Telegram Messenger Review

[HEISENBERG]

Telegram pros & cons.
+ Pros

End-to-end (E2E) encryption;
Encryption algorithms: MTProto, a custom protocol;
Open-source apps and Telegram Database Library;
Self-destructing messages;
Users can be logged in on multiple devices simultaneously;
Supports Two-Step Verification;
GDPR-compliant.

– Cons

Registration requires a phone number;
E2E encryption only for Secret Chats;
Servers are not open source;
Logs IP Address and other user data.

Now we’ll briefly touch on the main features of Telegram messenger.

Telegram messenger features

Here are some key features to consider when deciding whether Telegram is right for you:

Code for the open source parts is available on GitHub;
Telegram apps for Android, iOS, Windows Phone, macOS, Windows, Linux, popular browsers;
Exceeding 500,000 active users.

Where is your Telegram data stored?

Telegram has a hybrid system for storing your data. By default, all your message data is stored on your devices. However, you can remove data from this local cache, and store it on Telegram’s servers. This allows you to balance your desire for privacy against the need for data storage space.

Those Telegram servers are located throughout the world as part of a distributed network.

Telegram third-party testing and audits.
No data available.

How secure and private is Telegram.

Telegram has taken a beating over the years due to doubts about its security model. The concerns target two main areas: E2E encryption, and MTProto security. Let’s examine each of these areas.

E2E encryption.

The concern about Telegram’s E2E encryption is that it is not applied by default. Most chats (Cloud chats) on Telegram are securely encrypted while in transit between your devices and Telegram’s servers. Once chat messages arrive at the Telegram servers, they are encrypted using MTProto while at rest on the servers. However, Telegram can read chat data since it handles the encryption/decryption of messages at the servers.

Other secure messaging services, such as Signal, apply E2E encryption on all communications by default. The service cannot read those messages. Only the sender and the recipient can read E2E encrypted messages. In other words, any service that uses E2E encryption for all their messages will be more secure than Telegram.

Telegram does support E2E encryption for two types of communications: Secret Chats, and voice calls. Secret Chats are chats that are not stored on Telegram servers, and are only accessible to the devices involved in the chat. Secret Chats should be as secure as MTProto, but users need to remember to turn them on.

MTProto security.

MTProto is the custom mobile protocol designed by the Telegram team. Check out this Wikipedia link to get a better sense of the flak this protocol has taken over the years.

Telegram logs IP address and metadata.

On the privacy front, Telegram can collect a decent amount of personal information, which it can keep for up to 12 months. According to their Privacy Policy, they,

may collect metadata such as your IP address, devices and Telegram apps you’ve used, history of username changes, etc.

They may use aggregated metadata from you to help them create new features for the service.

Finally, the company can read any of your Cloud Chat messages to investigate spam and other violations of their Terms of Service. They may share some of your personal data with other Telegram users you choose to communicate with and companies within the Telegram Group. If forced by a court order, they may provide your IP address and mobile number to the appropriate authorities.

It would be wise to use Secret Chats and voice calls whenever you wish to share private information on Telegram.

There is also a section of the Privacy Policy titled, “Law Enforcement Authorities” that reads as follows:

If Telegram receives a court order that confirms you’re a terror suspect, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened. When it does, we will include it in a semiannual transparency report published at: https://t.me/transparency.

This is important to keep in mind when using Telegram.

Using Telegram without your real phone number.

While we’re on the topic of privacy, it’s also important to note that Telegram requires a phone number to create an account. This is a verification step to prevent bots and spammers from mass-registering.

Verification happens via a text message or phone call, and then you enter the verification code to begin using the service. But here’s the essential privacy tip: you don’t have to use your phone number.

There are many anonymous SMS services you can find online that allow you to receive text messages to digital numbers. There are both free and paid SMS services available that you can find with a bit of research (enter a search term like disposable SMS into your browser). You may have to try with a few different services and numbers before you can get a Telegram verification code to come through and work, but it will ensure your real phone number stays safe.

Registering with a disposable SMS number, and using a good VPN/TOR when you use Telegram, will significantly increase your privacy.

 

[HEISENBERG]

How to run Telegram with Android Emulator on Whonix.

As far as we know, about couple month ago, Telegram disabled SMS authentication on desktop and web versions. So, the only way to authorize on these versions is receiving code on active account through mobile Telegram version. There is not enough to have virtual number to have access, you also need phone or tab to make this out. But if you respect your privacy, It’s not a way for you. I’m glad to present you this guide. It will help you to run mobile Telegram with Anbox (android emulator) using Whonix, to protect your privacy.

