Save over 40% when you secure your tickets today to TNW Conference 💥 Prices will increase on November 22 →

This article was published on November 30, 2015

Telegram’s privacy flaw on Android is real – but there’s a workaround


Telegram’s privacy flaw on Android is real – but there’s a workaround

A rather wily developer has taken to Github to give Android Telegram users a worthwhile nudge on app security.

Ola Flisbäck explains that by downloading a third-party command-line interface an “attacker” can quickly open up a whole load of Telegram metadata that could be used to identify who you’re talking to.

Although it still takes a bit of additional detective work, if your settings show when you were last seen, the attacker, who only needs to know your phone number in order to start accessing this information, can start working out who you’re messaging.

Telegram on Android doesn’t require you to accept someone as a contact in order for them to add you to their address book, so you’re none the wiser.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

“The Telegram Android app sends a notification to all contacts when it becomes or stops being the ‘foreground’ app on the device,” Flisbäck says.

“Using that information alone it’s at times easy to make guesses about who’s talking to who if you have several contacts in common with a ‘victim’.

“An ‘attacker’ will sometimes see the victim and another contact taking turns going active/inactive as they pass messages back and forth.”

The approach seems to work particularly well if the victim and attacker have mutual contacts, enabling the baddie to narrow down the list of possible people engaged in conversation by seeing who is online or offline at a given time.

The team over at Telegram told The Next Web that there’s a quick fix to this: “On Telegram you can control precisely who has access to your online and last seen status (see Settings — Privacy & Security — Last seen).

“Privacy settings operate on the API level, so it does not matter which apps are used — official or unofficial. If you’re not sharing your data, it can’t be accessed.”

Telegram Last Seen

While this does offer a workaround, it obviously doesn’t help if you haven’t yet realised this is happening.

And if you turn on this setting, you will also be prevented from seeing if other people are online, while Telegram also still displays an approximate last seen time for you.

There is an exception to this, which is if you message someone while not sharing data, you do appear online for a few seconds to that particular person.

You can also override all of this to specifically include or exclude certain people, as in the screenshot above.

Although this does start getting a little complicated!

Stalking anyone on Telegram [Github via The Register]

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top