Back to Home

Telega Telegram Client Security: MitM, GPL Violations, Data Leak

A deep dive into the 'Telega' Telegram client reveals critical security flaws, GPL v2 license violations, and potential MitM threats due to a Russian state root certificate and disabled security checks. User data is at risk.

Telega Telegram Client: Critical Security Flaws & MitM Threats Exposed
Advertisement 728x90

Critical Security Analysis of the 'Telega' Telegram Client: License Violations and Hidden MitM Attack Threats

'Telega', marketed as a 'youth-oriented' Telegram client with claimed openness and censorship circumvention capabilities, upon detailed reverse-engineering analysis, revealed critical security vulnerabilities, serious GPL v2 license violations, and potential mechanisms for unauthorized traffic interception. A key discovery was the integration of the Russian Ministry of Digital Development's root certificate, which, combined with disabled certificate validation, creates conditions for full-fledged Man-in-the-Middle (MitM) attacks. This poses significant risks to user data confidentiality and integrity.

Claimed Openness vs. Hidden Risks

'Telega' client developers actively promote it as an Open Source solution capable of bypassing blocks and ensuring stable operation. However, attempts to access the source code, which is claimed to be open, have met with obstacles: the official website lacks links to repositories, and support requests and chat messages are either deleted or ignored. This alone casts doubt on the sincerity of their claims of openness.

Further analysis of the End-User License Agreement (EULA) revealed direct contradictions with the principles of free software. Specifically, the EULA asserts 'exclusive rights to the Messenger' for the licensor, even though the client, as discovered, is a fork of Telegram for Android, distributed under the GPL v2 license. This means that 'Telega' developers are obligated to provide the source code and do not have the right to restrict its copying or distribution. Instead, the EULA contains clauses explicitly prohibiting 'selling, reproducing, copying the Messenger,' which is a blatant violation of GPL v2. Furthermore, the Boost Software License 1.0 for TDLib is cited as a reference for 'open source code,' which only governs one of the libraries used, not the main client. Clauses were also found that allow unilateral modification of functionality without notice and forced subscription of users to channels, while developer liability is limited to a symbolic sum of 500 rubles (approximately $5-6 USD).

Google AdInline article slot

Technical Vulnerabilities and Architectural Flaws

Reverse-engineering of the 'Telega' APK file revealed several concerning technical decisions. For instance, user calls are routed through the servers of the Russian social network 'Odnoklassniki' (calls.okcdn.ru), which raises questions about traffic confidentiality and the appropriateness of such a choice for a 'youth-oriented' client. Another peculiarity is that Perfect Forward Secrecy (PFS) management is handled server-side. This means the server owner could potentially disable PFS, thereby reducing the security level of past sessions if long-term keys are compromised.

The censorship circumvention mechanism, touted as one of its key advantages, is also implemented with critical flaws. The client requests current data center (DC) addresses via an HTTP request to https://api.telega.info/v1/dc-proxy. However, the code lacks mechanisms to verify the response signature from this server, and the TrustManager is disabled (stubbed out), meaning there is a complete absence of certificate validation.

// Example code demonstrating the lack of certificate validation
// (TrustManager is stubbed out)
public class InsecureTrustManager implements X509TrustManager {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Always trust, without validation
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Always trust, without validation
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}

This allows an attacker performing a Man-in-the-Middle (MitM) attack on the path to api.telega.info to spoof the response and redirect all user traffic to their controlled server. In the standard Telegram architecture, a proxy (MTProto Proxy) does not have access to encryption keys and cannot see message content, whereas 'Telega's' architecture potentially allows traffic to be routed anywhere, making it vulnerable.

Google AdInline article slot

Critical Threat: Ministry of Digital Development Certificate and MitM Attacks

The most alarming discovery was the presence of the root certificate resources/res/raw/rootca_ssl_rsa2022.cer within the 'Telega' APK file resources. This is none other than the Russian Trusted Root CA certificate, issued by the Russian Ministry of Digital Development. The inclusion of a state-issued root certificate in a client application is, in itself, an unusual and potentially dangerous practice. Combined with the aforementioned lack of certificate validation (the TrustManager is disabled) and the removal of the Certificate Pinning mechanism, which is present in the original Telegram client, this creates ideal conditions for a full-fledged MitM attack.

Certificate Pinning is a mechanism that allows an application to 'pin' expected certificates for specific domains, rejecting any others, even if they are signed by a trusted root authority. Its absence in 'Telega,' combined with trust in the Ministry of Digital Development's root certificate, means that anyone possessing the private key for this certificate (e.g., state authorities or attackers who have obtained it) can intercept and decrypt all 'Telega' user traffic in real-time. This poses a direct threat to communication confidentiality and security, transforming the client from a 'blockage circumvention tool' into a potential surveillance instrument.

Data Leakage and Incomplete Source Code

Network activity analysis revealed that the 'Telega' client sends the following data to its servers (telega.info):

Google AdInline article slot
  • phone (phone number)
  • ip (IP address)
  • deviceModel (device model)
  • systemVersion (operating system version)
  • authKeyId (Telegram authorization key identifier)

Transmitting authKeyId to third-party servers is particularly sensitive information, as it is directly linked to user authorization within the Telegram network and can be used for identification. The claimed open-source nature also proved to be a facade, not only due to its initial unavailability but also because repositories later found on GitHub were incomplete and did not contain all the code present in the APK file. This further erodes trust in the developers and their security claims.

Key Findings from the 'Telega' Telegram Client Analysis:

  • GPL v2 License Violation: The client, based on Telegram for Android code, fails to comply with the open-source license terms by prohibiting copying and not providing the source code.
  • Insecure Call Routing: The use of Odnoklassniki servers for voice calls raises privacy concerns.
  • Vulnerable Proxy Mechanism: The lack of signature and certificate validation when requesting new DCs opens the door for MitM attacks.
  • Ministry of Digital Development Root Certificate Integration: The Russian Trusted Root CA embedded in the application, combined with disabled Certificate Pinning, allows for traffic interception and decryption.
  • Extensive Data Leakage: Sending phone numbers, IP addresses, device data, and authKeyId to third-party telega.info servers without adequate security guarantees.
  • Fictitious Openness: Claims of Open Source proved false, undermining trust in the project and its developers.

What's Important:

  • The 'Telega' client contains serious vulnerabilities that can jeopardize user data confidentiality and security.
  • The integration of the Ministry of Digital Development's root certificate and the disabling of basic security checks create conditions for state-sponsored or other controlled traffic interception.
  • Using this client carries significant risks for users, especially given the transmission of critical identifiers to third-party servers.
  • Claims of Open Source proved false, undermining trust in the project and its developers.
  • Developers should strictly adhere to GPL v2 terms and implement standard security practices, including Certificate Pinning and rigorous certificate validation.

— Editorial Team

Advertisement 728x90

Read Next