ESL Global Cybersecurity Institute pentesters assess messaging app for activists
RIT’s Eaton SAFE Lab conducts security assessment of customized Partisan Telegram app
RIT cybersecurity experts are helping make instant messaging safer for activists in countries controlled by restrictive regimes.
In early 2022, pentesters from RIT’s ESL Global Cybersecurity Institute (GCI) performed an application and operational security assessment of Partisan Telegram, a customized version of the Telegram messaging app. The app is intended to protect marginalized groups from hostile forces and is currently being used by Eastern European political dissidents. RIT was selected to conduct the assessment by a nonprofit organization that supports global internet freedom.
“It’s rewarding to use our technology skills for good and assist people who are trying to communicate securely in countries that don’t want them to communicate securely,” said Rob Olson, senior lecturer of computing security at RIT and a pentester for the project. “This is one the original problems in cybersecurity.”
Olson worked with a team of student and professional ethical hackers to evaluate the app’s security by conducting an authorized simulated cyberattack, known as a penetration test. However, Olson said that this assessment was unique because the app was designed for a specific threat model—to protect a user’s physical safety during unwanted searches and seizures.
Telegram is similar to WhatsApp or Facebook Messenger and is one of the world’s most popular cross-platform, cloud-based instant messaging services. With more than 700 million monthly active users, Telegram is also known for having privacy add-ons and options for people to create customized versions of the app.
In Belarus, Russia, and Ukraine—where Telegram has become the most popular instant messaging app—it is used for communicating with family and friends. It is also widely used to distribute pro-Ukrainian communications and organize large-scale protests against hostile forces. Often, people might have multiple Telegram accounts—one for communicating with loved ones and another for joining channels that coordinate activists.
However, Telegram is not end-to-end encrypted. This means that if an activist is stopped by hostile forces or their mobile device is confiscated, authorities could force a user to access the app and show any confidential messages.
To counteract these threats, an activist/hacktivist collective in Belarus developed “Partisan Telegram.” The open source Android app is designed to look and feel exactly like the original Telegram, but has extra features to protect users.
From one Partisan Telegram lock screen, users have the ability to enter different passcodes that send them to their different accounts. Users can also enter a false passcode that enacts a series of precautionary actions, including sending a text message to emergency contacts, logging out of accounts, and deleting specified sessions, chats, and channels. In effect, if a user is worried that their account could fall into the wrong hands, they can enter a secret password to quickly obfuscate sensitive information that could be used against them.
Ultimately, Partisan Telegram is only intended to resist casual inspection by technically unsophisticated opposition forces. It is not intended to be resistant against dedicated forensic analysis.
To maintain the app’s security, developers conduct regular audits. They also reached out to the Open Technology Fund (OTF) Red Team Lab, a nonprofit organization committed to advancing global internet freedom. OTF granted the developers funding for an application and operational security assessment and selected RIT for the job.
RIT’s Eaton SAFE Lab is a part of the ESL GCI that offers cybersecurity services, including penetration testing and security audits. The lab has already done nearly 100 tests for Fortune 100 companies, municipalities, school districts, and small and medium-sized businesses.
For the security review, the RIT team largely concentrated on the code that developers added on top of the original Telegram app. They monitored the network traffic that Partisan Telegram generates and compared it to network traffic from the original Telegram under similar use—finding no major differences that a casual observer could use to identify the activist app. They also reverse engineered the app, ran it through application vulnerability scanners, and conducted dynamic testing.
The assessment observed a major difference between the two apps. The customized Partisan Telegram takes up significantly more space on a device than the standard version of Telegram. Additionally, assessors identified sensitive security information published on the open source GitHub repositories that could allow opposition forces to create a malicious version of Partisan Telegram.
“In our report, we provide recommendations on how to fix many of the problems,” said Olson. “And I’ve seen they are already implementing them. It’s really nice to see how invested they are in addressing the security issues.”
The complete application and operational security assessment on Partisan Telegram is available online. Cyber Range Engineer Forrest Fuqua, Jason Ross, and several computing students assisted in the analysis.
To learn more about cybersecurity services at RIT’s Eaton SAFE Lab, contact the ESL GCI Project and Operations Manager Sarah Yarger.