You can find lots of free messaging apps out there. But finding a free messaging app that is also secure, and has enough users to make it worth using, is a lot harder. Today we’re going to talk about Telegram.
Telegram is totally free, and with over 200 million active monthly users, it certainly is popular. But is Telegram secure and safe? That’s one of the things we’ll be investigating in this in-depth Telegram review. So let’s dive in and see what we can discover.
Telegram pros & cons
Pros:
- End-to-end (E2E) encryption
- Encryption algorithms: MTProto, a custom protocol
- Open source apps and Telegram Database Library
- Self-destructing messages
- Users can be logged in on multiple devices simultaneously
- Supports Two-Step Verification
- GDPR compliant
Cons:
- Registration requires a phone number
- E2E encryption only for Secret Chats
- Has not shared any Transparency Reports
- Servers are not open source
- Logs IP Address and other user data
Now we’ll briefly touch on the main features of Telegram messenger.
Here are some key features to consider when deciding whether Telegram is right for you:
- Code for the open source parts is available on GitHub.
- Telegram apps for Android, iOS, Windows Phone, Mac OS, Windows, Linux, and popular browsers
- In excess of 200,000 active users
For this review, we downloaded and tested Telegram desktop and mobile apps.
Telegram company background information
Telegram Messenger was created by brothers Nikolai and Pavel Durov in 2013. With over 200 million active users, it is one of the most popular messaging apps in the world. The company is headquartered in London, with the development team based in Dubai. The company is funded through a donation by Pavel.
Where is your Telegram data stored?
Telegram has a hybrid system for storing your data. By default, all your message data is stored on your devices. However, you can remove data from this local cache, and store it on Telegram’s servers. This allows you to balance your desire for privacy against the need for data storage space.
Those Telegram servers are located throughout the world as part of a distributed network.
Telegram third-party testing and audits
I wasn’t able to find any published third-party audits or other formal test results for Telegram. What I did find was a lot of criticism of the Telegram security model and of Telegram’s MTProto encryption scheme. We’ll go into this in more depth at the end of this post.
Telegram messenger hands-on testing
For purposes of this review, I used the Telegram mobile app for Android, along with the Windows Desktop app. Since Telegram focuses on the mobile experience and requires you to join the service using a mobile device before you can use a browser or Desktop app, we’ll concentrate on the mobile side of things first.
Telegram Android app
Installing Telegram on an Android phone involves downloading the app and registering your phone number. This is similar to Signal messenger, which also requires a phone number to use the service. You can either download the app from the Google Play store, or download the Android APK directly from the Telegram website.
Once you finish installing and registering your account, you will be able to use the Telegram app to communicate with other Telegram users by text, voice, photos, video, group messaging, and channels (subscription broadcasts). File sharing is also supported.
Working with Telegram
Opening the Telegram app shows you a list of your Telegram contacts. If you’ve used any of the popular instant messaging apps, the interface should look familiar to you:
Tap a contact to see the full chat thread containing your conversation with that person, group, or channel. This is all pretty standard stuff; the kind of stuff you would expect to find on any of the best messaging apps. However, Telegram offers several other features that help explain why this is one of the most popular secure messaging apps.
Additional Telegram app features
Going beyond basic messages, Telegram has interesting and useful features like these:
- Groups – Supporting up to 200,000 members per group, Telegram group chats helped protesters get organized during the mega-protests of 2019. Apparently, both groups and channels were used by the protesters, resulting in a large DDoS (Distributed Denial of Service) attack against the service. Telegram stated that the IP addresses of the computers involved in the attack were mostly Chinese.
- Channels – Channels allow you to broadcast messages to an unlimited number of Telegram users. This feature was also apparently used during the Hong Kong protests. A recent addition to Channels is a way to view detailed statistics about channel viewership.
- Instant View – Instant View is a system to “…view articles from around the Web in a consistent way, with zero loading time.” If you receive a link via Telegram, you can tap the Instant View button to instantly see a version of the page that has been optimized for viewing in Telegram. Because the page is cached on Telegram’s servers, it downloads in a split second. Instant View isn’t available in the desktop versions of Telegram.
For reference, here’s an article viewed through Instant View on the Telegram Android app:
- Bots – Bots are computer programs that run in Telegram. They have a wide range of capabilities, and anyone with a reasonable level of programming skills can write and publish their own.
- Live Locations – Share your location live in a chat for 15 minutes, one hour, or eight hours. If multiple users share their live location within a group, they are shown on an interactive map.
- Telegram Passport – Telegram Passport is an encrypted way to store your identity documents on Telegram servers. Once stored here, you can easily share them with services that require real-world IDs.
Now we will take a close look at using Telegram on your desktop.
