30 September 2016

Telegram Messenger (for iPhone)

By Max Eddy

The Telegram iPhone app balances security and fun with easy messaging and a novel decentralized system that allows anyone to create and share sticker sets. It has long been a PCMag favorite. iOS 10's reinvigorated Messages app offers a real challenge with its continued emphasis on security in addition to its new animations and stickers, but Telegram counters strongly with a smart compromise between ease of use and encrypted messaging, which secures all your messages and uses end-to-end encryption for secret messages. Telegram is one of the best chat apps for the iPhone, and still an Editors' Choice winner, despite the increased competition.

Setup
Telegram is available for free from the Apple App Store. I had no trouble installing it on my iPhone 6, and am thrilled at all the other platforms Telegram currently supports, including Android, PC, Mac, and even Windows Phone. There's also a Web client, making it easy to log in and check your messages wherever you are.

Before you can begin with Telegram, you have to enter your phone number. This is the main identifier that Telegram uses. After you enter your number, Telegram sends a confirmation code via SMS. If you choose to link your Telegram account to the desktop, tablet, or Web client, the service confirms your identity by sending a special message to the Telegram app on your phone. It's wonderfully seamless, though the downside is that you can only have one phone associated with a Telegram account. If you want to install Telegram on a second phone, you have to create a separate account.

Using a phone number also raises some legitimate privacy concerns, as does Telegram's requirement that it view your contacts to connect you with other users. Any Telegram user who has your phone number in their Contacts list will see you in their Telegram contacts. This is par for the course for such apps, but I still prefer adding contacts in apps the old-fashioned way.

Unlike messaging apps like WhatsApp, Telegram lets you create a special Username from the Settings panel. If your account has a Username, anyone can search and find you using your Username instead of your phone number. Telegram also generates a public link that you can share to let friends easily find you. I particularly like that you can change your Username at any time.

Telegram on the Telephone
The first thing you notice when you log in to Telegram is that the app is very well designed. It's extremely responsive, and has all the high design we've come to expect from a polished iPhone app. Google Allo has a similar interface, and feels a little snappier, but Telegram is no slouch.

The threaded conversations and uploaded images in Telegram look excellent, and have a distinctly WhatsApp-like vibe. And as with WhatsApp, you can choose one of your photos or one of the 33 tasteful images included with Telegram as the background for your chats.

Secrets and Super-Secrets
There are two types of messages in Telegram. By default, messages between two users are called Cloud Messages. These are encrypted at rest and while in transit, and are accessible to all of your devices running Telegram. This is possible because your Cloud Messages, as well as the cryptographic keys to read them, are stored and managed by Telegram. It is possible that a hacker could steal, or law enforcement subpoena, messages and keys from Telegram's servers. Depending on how that information is stored on Telegram's end of things, it is also possible that these messages could be decrypted. Telegram makes these limitations clear in the service's documentation.

What good are Cloud Messages then? Consider that when the FBI wants to read an encrypted message, they use investigations of the physical device (see the FBI's fight with Apple) and subpoenas to obtain information from wireless carriers and companies like Telegram. The NSA, on the other hand, looks at signals as they travel. If the NSA or a hacker took a peek at your Web traffic when you were chatting over Telegram, they'd see nothing but meaningless gibberish. Using a good VPN service is another way to keep your traffic safe from prying eyes, one that can further protect you by hiding your IP address.

The other type of messages are known as Secret Chats, and these trade the accessibility of Cloud Messages for better security. When you start a Secret Chat, the encryption keys for the messages are managed on the sender and recipient's devices. These are the only devices that can read the Secret Chats. This means your Secret Chats aren't held on Telegram's cloud, and by extension aren't available on any of your other devices. This sounds like a downside, but really it's the best method for sending a message you want secured in the best possible way.

Many secure messaging apps aim for what's called perfect forward secrecy, meaning that breaking one message won't allow an attacker to read all your old messages and all your future messages. Telegram comes close by destroying the encryption keys for your Secret Chats after every 100 messages or every seven days, whichever happens first. Editors' Choice Wickr, on the other hand, creates new keys for each message. Signal, also an Editors' Choice winner, has its own scheme for ensuring a broken key won't imperil your communications.

Confirming that the person at the end of the line is who they say they are has always been a problem for secure messaging. After all, if someone borrows or steals your phone, they can impersonate you. You can prevent this by enabling the option to require a password to open the Telegram app on any device (and, of course, setting a passcode on your iPhone's lock screen). Signal addresses the identity problem with a scannable QR code to confirm identity, and also displays keywords that can be spoken aloud to prevent a man-in-the-middle attack. Unfortunately, Telegram does not include Signal's secure voice features.

Not all features are available for all types of Telegram messages. For example, Secret Chats can have a timer set that deletes the message from both your phone and the recipient's phone after the set amount of time. You also see a notice when the person you're sharing a Secret Chat with takes a screenshot within the app. These features aren't available for Cloud Messages, but Cloud Messages (including Group messages, but more on those later) can be forwarded to other users while Secret Chats cannot.

A quick word on self-destructing messages: They aren't just a fun gimmick as they are for Snapchat. Deleting a message is the best way to make sure that it doesn't get intercepted or decrypted. Wickr was one of the first apps to introduce self-destructing secure messages, and it's a feature I always like to see in a secure messaging app. Google Allo, for example, includes an excellent self-destruct feature in its Incognito mode.

