ESL Global Cybersecurity Institute pentesters assess messaging app for activists

RIT cybersecurity experts help make instant messaging safer for activists in countries controlled by restrictive regimes.

In early 2022, pentesters from RIT’s ESL Global Cybersecurity Institute (GCI) conducted an application and operational security assessment of Partisan Telegram, a customized version of the Telegram messaging app. The app aims to protect fringe groups from hostile forces and is currently being used by Eastern European political dissidents. RIT was selected to conduct the assessment by a non-profit organization dedicated to global internet freedom.

“It’s rewarding to use our technological skills for good and to help people who are trying to communicate securely in countries that don’t want to,” said Rob Olson, lecturer in computer security at RIT and pentester for the project. “This is one of the original problems in cybersecurity.”

Olson worked with a team of student and professional ethical hackers to assess the app’s security by conducting an authorized simulated cyberattack known as penetration testing. However, Olson said this assessment is unique because the app was designed for a specific threat model: protecting a user’s physical safety in the event of unwanted searches and seizures.

Similar to WhatsApp or Facebook Messenger, Telegram is one of the world’s most popular cross-platform, cloud-based instant messaging services. With more than 700 million monthly active users, Telegram is also known for offering privacy add-ons and options to create customized versions of the app.

In Belarus, Russia and Ukraine – where Telegram has become the most popular instant messaging app – it is used to communicate with family and friends. It is also widely used to spread pro-Ukrainian messages and organize large-scale protests against enemy forces. Often people have multiple Telegram accounts — one for communicating with loved ones and another for joining channels that activists coordinate.

However, Telegram is not end-to-end encrypted. This means if an activist is stopped by hostile forces or their mobile device is confiscated, authorities could force a user to access the app and show confidential messages.

To counter these threats, an activist/hacktivist collective in Belarus has developed Partisan Telegram. The open-source Android app is designed to look and feel the same as the original Telegram, but with additional features to protect users.

From a Partisan Telegram lock screen, users can set different passcodes, each of which opens a different account. Users can also set a decoy passcode; entering it triggers a number of precautionary measures, including sending a text message to emergency contacts, logging out of accounts, and deleting specific sessions, chats, and channels. If a user is concerned that their account might fall into the wrong hands, they can enter a secret password to quickly disguise sensitive information that could be used against them.
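The passcode scheme described above, modelled as an added example that is not code from Partisan Telegram or from RIT’s assessment: each stored passcode is salted and hashed, every entry is checked with a constant-time comparison regardless of which one matches, and the result is either an account to open, a decoy outcome with its list of protective actions, or a locked screen. The entry names, action names and the `PBKDF2_ITERATIONS` value are assumptions chosen for illustration; performing the real actions (sending SMS, logging out, deleting chats) is left to the registered handlers.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical model of a lock screen where each passcode opens a different
# account and one passcode is a decoy that triggers protective actions.
# All names and parameters here are assumptions, not the real app's code.

PBKDF2_ITERATIONS = 100_000  # assumed work factor for illustration


@dataclass
class PasscodeEntry:
    salt: bytes
    digest: bytes
    role: str                      # "account" or "decoy"
    account: Optional[str] = None  # account label for "account" entries
    actions: List[str] = field(default_factory=list)  # for "decoy" entries


def _derive(passcode: str, salt: bytes) -> bytes:
    """Salted slow hash so stored digests are not reversible offline."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_passcode(store: List[PasscodeEntry], passcode: str, role: str,
                      account: Optional[str] = None,
                      actions: Optional[List[str]] = None) -> None:
    salt = os.urandom(16)
    store.append(PasscodeEntry(salt, _derive(passcode, salt), role, account, list(actions or [])))


def unlock(store: List[PasscodeEntry], entered: str) -> dict:
    """Evaluate an entered passcode against every configured entry.

    Every entry is always checked and compared with hmac.compare_digest, so the
    amount of work does not reveal which entry (if any) matched.
    """
    matched: Optional[PasscodeEntry] = None
    for entry in store:
        candidate = _derive(entered, entry.salt)
        if hmac.compare_digest(candidate, entry.digest):
            matched = entry  # keep scanning; no early exit
    if matched is None:
        return {"status": "locked", "actions": []}
    if matched.role == "decoy":
        return {"status": "decoy", "actions": list(matched.actions)}
    return {"status": "unlocked", "account": matched.account, "actions": []}


def apply_actions(actions: List[str], handlers: Dict[str, Callable[[], None]]) -> List[str]:
    """Run each configured action through its handler; unknown actions are skipped.

    Returns the names of the actions that actually ran, in order.
    """
    executed = []
    for name in actions:
        handler = handlers.get(name)
        if handler is not None:
            handler()
            executed.append(name)
    return executed


def build_demo_store() -> List[PasscodeEntry]:
    """Constructed configuration: two account passcodes and one decoy."""
    store: List[PasscodeEntry] = []
    register_passcode(store, "1111", "account", account="family")
    register_passcode(store, "2222", "account", account="activist")
    register_passcode(store, "9999", "decoy",
                      actions=["notify_emergency_contacts", "logout_all", "delete_sessions"])
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for code in ("1111", "2222", "9999", "0000"):
        print(code, unlock(demo, code))
```

A constructed store of three passcodes shows the three outcomes; `apply_actions` takes a handler table so the decision logic can be tested without sending messages or deleting anything.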

Ultimately, Partisan Telegram is designed to withstand only occasional inspection by non-technical opposition forces. It is not intended to withstand dedicated forensic analysis.

To ensure the security of the app, developers conduct regular audits. They also reached out to the Open Technology Fund (OTF) Red Team Lab, a non-profit organization dedicated to promoting global internet freedom. OTF provided the developers with funding for an application and operational security assessment and selected RIT for the job.

RIT’s Eaton SAFE Lab is part of the ESL GCI, which provides cybersecurity services including penetration testing and security audits. The lab has performed nearly 100 tests for Fortune 100 companies, municipalities, school districts, and small and medium-sized businesses.

For the security review, the RIT team largely focused on the code that the developers added to the original Telegram app. They monitored the network traffic that Partisan Telegram generates and compared it to the original Telegram’s network traffic under similar usage – and found no major differences that a casual observer could use to identify the activist app. They also reverse engineered the app, running it through application vulnerability scanners and running dynamic tests.
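One way to carry out the traffic comparison described above, as an added example rather than the RIT team’s tooling: summarize the flows of the stock build and the customized build per destination, then report hosts only one build contacts and hosts whose traffic volume differs beyond a tolerance. The flow records and hostnames below are constructed for illustration, as is the `volume_tolerance` threshold; in practice the summaries would be built from packet captures taken under matched usage.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: (destination host, bytes sent, bytes received).
# Hostnames are placeholders, not the real service's endpoints.
STOCK_FLOWS: List[Tuple[str, int, int]] = [
    ("api.example-messenger.org", 4200, 18800),
    ("api.example-messenger.org", 3100, 9400),
    ("media.example-messenger.org", 900, 51200),
]
CUSTOM_FLOWS: List[Tuple[str, int, int]] = [
    ("api.example-messenger.org", 4300, 18600),
    ("api.example-messenger.org", 3000, 9700),
    ("media.example-messenger.org", 950, 50900),
]
# A constructed variant that contacts an extra host, to show what a finding looks like.
CUSTOM_FLOWS_WITH_EXTRA = CUSTOM_FLOWS + [("telemetry.example.net", 1200, 300)]


def summarize(flows: List[Tuple[str, int, int]]) -> Dict[str, Dict[str, int]]:
    """Aggregate flow count and byte totals per destination host."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"flows": 0, "out": 0, "in": 0})
    for host, sent, received in flows:
        summary[host]["flows"] += 1
        summary[host]["out"] += sent
        summary[host]["in"] += received
    return dict(summary)


def compare(baseline: Dict[str, Dict[str, int]],
            candidate: Dict[str, Dict[str, int]],
            volume_tolerance: float = 0.25) -> Dict[str, List[str]]:
    """Report what would let an observer tell the candidate build apart.

    extra_hosts: contacted only by the candidate; missing_hosts: only by the
    baseline; volume_outliers: shared hosts whose total byte volume differs
    from the baseline by more than volume_tolerance (a fraction).
    """
    base_hosts, cand_hosts = set(baseline), set(candidate)
    outliers = []
    for host in sorted(base_hosts & cand_hosts):
        base_total = baseline[host]["out"] + baseline[host]["in"]
        cand_total = candidate[host]["out"] + candidate[host]["in"]
        if base_total == 0:
            continue
        if abs(cand_total / base_total - 1.0) > volume_tolerance:
            outliers.append(host)
    return {
        "extra_hosts": sorted(cand_hosts - base_hosts),
        "missing_hosts": sorted(base_hosts - cand_hosts),
        "volume_outliers": outliers,
    }


if __name__ == "__main__":
    stock = summarize(STOCK_FLOWS)
    print("custom vs stock:", compare(stock, summarize(CUSTOM_FLOWS)))
    print("variant vs stock:", compare(stock, summarize(CUSTOM_FLOWS_WITH_EXTRA)))
```

With the matched samples the report comes back empty, which is the “no major differences” outcome; the variant with an extra destination is flagged immediately, and a shared host whose volume doubles would appear under `volume_outliers`.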

The review did find one notable difference between the two apps: the customized Partisan Telegram takes up significantly more space on a device than the standard version of Telegram. In addition, reviewers identified sensitive security information released in GitHub’s open-source repositories that could allow opposition forces to create a malicious version of Partisan Telegram.

“In our report, we make recommendations on how many of the issues can be fixed,” Olson said. “And I have seen that they are already implementing them. It’s really nice to see how invested they are in solving the security issues.”

The full application and operational security assessment of Partisan Telegram is available online. Cyber range engineer Forrest Fuqua, Jason Ross, and several computing students helped with the analysis.

To learn more about cybersecurity services at RIT’s Eaton SAFE Lab, contact ESL GCI Project and Operations Manager Sarah Yarger.