Is Telegram Secure? What it takes to build a secure messaging app
6 Jan 2022
Is it secure? We ask this question whenever we are going to access any social network, messenger, online store, or virtually any app where we need to provide personal data. After notorious security breaches in Facebook, LinkedIn, Yahoo, and many other applications, where massive amounts of user data got exposed, we tend to think twice before trusting our data to social media.
Telegram Messenger, an instant messaging app, can raise such concerns, too. On the one hand, Telegram has been around since 2013, when it was founded by Pavel Durov and his brother, Nikolai Durov, and in 2021 it reached as many as 500 million active users. On the other hand, Telegram has not been immune to cyber attacks, one of which occurred in 2020 and resulted in a leak of the personal data of millions of Telegram users.
Still, Telegram remains an IM app of choice for millions of users, and every day, more people consider adopting it for themselves. So, is Telegram secure?
Telegram’s security concept
Telegram implements quite a number of security measures and mechanisms that it explains in its FAQ. Particularly, Telegram secures messaging in its network using the following mechanisms:
Custom protocol. Telegram uses MTProto, a protocol developed specially for use in this network. This protocol was chosen as a solution to the problem of sending large files over weak connections. MTProto performs at a satisfactory level in such situations.
Data encryption. Telegram uses two layers of encryption: client-server/server-client encryption and end-to-end encryption. The client-server/server-client encryption layer is the standard method applied to all chats that are referred to as Cloud Chats. End-to-end encryption is used in so-called Secret Chats, which are protected in a stronger way. Telegram explains this setup as necessary to enable restoration of chat history for Cloud Chats.
Secret Chat. For users who seek a higher level of security and privacy, Telegram has its Secret Chat option. Secret Chats are protected with end-to-end encryption and are device-specific. In a Secret Chat, messages are never stored in the Telegram cloud but are only kept on the users’ mobile phones. When a message is deleted on one side of the conversation, it is also deleted on the other side. Logging in from another device does not allow access to Secret Chats. However, they are secure only as long as the users’ devices are secure.
Self-destructing messages. As an additional security layer, Telegram allows setting a timer to have chat messages self-destruct after the specified time. This feature is available for all Secret Chats and media messages in Cloud Chats. A message set to self-destruct will be removed from both the sender’s and the recipient’s mobile devices.
Two-step verification. The default settings of Telegram require only an SMS code to log in. However, as an additional layer of security, users may enable two-step verification that requires an additional secret password to be entered together with the SMS code.
Telegram security – pros and cons
Telegram’s security model has a lot of points speaking in favor of this IM app. However, there are certain things you need to pay attention to if you choose Telegram as your instant messenger.
Pros
Open-source app. Telegram publishes both its source code and libraries on GitHub, thus allowing anyone to verify that the same code is actually used in the Telegram apps offered for different platforms and distributed via app stores. With source code published openly, any developer can audit and evaluate the end-to-end encryption algorithms applied in Telegram.
Use of a custom protocol. Telegram developed its own communication protocol, MTProto, that was created with communication improvement in mind.
2-step verification increases account security.
End-to-end encryption in a Secret Chat.
GDPR compliance. As a product offered in the EU, Telegram complies with the regulations of GDPR as to the handling of user data.
Cons
End-to-end encryption only for Secret Chats. In Telegram, chats are not protected by end-to-end encryption by default. It is only enabled for Secret Chats. Messages sent in the basic Cloud Chats are protected with client-server encryption, which is less secure than the end-to-end method.
Messages stored on the servers. For Cloud Chats, Telegram opted for client-server encryption with message storage in the Telegram cloud. This option was chosen in order to enable restoring message history when the user switches to another device. In Secret Chats, however, messages are only stored on the particular device they were sent from and cannot be retrieved from multiple devices.
Support of large group chats. Telegram allows up to 200,000 users in a group chat. While it may be an advantage from the perspective of user experience, it poses a certain security risk, as such large groups are hard to monitor for possible malicious intent.
Access to user’s address book. Upon sign-up, Telegram requests access to the entire contact list in the user’s smartphone, which it then stores together with the rest of the user’s data. This way, it gets access to contacts who are not even Telegram users yet.
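The difference between the two encryption layers described above can be modeled in a few lines. This is an added example, not Telegram's code and not MTProto: the cipher is a constructed stand-in built from SHA-256 and HMAC, the Server class and all names are hypothetical, and the end-to-end key is assumed to have been agreed between the two devices beforehand.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode as a stand-in keystream (constructed, not MTProto's cipher)
    stream = b"".join(hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return _xor_stream(key, nonce, ct)

class Server:
    def __init__(self):
        self.device_keys = {}    # one transport key per logged-in device
        self.cloud_history = []  # Cloud Chat messages, readable by the server
        self.seen_secret = []    # demo only: what a Secret Chat looks like in transit

    def login(self, device):
        self.device_keys[device] = secrets.token_bytes(32)
        return self.device_keys[device]

    def receive(self, device, blob, secret_chat=False):
        inner = unseal(self.device_keys[device], blob)  # transport layer ends here
        (self.seen_secret if secret_chat else self.cloud_history).append(inner)

    def sync_history(self, device):
        return [seal(self.device_keys[device], m) for m in self.cloud_history]

def demo():
    server = Server()
    phone_key = server.login("phone")
    e2e_key = secrets.token_bytes(32)  # assumed already agreed between the two devices
    server.receive("phone", seal(phone_key, b"cloud: meet at 5"))
    server.receive("phone", seal(phone_key, seal(e2e_key, b"secret: meet at 6")), True)
    laptop_key = server.login("laptop")  # new device: it never receives e2e_key
    restored = [unseal(laptop_key, b) for b in server.sync_history("laptop")]
    server_can_read = b"meet at 6" in server.seen_secret[0]
    return restored, server_can_read, unseal(e2e_key, server.seen_secret[0])
```

The new device recovers only the Cloud Chat message, because the server held it in readable form. The Secret Chat message stays opaque to the server and can only be opened with the key held on the original devices.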
So, is Telegram Messenger secure?
While Telegram is a convenient and relatively safe option for private messaging, we recommend that you think twice before choosing it as an enterprise communication tool. Especially if you are operating in an industry that sets high standards of user data privacy, such as healthcare or finance, Telegram’s security may be suboptimal.
For example, since Telegram requires a telephone number to create an account, the user’s data that it stores can be tied to such a number and, therefore, identified. Besides, with data stored on Telegram’s servers, users have no control over it and the way it can be used.
Summing it up, Telegram Messenger may not meet the requirements of highly regulated industries handling massive amounts of sensitive information.
QuickBlox Chat API as an alternative
If you are looking for a secure instant messaging solution that can provide sufficient protection to the data you are handling, consider QuickBlox Chat API. In addition to the powerful communication functionality, QuickBlox’s solution includes security features meeting the requirements of such industries as healthcare and finance:
Data encryption in transit and at rest
Built-in antivirus tool
Option to install the messenger app in your own cloud to ensure complete control over your data
Alternatively, QuickBlox offers its complete messaging service, Q-municate, which is easy to install and provides rich messaging functionality and strong security and protection out-of-the-box. It can be integrated into your enterprise network using the hosting solution that is the most preferable for you – a public cloud, your own cloud, or locally.
All QuickBlox communication products are developed in strict compliance with GDPR and HIPAA rules, making them suitable for use in healthcare and other industries where user data handling is regulated.
QuickBlox will be happy to work with you on implementing a truly secure communication solution. We can suggest the configuration that will suit your requirements and consult you on implementing it so as to ensure top performance and the strongest data protection.
Contact us to learn more about how QuickBlox can support your needs for secure instant messaging.