2

Telegram is completely blocked in my country (the entire IP range and domain of Telegram is blocked), and I cannot access messages through the Telegram app. However, notifications for newly received Telegram messages are being displayed on my Android phone and iPad. This implies that in addition to me and the Telegram company, third parties (Google and Apple) also have access to my messages. If I am right and this is the case, how can I prevent those third parties from accessing my messages, even at the cost of not showing Telegram notifications?

WhatsApp is not blocked in my country, but I believe that the same applies to WhatsApp messenger. Because there have been times that WhatsApp messenger has been temporarily inaccessible, but its notifications showed up.

M6299
  • That assumption is probably wrong. – yeah_well Dec 24 '20 at 06:28
  • @yeah_well What makes you say that? – M6299 Dec 24 '20 at 06:31
  • If you are receiving message notifications then it is not blocked. – defalt Dec 24 '20 at 07:19
  • @defalt Telegram is blocked in my country in all ISPs. What I am saying is that when I open Telegram, it does not connect because it is blocked countrywide. But I receive notification about messages that telegram itself cannot receive. It means that messages go from telegram to a third party (supposedly Google) which is not blocked, and then get conveyed to my phone (only notifications and a summary of messages). – M6299 Dec 24 '20 at 08:29
  • @M6299 Google doesn't fetch your Telegram messages for you. Telegram notification probably uses some domain that isn't blocked. If Google did something like that, the whole purpose of Telegram messenger is useless – yeah_well Dec 24 '20 at 08:51
  • @yeah_well I completely blocked telegram by a firewall in my android phone, but I still receive notifications. It seems that it has something to do with "APNS notifications to Apple servers" and "FCM notifications to Google servers" as mentioned here: https://core.telegram.org/api/push-updates https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging – M6299 Dec 24 '20 at 09:27
  • Your premise is incorrect. Apple and Google are not accessing your telegram messages. Telegram is sending notifications. That's all. – Rory Alsop Dec 24 '20 at 11:36

3 Answers

3

Telegram uses the Firebase Cloud Messaging system for its push notifications on Android, and APNS (Apple's equivalent) on iOS devices. These notifications to the Telegram app on your phone come from the Google and Apple servers, respectively.

Telegram -> Push Service (Google/Apple/etc) -> phone -> app -> notification

So yes, the traffic is not coming from the Telegram servers directly, and that's why the app is showing you notifications when the Telegram servers are blocked in your country.

But no, those services do not have "access to your messages"; the messages are secured in the same way that messages are secured coming from the Telegram servers directly.

The data that the Telegram servers pass on to these services are encrypted using the same encryption as the app. Once the app receives the data, it decrypts it to show you the notification.

Can you stop using the Push Service? By disabling notifications, you might trigger the Telegram app to de-register from the push notification service, but that will depend on how the app is created. I have not found the relevant documentation to confirm that one way or the other.

schroeder
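The flow in the answer above, sketched as an added example (not part of the original answer and not Telegram's code): a server seals the notification text, a relay in the FCM/APNS role forwards it, and the app opens it. It assumes a key pair shared only by server and app, uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for a real AEAD cipher, and all function names and the device token are hypothetical.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def server_seal(enc_key: bytes, mac_key: bytes, text: str) -> bytes:
    """App server: encrypt-then-MAC the notification text before handing it to the relay."""
    nonce = os.urandom(16)
    plain = text.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag

def relay_forward(device_token: str, blob: bytes, log: list) -> bytes:
    """Push relay: routes by device token and can record only what it is given."""
    log.append({"token": device_token, "size": len(blob), "blob": blob})
    return blob

def app_open(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    """App on the phone: verify the tag, decrypt, then pass the text to the OS notification."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload modified in transit")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return plain.decode()

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # held by server and app only
    log = []
    text = "Alice: meet at 18:00"  # constructed sample message
    delivered = relay_forward("device-token-123", server_seal(enc_key, mac_key, text), log)
    shown = app_open(enc_key, mac_key, delivered)
    leaked = text.encode() in log[0]["blob"]  # does the relay's record contain the plaintext?
    return shown, leaked, log[0]["size"]

if __name__ == "__main__":
    print(demo())
```

In this model the relay's log holds the device token, the payload size and the delivery event, so that metadata remains visible to the relay even though the text does not.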
1

@schroeder is correct in the way that the infrastructure works, it's considered "secure". However, there is another vector, and anybody who is coming here to learn about security should be made aware of this:

> notifications for newly received telegram

The encryption ends at the application. On the mobile device itself, the content is clearly decrypted, so the human can read the message. The application tells Android/iOS to display a popup notification after the application has decrypted it.

This means that:

  1. an installed "accessibility" app from any vendor MAY be able to read the decrypted information.

  2. malicious code from Apple/Google in iOS/Android CAN feasibly capture notification text (and in-app text) that is decrypted (and other media). Such code might not be in your current iOS/Android version, but it may be in the future.

  3. non-private features from Apple/Google in iOS/Android MAY capture decrypted information as a result of crash reporting. Such a feature may not exist today, but it might be deployed in the future.

Those are the technical realities - how that translates to security risk is really up to you to consider.
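For point 1 on Android, an added audit example (not part of the original answer): it lists which installed packages currently hold notification-listener or accessibility access, the two grants that let another app read notification text after decryption, and reports any that are not on a list you expect. The package names and the `expected` set are constructed; `read_from_device` assumes `adb` and a device you own with USB debugging enabled.

```python
import subprocess

# Secure-settings keys listing components allowed to read notifications or on-screen text.
KEYS = ("enabled_notification_listeners", "enabled_accessibility_services")

def parse_components(value: str) -> set:
    """Turn 'pkg/Class:pkg2/Class2' (or 'null' when unset) into a set of package names."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def unexpected_readers(settings: dict, expected: set) -> dict:
    """Map each key to the packages holding that access that are not in `expected`."""
    report = {}
    for key in KEYS:
        extra = parse_components(settings.get(key, "")) - expected
        if extra:
            report[key] = sorted(extra)
    return report

def read_from_device() -> dict:
    """Read both settings from a connected device through adb."""
    return {
        key: subprocess.run(
            ["adb", "shell", "settings", "get", "secure", key],
            capture_output=True, text=True, check=True,
        ).stdout
        for key in KEYS
    }

# Constructed sample of what the two settings can contain.
SAMPLE = {
    "enabled_notification_listeners":
        "com.example.wearsync/com.example.wearsync.NotifService:"
        "com.example.flashlight/com.example.flashlight.Listener\n",
    "enabled_accessibility_services": "com.example.screenreader/.ReaderService\n",
}

if __name__ == "__main__":
    expected = {"com.example.wearsync", "com.example.screenreader"}
    print(unexpected_readers(SAMPLE, expected))
```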

0

Apps in background can not receive messages. Instead, they must be notified using so-called push messages which are sent from the app's server to google/apple and from there to your mobile. These push messages may include payload which is displayed on your phone (this is what you notice as new message). This payload is clear text. When you tap on the notification, Telegram in your example is woken up and tries to fetch the new message. This fails due to your blocking.
The only way I see would be to have Telegram not send the push message to you. I don't know if it has this option. I am not sure if disabling notifications on the OS level would do the trick as it could be that it only inhibits the reception of push messages on the phone, but not the sending of them from the Telegram server.

  • Do you have any references that describe this data flow (i.e. that notifications are sent to *Google* who then sends to your phone?) Because this is contrary to how notifications or the Push API work. Notifications are from ***the app*** or from ***the server***. Which means that the app has received something and then triggers the OS to display the notification. There is no 3rd party. – schroeder Jan 06 '21 at 12:15
  • The payload is not in cleartext. And the notification is from the Telegram app, not the OS. I have provided an answer with links to the relevant documentation. – schroeder Jan 06 '21 at 15:31
  • I would still assume that the actual push message payload (not the entire telegram messages) is clear text part of the push message. In Telegram that would be the message sender's name and the first about 100 characters of the message (that is, the _title_ and _body_ parameter of the push message). This would explain why M6299 sees the notifications (which include this data I assume). But admittedly, I'm not sure about this. – Christoph Jan 06 '21 at 18:43
  • You do not have it correct. Please review my answer and the API docs I provided. The Push Service is not the thing displaying the message. The app is... – schroeder Jan 06 '21 at 19:18