is nowhere near a level I would call really secure.

What’s the most secure instant messaging tool?

I wrote a blog post entitled “The most secure smartphone messaging app” in 2013, and my recommendation still stands. The most secure instant messaging tool available today is Threema. Key management is handled by each user (not by the platform provider, an arrangement that weakens security). Its security model and back-end infrastructure have been independently vetted for security.

WhatsApp to become more secure than Apple Messages

Technology | Edward Kiledjian
Image by downloadsource.fr used under Creative Commons License


I'm an advocate of personal privacy through encryption. I love the Threema instant messenger but none of my contacts used it. This is the problem with secure instant messenger apps: your friends aren't there, so the app becomes useless.

Now WhatsApp is including the encryption functionality of TextSecure from Open Whisper Systems in their Android client, and this will make WhatsApp the most secure instant messenger (beating even Apple's Messages/iMessage).

Like WhatsApp, Apple's iMessage/Messages offers end-to-end encryption, but in Apple's design they control the encryption keys, which means they could create a man-in-the-middle situation and you would never know. In the new encrypted WhatsApp app, the keys are controlled by the client and you will be able to verify the counterparty's encryption key using QR code scanning (similar to Threema) or by verbally exchanging the encryption key verifier. This will make sure beyond any doubt that the messages are encrypted for the intended recipient and no one else.
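The difference between trusting the provider's key server and verifying a key in person, as an added example that is not from the original post and is not WhatsApp's, TextSecure's or Threema's actual code. `KeyDirectory`, `fingerprint` and the verifier format are hypothetical, and random bytes stand in for real public keys.

```python
import hashlib
import hmac
import os


def fingerprint(identity: str, public_key: bytes) -> str:
    """Short key verifier to show as a QR code or read aloud (format is an assumption)."""
    digest = hashlib.sha256(identity.encode() + b"\x00" + public_key).digest()
    hexed = digest[:16].hex()
    return " ".join(hexed[i:i + 4] for i in range(0, len(hexed), 4))


class KeyDirectory:
    """Hypothetical provider-run server that hands out contacts' public keys."""

    def __init__(self):
        self._keys = {}

    def publish(self, identity: str, public_key: bytes) -> None:
        self._keys[identity] = public_key

    def lookup(self, identity: str) -> bytes:
        return self._keys[identity]


def verify_contact(directory: KeyDirectory, identity: str, shown: str) -> bool:
    """Compare the key the server served with the verifier the contact showed in person."""
    served = fingerprint(identity, directory.lookup(identity))
    return hmac.compare_digest(served, shown)


def demo():
    directory = KeyDirectory()
    bob_key = os.urandom(32)  # constructed stand-in for Bob's real public key
    directory.publish("bob", bob_key)
    # Bob's phone derives the verifier from its own key, never from the server.
    shown_by_bob = fingerprint("bob", bob_key)
    honest = verify_contact(directory, "bob", shown_by_bob)
    # The provider (or whoever controls it) replaces Bob's key with its own.
    directory.publish("bob", os.urandom(32))
    swapped = verify_contact(directory, "bob", shown_by_bob)
    return honest, swapped


if __name__ == "__main__":
    print(demo())
```

Without the out-of-band comparison, the client would accept whichever key the directory served, which is the provider-controlled situation the paragraph above describes.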

How will it work?

When you start a conversation with another WhatsApp Android user running the latest version, you will be asked to initiate a secure session. Once initiated, you will see a visual marker (lock icon) in a couple of places to remind you the session is protected: next to the send button, next to each encrypted message and in the title bar.

When?

If you are using the latest Android client, your version already includes the new end-to-end encryption mechanism and it is activated when talking to other Android-based WhatsApp users.

Although I haven't seen any promises from WhatsApp for an iOS version upgrade containing this secure technology, I am confident we will eventually see it on iPhone as well.