For his experiment, Avraham took control—gaining "root" privileges—of an Android phone running Telegram exploiting a couple of known Android vulnerabilities. That's how he found out that Telegram, which was launched last year by Pavel Durov, the Russian tech wiz kid who founded the social network VKontakte, doesn't encrypt the database containing the archive of "Secret Chat" messages, and that the messages are also available, unencrypted, in the phone's memory, as he explained in his post."I would be very hesitant to use this app," Avraham said. "Having a clear-text database containing all the conversations is absurd from a privacy oriented app."
Technically that Telegram attack is a step above kleptonalysis. They skipped the keys and went straight to stealing the plaintext.
— the grugq (@thegrugq) February 23, 2015
Eva Galperin, a technologist and global policy analyst for the advocacy group the Electronic Frontier Foundation, said her first reaction to the blog post was "a lot of eye rolling.""If you tell me that you can break encryption by compromising the endpoint you haven't really broken encryption at all," she told me. "It's like haha! I can get into your house with the key! Gotcha!"In other words, perhaps you don't need to freak out over this. The problem isn't Telegram here."If you assume that the attacker has root access—no app can be secure," Markus Ra, a spokesman for Telegram, said, dismissing Avraham as a "charlatan" and his post as just an "a rather standard 'use my product' ad that exploits a misleading heading to attract attention."(Thomas Chopitea, an information security researcher, confirmed to Motherboard that the exploit described by Avraham is an issue that potentially affects every Android app.)Yet, as EFF's technologist Peter Eckersley told Motherboard, Telegram should do a better job at "encrypting the messages in storage, and overwriting the ciphertext or keys when deletion occurs."
tl;dr for people outside the InfoSec community: there is no Telegram "hack". Pure smoke. I might not like Telegram, but it's not been broken
— Filippo Valsorda (@FiloSottile) February 23, 2015