Partisan Telegram (P-Telegram) was developed to meet the needs of high-risk users. P-Telegram is intended for use by political dissidents to facilitate coordination using Telegram in regions controlled by hostile forces.
Telegram is one of the world’s most popular cross-platform cloud-based instant messaging services. However, it’s important to remember that on Telegram, private and group chats are not end-to-end encrypted. This means that your conversations and personal identifiable information could be stored on Telegram’s servers and accessed by third parties. Intruders can also attack individuals and organizations on Telegram, accessing their accounts and the information. This presents a risk to marginalized groups, particularly activists who may be targeted in restrictive regimes. If an activist’s mobile device is confiscated, authorities could access Telegram and all confidential messages included.
To counteract these threats, Partisan Telegram (P-Telegram) was developed to meet the needs of high-risk users. P-Telegram is intended for use by political dissidents to facilitate coordination using Telegram in regions controlled by hostile forces.
To ensure the ongoing security and safety of such applications, P-Telegram engages in regular audits and ongoing improvements that are essential to maintain control of information security. Recently, P-Telegram engaged Open Technology Fund’s Red Team Lab to conduct an application and operational security assessment. The RIT SAFE Lab performed the security assessment on behalf of the Red Team Lab in early 2022, conducting static and dynamic tests to assess application and operational security of the latest Android version.
The security assessment reported some positive findings. While the assessment observed that P-Telegram occupies significantly more space on disk than the standard version of Telegram, any known digital artifacts related to identifying the existence of P-Telegram on a device would be difficult, if not impossible, to discern by a casual observer with no technical knowledge and no specialized equipment.
Additionally, the assessment observed that the keystore containing the key used to sign official release versions of P-Telegram could be found in two public GitHub repositories. With access to the keystore, it is possible that opposition forces could create a malicious version of P-Telegram and social engineer users into installing it. To counteract this risk, a rotating code signing key is being implemented, as are development processes to ensure that such data is not pushed into public GitHub repositories into the future.
Overall, the security assessment proved positive, showing that significant safety and security considerations were put into the development of the application. These safety features all performed as expected, and no additional application vulnerabilities were found. Several security issues were raised in the assessment, which have been addressed by P-Telegram.
The complete application and operational security assessment on Partisan Telegram can be found below.