1. Let’s install necessary packages.



First, we need to check updates:

sudo apt-get update

sudo apt-get dist-upgrade

After that, proceed to install:

sudo apt-get install --no-install-recommends linux-image-amd64 linux-headers-amd64 adb fastboot anbox

2. Next step: download and verify Android Image.

Download image and sha256sum

If you useQubes TemplateVM Whonix:

scurl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img

curl --proxy http://127.0.0.1:8082 --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

Non-Qubes Whonix and Qubes StandaloneVM Whonix:

scurl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img

curl --tlsv1.2 --remote-name https://build.anbox.io/android-images/2018/07/19/android_amd64.img.sha256sum

Verify.

After downloading, run these to verify the image:

sha256sum --check android_amd64.img.sha256sum

You will see status: "android_amd64.img: OK"

Move image to appropriate folder.

sudo mv android_amd64.img /var/lib/anbox/android.img

3. Configuring Anbox.

Unfortunately, To work Anbox properly, you should disable Whonix Firewall because Anbox uses its own configured network settings, so enabled Firewall will deny access to it. This step might be reduce security benefits, especially, if you’re using multiple Whonix-Workstation machines. To disable firewall, use this command:

sudo systemctl mask whonix-firewall

Next, open /etc/systemcheck.d/50_user.conf :

sudoedit /etc/systemcheck.d/50_user.conf

And add a new line to this file:

whonixcheck_skip_functions+=" check_whonix_firewall_systemd_status "

Save and exit. Then reboot the system:

sudo reboot

4. Launch Anbox.

GUI:

Start menu→ Accessories→ Anbox.

Terminal:

anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

5. Telegram installs.

So, Anbox is already installed and final step is to get Telegram .apk for it. On your Whonix-Workstation, go to https://telegram.org/android and download .apk file. After that, open terminal in the folder that contains file (just go to the folder with Telegram .apk and right-click for it. In context menu, you should see “Open Terminal” option). Use this command:

adb install Telegram.apk.

6. Congrats!

After successful install, you will see app in emulator desktop. Enable your account with virtual sim number and you’re ready to receive Telegram’s auth codes. Don’t forget to enable Whonix Firewall after receiving code.

7. Enabling Whonix Firewall.

In Terminal:

sudo whonix_firewall

GUI:

Start Menu→ Applications→ System→ Reload Whonix Firewall

Remember: for new Anbox session, you should repeat step 3.

Option 2. For beginners. Running mobile Telegram from online emulator - https://appetize.io
1. Register on sms-activation service with temporary mail.

2. Go to https://appetize.io and register free account, also you can do it with temp mail.

3. Download Telegram .apk from https://telegram.org and add it into to your appetize account. Go to ‘Upload’ section and choose the file.

4. After that, go to the ‘Dashboard’ and launch the app by clicking "view" button.

5. Register Telegram with virtual number bought before.

6. Open Telegram Desktop and use this number again.

7. You will receive auth code in online emulator which already run Telegram

8. Don’t forget to finish Telegram session in online emulator, after you log in Desktop version. Also set up 2FA.

 

[Never to sleep]

Damn Whonix. I guess not that surprising considering you're one of the founders of the forum!

 

[kpach]

Using a virtual number that a third party had/has access to, isn't that too risky?

 

[ImSorry69]

This is level 10 awesome brother. Thank you.

 

[Chemman]

Great! This is the only way you can now install Telegram on Tails

 

[xxnxx]

cool

 

[KokosDreams]

Interesting addition:

An article about how the FBI is able to obtain data from several messaging services

Original Link to the article: http://darkzzx4avcsuofgfez5zq75cqc4...lights-the-benefits-of-end-to-end-encryption/

 

[PavelD]

the link is off. can you please send another

 

[Latin King]

i dont trust telegram at all

 

[delkibrother]

I would suggest buying pre-paid phones and then using telegram, or Signal.

 

[Drsmurf]

There has been alot of vendors operating on telegram that have recently busted , telegram is surely not secure maybe secret chat is encrypted but open group chats are risky

 

[madmoney69]

Maybe they used the phone numbers to register which was linked to them?
I know many telegram groups who still run like there is no tomorrow bro

 

[PavelD]

Can you tell me which country?

 

[PavelD]

In Kazakhstan, a lot of vendors use Telegram for their business, but it seems like everyone is under surveillance, except for those who use drop registrations and equipment. Or maybe these authorities profit from it

 

[41Dxflatline]

I don't think thats how they were busted. Likely it was just undercover ordering something then analysing the packaging. I've had packages with fingerprints, packages that tell me the exact date and time and where something was shipped from (CCTV in store will have them)

 

[madmoney69]

Yeah true G, dont concentrate on encrypted apps only, if other part is missing

 

[Mark Hanna]

 

[idlewild]

It doesn't seem like it's going anywhere soon, hopefully telegram will work on cleaning up their shit

 

[kpach]

I wouldn't stick to an app that could be heavily targeted by agencies because it's private and encrypted.

 

[miner21]

I am not a huge fan of telegram but this is a great write up

 

[PavelD]

thank you sir for good information