Back to Home

Why Apple Blocked Telega: Analysis of MITM Risks

Analysis of the Incident with the Blocking of the Alternative Telegram Client — Telega — by Apple. Technical Reasons Related to MITM-Like Architecture and Consequences for Mobile App Developers Are Considered.

Telega and Apple: Conflict Due to MITM Architecture
Advertisement 728x90

# Why Apple Blocked Telega: Incident Analysis and Implications for Developers

Apple temporarily removed the alternative Telegram client Telega from the App Store and began flagging it as malware. iOS users are facing app launch blocks and recommendations to delete it. Developers deny any threats and point to independent security audits. However, Apple's actions stem from deeper issues: the client's technical implementation and suspicions of MITM traffic interception.

Context of the Incident

On April 9, 2026, the Telega app vanished from the App Store. When trying to open an already installed version, iOS displays a warning about potential danger and terminates the app. According to the developers, this stems from an erroneous classification by Apple. Several independent cybersecurity firms—Cloudflare, Seclookup, SOCRadar, Gridinsoft, Criminal IP, Fortinet, and Norton—confirmed the absence of malicious code in the app.

Nevertheless, in March 2026, a technical analysis surfaced online claiming that the Telega client implements hidden functionality that redirects all traffic between the device and Telegram servers through the project's own proxy servers. This approach formally violates end-to-end interaction principles and could be interpreted as a MITM (man-in-the-middle) attack, even if the developers' motivation is load testing or content delivery optimization.

Google AdInline article slot

Technical Aspects of the Dispute

The main grievance against Telega isn't trojans or spyware, but its network architecture. The official Telegram client uses its own MTProto protocol with server selection options and transparent routing. Alternative clients, especially those without official verification, must strictly adhere to these rules to avoid compromising the communication channel.

According to the published analysis:

  • On March 18, 2026, a new traffic redirection feature was activated in the Android version of Telega;
  • All requests to the Telegram API began routing through third-level domains owned by the Telega team;
  • TLS certificates for these domains were valid, but the intermediate link broke the trusted chain.

For Apple, such practices are unacceptable under the App Store Review Guidelines, particularly in sections on user privacy and data security (sections 5.1.1 and 5.1.2).

Google AdInline article slot

Community and Developers' Reaction

The Telega team explained the proxy routing as a response to a sharp surge in users and the need for load balancing. Introducing waitlists sparked a wave of negative reviews in the App Store, which may have prompted faster automated or manual intervention by Apple's moderators.

However, for the technical community, the key issue isn't intent but implementation. Even with good intentions, intercepting traffic without explicit user notification violates secure development principles. This is especially critical for messenger apps, where maximum communication channel transparency is expected.

The Telega developers have yet to publish a full technical report on their infrastructure, which undermines trust among experts.

Google AdInline article slot

What Users and Developers Should Do

If you're using Telega on iOS:

  • Don't try bypassing system warnings via sideloading—this could compromise your device's security integrity.
  • Back up your chats by exporting them in another client (e.g., the official Telegram).
  • Keep an eye on updates from the Telega team and Apple's decisions.
  • On Android and RuStore, the app remains available for now, but monitor network activity using tools like Wireshark or mitmproxy.

For developers of alternative clients, this case sets an important precedent. It shows that even a temporary deviation from standard architecture can lead to a full block in the Apple ecosystem.

Key Takeaways

  • Telega contains no classic malicious code, but its network architecture raises legitimate concerns.
  • Apple responds not only to threats but also to violations of privacy and transparency policies.
  • MITM-like behavior, even for optimization, is unacceptable without explicit user consent.
  • Independent audits confirm no trojans, but they don't guarantee App Store Guidelines compliance.
  • Developers should document all non-standard network interactions and obtain explicit user consent.

— Editorial Team

Advertisement 728x90

Read Next