Telegram Desktop clients
Installing Telegram Desktop on your desktop is just like installing any other app. It only takes a moment to download, and seconds to install. Once you do, Telegram opens and asks you to enter the telephone number you used to register your mobile app. Alternatively, you can click the “Quick log in using QR code” link and follow those directions. Either way, you’ll soon see the familiar Telegram user interface translated onto your desktop.
Telegram officially supports the following desktop platforms:
- Mac OS
- Linux (64 bit and 32 bit)
Here is a screenshot of the Telegram desktop app.
One drawback with the Telegram desktop app is that you won’t have access to all the same features and capabilities that you do on your phone. However, if nothing else, the Desktop app will be a lifesaver in those times when you need to send long text messages.
Telegram’s support site takes the form of a huge FAQ page. This page (seen below) links to an immense amount of helpful information about Telegram. While working on this Telegram review, I was able to find the answers to any questions that came up by searching the FAQ.
Of course, I can’t guarantee that you will never need support from a live person. That shouldn’t be a problem, as Telegram offers you several ways to get in touch with their support team. Instead of listing out all the options here, just go to the Support section of that huge Telegram FAQ page.
How secure and private is Telegram?
Telegram has taken a beating over the years due to doubts about its security model. The concerns target two main areas: E2E encryption, and MTProto security. Let’s examine each of these areas.
The concern about Telegram’s E2E encryption is that it is not applied by default. Most chats (Cloud chats) on Telegram are securely encrypted while in transit between your devices and Telegram’s servers. Once chat messages arrive at the Telegram servers, they are encrypted using MTProto while at rest on the servers. However, Telegram can read chat data since it handles the encryption/decryption of messages at the servers. Other secure messaging services, such as Signal, apply E2E encryption on all communications by default.
Telegram does support E2E encryption for two types of communications: Secret Chats, and voice calls. Secret Chats are chats that are not stored on Telegram servers, and are only accessible to the devices involved in the chat. Secret Chats should be as secure as MTProto, but users need to remember to turn them on.
Voice calls are automatically E2E encrypted, likewise making them as secure as MTProto allows.
MTProto is the custom mobile protocol designed by the Telegram team. While I am not qualified to comment on the security of the protocol, it has been criticized by numerous cryptography experts. Check out this Wikipedia link to get a better sense of the flak this protocol has taken over the years.
Finally, the company has the ability to read any of your Cloud Chat messages to investigate spam and other violations of their Terms of Service. They may share some of your personal data with other Telegram users you choose to communicate with and companies within the Telegram Group. If forced by a court order, they may provide your IP address and mobile number to the appropriate authorities.
It would be wise to use Secret Chats and voice calls whenever you wish to share private information on Telegram.
Using a VPN with Telegram
As noted above, Telegram will record your IP address and keep it for up to 12 months. This links your identity up with your Telegram activity, chats, etc. Therefore you should take this into consideration based on your threat model and unique needs.
To hide your IP address when using Telegram, you can use a VPN. A VPN with Telegram will hide your IP address and location. Some of our top-recommended VPNs include NordVPN, which is based in Panama, and ExpressVPN, based in the British Virgin Islands (with a three months free coupon).
Note: A VPN is not a silver bullet that hides all your metadata. However, it will securely encrypt traffic between your device and a VPN server, while also concealing your true location and IP address. See these best VPN services for more options and info.
Using Telegram without your real phone number
While we’re on the topic of privacy, it’s also important to note that Telegram requires a phone number to create an account. This is a verification step to prevent bots and spammers from mass-registering.
Verification happens via a text message or phone call, and then you enter the verification code to begin using the service. But here’s the catch: you don’t have to use your phone number.
There are many anonymous SMS services you can find online that allow you to receive text messages to digital numbers. There are both free and paid SMS services available (see disposable SMS), which you can find through a bit of research. You may have to try with a few different services and numbers before you can get a Telegram verification code to come through and work, but it will ensure your real phone number stays safe.
Telegram business features
Like its competitor Signal, Telegram Messenger is only available as a single, free version. There are no pricing tiers, no extra-cost features, and no business-specific features.
Telegram prices = free
As mentioned above, Telegram is 100% free of charge. The company has stated that if they run low on money, they might add some non-essential premium features, but as of now, there is only the one, free version.
Telegram review conclusion
Telegram is one of the most popular messaging apps in the world with over 200 million users. Add in the fact that it is free, fast, and has tons of useful and fun features beyond basic messaging, and it’s easy to see why it is so popular.
But popularity does not necessarily mean it is secure or a good option for privacy-conscious users. As I showed above, there are many experts in the cryptography community who have raised doubts about Telegram’s security. At the same time, the fact that end-to-end encryption is only available for Secret Chats and voice calls worries many of us.
Is Telegram right for you?
The answer to this question all comes down to your threat model and unique needs. Whatever you decide, keep these risks in mind and proceed with caution if you decide to use Telegram to connect with your acquaintances.