Most users can't accept the idea of not having access to their messages at all times, which keeps them from embracing secure messaging platforms. To me, Secret Chats are like taking someone aside to whisper a secret. It might not make sense all the time, but there are some things best discussed in private.

Groups, Stickers, and More
Both Secret Chats and Cloud Messages do more than simply send text. You can send photos, audio clips, and emojis, just as you would from your SMS client of choice. You can also send local files or files stored on iCloud Drive or Google Drive. Telegram claims there is no limit on how large these files can be. Sending large files might test your patience and your data bill, so send them wisely. Telegram also supports attached videos, contact information, and current (or nearby) location.

Note that stickers and attachments by definition have to live in Telegram's servers. But for attachments to Secret Chats, Telegram has a special scheme for dealing with this problem. Telegram's excellent and exhaustive documentation explains that attachments are encrypted with a separate key that is itself encrypted, along with the location of your attachment. These encrypted attachments appear as random data on Telegram's servers, and are periodically deleted.

If you love Facebook Messenger's stickers (and I do), you're in luck because Telegram has the best and strangest collection of stickers I've seen. Users are encouraged to make their own creations, meaning that there are, at last count, more sticker sets on Telegram than atoms in the universe (confirmation pending). On my phone I have very handsome stickers of cartoon magpies, frightening owl men, and a set composed entirely of images from hit show Murder, She Wrote.

The downside to Telegram's sticker system is that there is no centralized store; to find them, you have to save a set sent to you by another user or search out special Telegram bots via public links. The app will show you trending stickers, giving you some insight into what other people are sending on Telegram. Facebook Messenger has a massive, and mostly free, sticker store. The iOS 10 Messages app also uses a centralized store for its growing sticker collection, but these generally cost money and the store is difficult to navigate.

Telegram also sports a number of surprising photo and video tools. Snap a picture and you can adjust the photo's exposure, contrast, warmth, saturation, tint, fade, highlights, shadows, vignetting, grain, blur, sharpness, and even its image curves. These tools aren't as powerful as those of PicsArt, but far better than other messaging apps.

You can also draw on images, but Telegram now lets you place any of your downloaded stickers, too. The app even includes special masks meant to fit over images. Like sticker packs, these are numerous and high quality, with everything from snake-hair to cyber sunglasses. If you tap the mute button after shooting a video, the app converts it to a looping GIF, and lets you draw as well as add stickers and masks. It's a lot of fun.

For times when one-on-one messaging simply isn't enough, Telegram offers Groups and Channels. These are very similar to WhatsApp groups; pick a name, add some users, and your missives are delivered to everyone. Groups can have a specific admin, or share those privileges with everyone, and any of the participants can mute their own notifications or leave a group. That's great. Channels are like bigger, more public groups and are a kind of social feature I've never seen in a secure messaging app before. Telegram Channels feel a lot like the anonymous, encrypted chat rooms used by Cryptocat, but Cryptocat allows any user to use any username at any time. Telegram is a little less flexible, and, for me, a little more trustworthy.

Apple and Google have both launched new efforts in the messaging space that incorporate novel features. The Apple Messages app has animations along with stickers, and third-party app integrations that let you, for example, search for and purchase movie tickets via Fandango without leaving your text messages. Google Allo introduces the Google Assistant, which integrates search results while you chat. Telegram can't match either of these features, and that could be a big problem in the coming years.

What's in a Protocol?
Rather than use an established encryption protocol, Telegram decided to roll its own. It's called MTProto, and it has all sorts of words associated with it that you're probably familiar with from the security world: 256-bit symmetric AES encryption, RSA 2048 encryption, and Diffie-Hellman key exchange.

Creating a custom protocol is an unusual move and one not usually accepted by the security community. Encryption, after all, is extremely complicated and building your own instead of using a tried-and-true solution is frequently viewed as a bad thing. To Telegram's credit, the company has opened some, but not all, of its source code for review. Hopefully, Telegram will continue to open their code and allow the world to pick it over for errors and help improve it.

Security researchers have had some success attacking Telegram, but not its encryption protocol. Last year, Zimperium reported that it had successfully found a way to access Telegram Secret Chat information held in device memory on an Android 4.4 device. This is an extremely complex attack, and it requires a very motivated attacker who is targeting your specific device—the kind of attack that is rarely seen in the wild. A more recent attack allowed someone to search through phone numbers, but was swiftly plugged by Telegram.

The biggest drawback to Telegram is, to my mind, its custom encryption system. Signal, on the other hand, uses its own protocol but is an open source project. Anyone can pick through the code and submit fixes for problems. It might sound counterintuitive, but security experts agree that open source is better for security. The Signal protocol is also being used to secure WhatsApp messages, private Facebook Messenger messages, and Google Allo's Incognito mode. That means it has been thoroughly tested, and may be one of the most widely used encryption systems. Best of all, Signal is maintained by Open Whisper Systems, which uses volunteers and grant money to operate. The organization is actively disinterested in monetizing its users or data.

Fun, Secure Messaging
With a simple, beautiful design, excellent cross-platform support, and multiple features to protect the integrity and security of your messages, Telegram Messenger is a top messaging pick on iOS. In addition to that, it has numerous photo and video embellishment features that take pictures to the next level. And while its sticker store is frequently bizarre, it's an experience unrivaled in the messaging space.

Telegram's decision to not open source its encryption protocol gives me pause. I consider it to be an excellent general-purpose messenger with security inclinations, and what I reach for when I want to send fun messages to friends. For truly secure (if somewhat less fun) messaging, I recommend the excellent Signal, which is also an Editors' Choice.
