
Private chat app Telegram may not be as secretive as advertised – Christian Science Monitor

Telegram promotes itself as a private chat application. But a security firm says it uncovered a flaw that can reveal a message even after it has supposedly been deleted permanently.

The popular messaging app Telegram touts end-to-end encryption as one of its primary features, but may not be as secure as its 50 million users might think.
A security researcher says attackers can easily retrieve encrypted Telegram messages from devices used to send or receive them, even when the chats have been supposedly deleted permanently.
Private information that users may have shared via Telegram can be retrieved in plain text from the device, said Zuk Avraham, chief technology officer of mobile security firm Zimperium.
Telegram has downplayed Mr. Avraham’s discovery and said that its encryption works as claimed except when an attacker can gain administrative control of a device running the app. In such situations, no encryption measures can fully protect users, it said.
While demand for secretive chat services has grown as a result of concerns over online snooping by government and law enforcement, the competing claims about Telegram highlight the risk of sharing sensitive data via online services that tout strong privacy protections.
Services such as Whisper and Secret, for instance, have attracted millions of users by pitching online anonymity as a central theme. But in separate reports last year, researchers found that Whisper tracked its users’ general whereabouts and that the identity of Secret users was not always so secret.
Telegram is an app for sending text and multimedia messages on Android, iOS, and Windows devices. Pavel and Nikolai Durov, the brothers behind VKontakte, one of Russia’s largest social networks, launched Telegram in 2013 as a secure alternative to WhatsApp, Line, and other messaging applications. 
Telegram claims that more than 50 million people, including many businesses, use it to send an average of 1 billion messages daily. The application is not particularly huge in the US, though it has been among the top-ranked free apps in dozens of countries over the past year.
The Berlin-based nonprofit group managing Telegram has described it as a privacy-oriented app that uses a proprietary protocol called MTProto to securely encrypt data in transit between two parties engaged in a conversation.
The app supports a secret chat feature that touts end-to-end encryption of data in transit and while stored on the device. It offers a self-destruct feature that allows users to set a timer for deleting messages allegedly without leaving a trace on any device. Telegram claims its app is so secure that it even offers a $300,000 reward to anyone that can recover a text message that was encrypted with the app.
But Avraham said Telegram’s claims are misleading: Data shared via Telegram can be retrieved in clear text at least from a majority of Android devices running the application. He said he took advantage of a previously known vulnerability in an older version of Android to break into a mobile device running Telegram. The vulnerability gave Avraham root-level access to the machine, meaning he had complete administrative control of the device.
What he discovered is that anyone with that kind of access can read messages that were sent using Telegram. “The Secure-Chat messages can be read in clear-text in Telegram’s memory,” Avraham said.
Even after a user deletes a message using Telegram’s self-destruct feature, the message can be retrieved in its entirety from the device, said Avraham.
But Markus Ra, head of marketing at Telegram, said the app works as advertised.
“If you assume that the attacker has root access, no app can be secure,” he said. Rooting a device, or gaining control of the device in a manner not intended by the manufacturer, removes security features built into the operating system, said Mr. Ra. “This is why manufacturers never give phone users root access by default.”
Encryption only works when keys are inaccessible to the attacker, said Ra. “If an exploit gives the attacker universal access to a system’s storage and memory — they will always have your key, no matter how many locks you use. No Android app can claim to protect data from a user with root access.”
Avraham contends Telegram’s arguments do little to counter the fact that the application’s encryption is not quite as rock-solid as it would have everyone think.
“You do not need to be a sophisticated actor to access Telegram’s secret messages,” said Avraham. “Any app that is running on your device can do it. Telegram should do more to protect their users.”
Telegram’s secret chats is 1 of 8 apps to receive a perfect score for security and privacy from rights advocacy group the Electronic Frontier Foundation. EFF maintains a secure messaging scorecard where it scores apps on various attributes such as encryption in transit, security design, authentication, security audits, and access to encryption keys by the vendor. Telegram’s app, along with seven other applications, scored higher than other better-known communication tools such as AIM, Blackberry Messenger, Facebook, and Google Hangouts.
Joseph Bonneau, a technology fellow at the EFF, said users have a problem if Zimperium’s claims about the contents of deleted messages still being retrievable from the device are true.
He agrees that privacy protections become useless once an attacker gains full access rights to the device. Even so, he said, Telegram should have implemented measures for ensuring that deleted messages are removed completely from both the sender’s and receiver’s devices.
Matt Clemens, engineer at application security vendor Arxan Technologies, said there are measures that can be applied to protect applications against the type of attack outlined by Zimperium.
The application code itself, for instance, can be protected against reverse engineering.
Measures can be taken to prevent attackers from pulling an application off a compromised device, taking it apart piece by piece and reassembling it so it looks like the original, he said. Similarly, the programming language used to define critical functionality can make a difference. There are also techniques that can be used to make an application aware that the device it is running on has been compromised and shut it down, he said. “There are then no resultant messages in memory or in a cached database for the attacker to try to reconstruct.”
 