In August 2013, two Russian developers—and brothers—Nikolai Durov and Pavel Durov released Telegram to the world, a new instant messaging platform with a simple promise: to provide privacy and security that competing platforms available at the time weren't delivering. Telegram is usable on mobile devices and desktop operating systems alike, and promotes Secret Chats as a way to securely exchange messages with end-to-end encryption. Indeed, Telegram is quite pleasant to use for the most part. Messages are delivered very quickly, the available mobile and desktop clients provide a fairly pleasant user experience and there's no dependency on your mobile device having an active connection to use Telegram from another device (like with WhatsApp).
Most unusual about the design of Telegram, however, was the decision to engineer a new encryption scheme called MTProto, using symmetric encryption keys, rather than using previously tested and well-known encryption schemes. Cryptographers questioned whether custom-designed cryptography would be subject to flaws that compromise the security or privacy of the end-user. Some experts, including researchers at Aarhus University, have expressed concern about whether the encrypted messages are properly authenticated, leading to potential weaknesses. MTProto has received criticism from the Electronic Frontier Foundation (EFF). Looking at this alone, the outlook doesn't seem good.
Perhaps most daunting overall is the fact that Telegram actually doesn't perform end-to-end encryption of instant messages by default, instead reserving this functionality only for "Secret Chats", which must be manually initiated by the user and can only take place between two specific devices (a Telegram user with multiple devices will only be able to interact with that secret chat session on the device it was initiated from/accepted at). Telegram claim that this is because cloud syncing of instant messages between devices is more convenient for non-secret chats than the guaranteed security that end-to-end encryption provides. What this means in practice is that normal instant messages sent over Telegram are actually stored by Telegram in a format that they can decrypt themselves. Perhaps we should just hope instead that nobody raids Telegram's datacenters.
Take Apple, for example, who took a different approach with iMessage that allows them to provide end-to-end encryption between devices whilst still providing the illusion of message sync across devices. Instead of encrypting the message once for the recipient user, iMessage actually encrypts the message for each recipient device separately, as each device has its own encryption keys. In effect, if you own an iPad, an iPhone and a Mac and a friend sends you an iMessage, they are actually encrypting and sending the message three times, once for each device. Every device receives a copy of every message, so you can jump between devices without a loss of history, but no actual syncing of message history is taking place between clients and the iMessage server. Everything end-to-end, as it should be.
There's no doubt that the methodology used by Apple works. Huge volumes of iMessages are sent daily, and a user of iMessage never has to think about whether or not they should really be switching to a secret chat as all messages are end-to-end encrypted by default. This introduces the next significant problem for Telegram as a secure platform: human error.
Humans are typically the weakest link in any secure system, and it only takes a user to type something secret into a non-secret chat by mistake (or just forget to initiate a secret chat altogether) and effectively it's game over. It is hugely irresponsible of Telegram to market itself as a secure messaging platform and yet place the responsibility for security solely into the hands of the user, all whilst making the baseless assumption that the user will actually remember or recognise when a secret chat should be used instead of a regular one. In fact, it makes an even worse assumption that all Telegram users even know that secret chats exist or how they work—something that we should not assume to be correct for those who have simply been told to download Telegram by their friends and family without having performed any further reading or research.
That's not to say that iMessage is perfect by any means. Indeed iMessage also has weaknesses, largely in the fact that you must trust the public key infrastructure that Apple uses for iMessage-capable devices to discover each other's public keys. Specifically, you must trust that Apple will not inject additional public keys into the directory without your knowledge or consent, given that Apple devices will not notify you as a user when someone else's public keys change. This is not an unsolvable problem, however, and can easily be mitigated by allowing the user to control which keys (or rather, devices) they should trust and notifying the user when new public keys appear for their contacts. Legitimately this would happen if someone were to log into iMessage from a new device, but equally it may also happen if a sneaky Government were trying to obtain a copy of any messages you sent to that user from that point forward.
Whilst not perfect, however, the iMessage approach is clearly superior. Treat all messages as if they're secret. Treat each of the recipient's devices as a separate entity with its own unique encryption keys. Keep the private keys in the hands of the user's device. Only store messages on the iMessage server in a format that Apple themselves can't decrypt. Don't place any of the onus on the user to be secure. Don't assume the user knows when they are and aren't being secure.
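The two design points above, per-device encryption fan-out and pinning a contact's device keys so that a new key appearing in the directory is surfaced rather than silently trusted, are modelled in the following added example. It is constructed for this page and is not Apple's or Telegram's code: the Diffie-Hellman group, the hash-based stream cipher and the `KeyDirectory`/`Client` classes are illustrative stand-ins chosen so the script runs on the Python standard library alone, not a vetted parameter set or protocol.

```python
"""Toy model: one plaintext, one ciphertext per device; server sees only ciphertext.
Constructed illustration, not Apple's or Telegram's code. Crypto primitives are stand-ins."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: illustrative only, 2**127-1 is prime but tiny).
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public); the private half never leaves the device."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (toy, not for real data)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _session_key(shared: int) -> bytes:
    return hashlib.sha256(b"msg-key" + shared.to_bytes(16, "big")).digest()


def encrypt_for_device(device_pub: int, plaintext: bytes) -> dict:
    """Hybrid encryption to ONE device: fresh ephemeral DH, stream cipher, then HMAC tag."""
    eph_priv, eph_pub = keygen()
    key = _session_key(pow(device_pub, eph_priv, P))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, eph_pub.to_bytes(16, "big") + ct, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "ct": ct, "tag": tag}


def decrypt_on_device(device_priv: int, blob: dict) -> bytes:
    """Only the holder of the matching private key recovers the session key; verify before decrypt."""
    key = _session_key(pow(blob["eph_pub"], device_priv, P))
    expected = hmac.new(key, blob["eph_pub"].to_bytes(16, "big") + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong device key or tampered message")
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))


class KeyDirectory:
    """Server side: publishes device public keys and relays blobs it cannot read."""
    def __init__(self):
        self.devices = {}   # user -> {device_name: public_key}
        self.mailbox = {}   # device_name -> [blob, ...]

    def register(self, user, device_name, pub):
        self.devices.setdefault(user, {})[device_name] = pub

    def lookup(self, user):
        return dict(self.devices.get(user, {}))

    def deliver(self, device_name, blob):
        self.mailbox.setdefault(device_name, []).append(blob)


class Client:
    """Sender that pins the device set seen on first contact and flags any key it did not pin."""
    def __init__(self, directory):
        self.directory = directory
        self.pinned = {}  # contact -> {device_name: public_key}

    def send(self, contact, plaintext: bytes):
        current = self.directory.lookup(contact)
        known = self.pinned.setdefault(contact, dict(current))  # trust on first use
        unpinned = sorted(d for d, k in current.items() if known.get(d) != k)
        for device, pub in known.items():          # fan-out: one ciphertext per pinned device
            if current.get(device) == pub:
                self.directory.deliver(device, encrypt_for_device(pub, plaintext))
        return unpinned  # caller must show these to the user instead of silently encrypting to them


def demo():
    directory = KeyDirectory()
    bob = {name: keygen() for name in ("iphone", "ipad", "mac")}  # constructed devices
    for name, (_, pub) in bob.items():
        directory.register("bob", name, pub)
    alice = Client(directory)
    flagged_first = alice.send("bob", b"see you at 7")
    copies = sum(len(v) for v in directory.mailbox.values())
    decrypted = {n: decrypt_on_device(priv, directory.mailbox[n][0]) for n, (priv, _) in bob.items()}
    try:  # the iPad's key must not open the iPhone's copy
        decrypt_on_device(bob["ipad"][0], directory.mailbox["iphone"][0])
        cross_device_fails = False
    except ValueError:
        cross_device_fails = True
    _, injected_pub = keygen()  # a key Bob's devices never generated shows up in the directory
    directory.register("bob", "unknown-device", injected_pub)
    flagged_second = alice.send("bob", b"second message")
    return {"copies": copies, "decrypted": decrypted, "cross_device_fails": cross_device_fails,
            "flagged_first": flagged_first, "flagged_second": flagged_second,
            "injected_received": len(directory.mailbox.get("unknown-device", []))}


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is in the last three values: the first send produces three ciphertexts the directory cannot open, the injected fourth key receives nothing, and the client reports it by name so the user can decide whether it is really a new device of Bob's. A real client would additionally let the user approve the new device explicitly, which is the mitigation the paragraph above describes.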
There are a lot of things that Telegram would do well to learn from iMessage.
That Telegram's developers are knowingly overlooking such critical issues or design flaws, however, makes it very difficult to recommend Telegram as a truly secure messaging solution, especially to non-technical friends and family. Whilst competitors, such as WhatsApp and Facebook Messenger, are already working to further spread the deployment of end-to-end encryption for messages, Telegram seems to have stagnated and does not appear to be interested in solving the core issues with non-secret chats, or better yet, eliminating the idea of non-secure chats altogether.
It may be prudent to not place too much trust in it after all.