Privacy News Researchers: TeleGuard messaging's key handling makes "E2EE encryption" effectively meaningless

Wrecker4923 (thread author), Apr 11, 2024
The content source is the non-paywalled version. The original paywalled source is here:


Some excerpts:

A Secure Chat App’s Encryption Is So Bad It Is ‘Meaningless’

TeleGuard, an app that markets itself as a secure, end-to-end encrypted messaging platform which has been downloaded more than a million times, implements its encryption so poorly that an attacker can trivially access a user’s private key and decrypt their messages, multiple security researchers told 404 Media. TeleGuard also uploads users’ private keys to a company server, meaning TeleGuard itself could decrypt its users’ messages, and the key can also at least partially be derived from simply intercepting a user’s traffic, the researchers found.

“No storage of data. Highly encrypted. Swiss made,” the website for TeleGuard reads. The site also says, “The chats as well as voice and video calls are end-to-end encrypted.”

That series of design decisions means TeleGuard, the company, receives users’ private keys. But the keys are also accessible to other attackers. The researcher found it’s possible to retrieve a specific user’s private key by simply plugging their user ID into TeleGuard’s API. Many people share their user ID publicly so they can be contacted, opening them up to this attack.

404 Media asked Dan Guido, CEO and co-founder of cybersecurity firm Trail of Bits, whether his team was able to verify the findings. Guido said the company found much the same thing, and added the app’s encryption “is meaningless,” because of the app uploading the private keys and the server’s ability to decrypt them.

Comments:

  • Teleguard was launched in the beginning of 2021.
  • I guess beware of "secure" messaging apps that haven't been vetted by security researchers. Being well-vetted may be better than having the features you want.
 
This is a good example of why independent review matters more than marketing claims.

If the reported findings are accurate, then TeleGuard’s design would undermine the core promise of end-to-end encryption.

Why this is a serious problem

  • If a service uploads users’ private keys to its own servers, that is already a major red flag for any system claiming strong end-to-end encryption.
  • If those keys can also be retrieved or derived by an attacker, then message confidentiality may be broken entirely.
  • In that case, calling the encryption “end-to-end” becomes misleading in practice, even if cryptographic algorithms are technically present somewhere in the app.

What matters here technically

End-to-end encryption is not just about using encryption algorithms. It also depends on proper key generation, key storage, key exchange, and server trust assumptions.

If the provider can access or reconstruct private keys, then users are effectively trusting the provider not to decrypt content. That is very different from the security model used by better-vetted messengers.

Broader takeaway

Your comment is reasonable: a “secure” app that has not been publicly audited or widely examined by credible researchers should be treated cautiously.

In general, stronger signs of trust are:

  • Public technical documentation
  • Independent security audits
  • A design that minimizes server-side trust
  • A history of review by the security community
  • Clear handling of key management and metadata limitations

That does not automatically make a messenger perfect, but it is much better than relying on slogans such as “highly encrypted” or “Swiss made.”

Practical conclusion

For privacy-sensitive messaging, well-scrutinized apps are usually the safer choice than newer or lesser-known apps making broad security claims without the same level of public vetting. Marketing should never be treated as proof of security.

Sources
 
The TeleGuard case shows that marketing slogans (“highly encrypted,” “Swiss made”) are no guarantee of real security. For sensitive communications, what truly matters are independent audits and public oversight, not catchy claims. 🔒🧐
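The thread's technical point (that E2EE depends on where private keys are kept, and that a provider holding them can read everything) is easy to show in code. The following Go program is an added example written for this thread; it is not TeleGuard's code and not from 404 Media or Trail of Bits. It models two server designs side by side: a genuine one where the server stores only public keys, and the flawed pattern described in the article where clients also upload their private keys. The KeyStore type, the user names, the sample message and the SHA-256 key derivation are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KeyStore models what the provider's server keeps per user (assumed toy model). Real
// E2EE keeps only public keys; UploadsPrivateKeys models the flawed pattern in the article.
type KeyStore struct {
	UploadsPrivateKeys bool
	public             map[string]*ecdh.PublicKey
	private            map[string]*ecdh.PrivateKey
}

// NewDeviceKey generates an X25519 key pair on the user's device and registers it.
// In a genuine E2EE design only the public half is ever sent to the server.
func NewDeviceKey(id string, store *KeyStore) *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness; nothing sensible to do
	}
	store.public[id] = priv.PublicKey()
	if store.UploadsPrivateKeys {
		store.private[id] = priv // the provider now holds the user's private key
	}
	return priv
}

// aeadFor derives AES-256-GCM from the X25519 shared secret (SHA-256 stands in for a real KDF such as HKDF).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	if priv == nil || peer == nil {
		return nil, errors.New("missing key")
	}
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for the holder of peer; output is nonce || ciphertext+tag.
func Encrypt(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(priv, peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a message with whichever private key the caller possesses.
func Decrypt(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	gcm, err := aeadFor(priv, peer)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// ServerDecrypt models what the provider can read: it succeeds only when the server holds the recipient's private key.
func ServerDecrypt(store *KeyStore, sender, recipient string, msg []byte) ([]byte, error) {
	priv, ok := store.private[recipient]
	if !ok {
		return nil, errors.New("server holds only public keys and cannot decrypt")
	}
	return Decrypt(priv, store.public[sender], msg)
}

// Demo runs one exchange and reports who could recover the plaintext.
func Demo(uploadsPrivateKeys bool) (recipientReads, serverReads bool) {
	store := &KeyStore{uploadsPrivateKeys, map[string]*ecdh.PublicKey{}, map[string]*ecdh.PrivateKey{}}
	alice, bob := NewDeviceKey("alice", store), NewDeviceKey("bob", store)
	msg := []byte("constructed sample message") // constructed input, not real traffic
	sealed, err := Encrypt(alice, store.public["bob"], msg)
	if err != nil {
		panic(err)
	}
	got, err := Decrypt(bob, store.public["alice"], sealed) // on the recipient's own device
	recipientReads = err == nil && string(got) == string(msg)
	leaked, err := ServerDecrypt(store, "alice", "bob", sealed)
	serverReads = err == nil && string(leaked) == string(msg)
	return recipientReads, serverReads
}
```

Calling `Demo(false)` yields recipient reads, server cannot; `Demo(true)` yields both reading the same plaintext. The ciphertext is identical in both runs; the only difference is which party holds the private key, which is why the thread's point about server trust matters more than which algorithms the app advertises.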