Last month, a story broke in the Washington Post about “stay behind” operations by Ukraine in then-occupied Kherson. The story discusses Ihor, a Ukrainian in Kherson, who was in communication with a Ukrainian special forces officer in Ukrainian-controlled Mykolaiv called “Smoke”. Ihor, with help from Smoke, helped perform sabotage and espionage operations behind enemy lines.

At one point, Ihor was captured and tortured by Russian occupation forces for 11 days. Russia eventually released Ihor, but tried to use him to capture other partisans in the area. To do this, they instructed him to provide screenshots of all of his further interactions with Smoke, under threat of death if he didn’t comply. Thanks to some ingenuity and prior planning, Ihor was able to secretly tip-off Smoke to defeat this Russian plan, and survived to tell the tale after Kherson was later liberated by Ukrainian forces.

Ihor’s story—and the stories of others like him—is one of extraordinary bravery in extremely dangerous conditions. But his interview with the Washington Post reveals something more: it reveals that Russia was actively surveilling Telegram chats as part of their counterinsurgency operations in occupied Ukraine.

Telegram’s security has long been called into question by the information security community. There’s lots of aspects of how it is built that don’t make sense from a security perspective. But so far, there’s never been any good evidence that it’s been exploited by the Russian security services in practice.

Until now.

Ihor’s story is particularly amazing because it doesn’t just reveal that Russian forces are surveilling Telegram chats. It also gives us a good hint as to how.

It even tells us what Russia wasn’t doing—at least in the narrow case of Ihor. And it reveals how at least one other major and well-known security defect in Telegram—ones that have been left open on purpose by Telegram—would very likely have led to Ihor’s death if Russian occupation forces had been only slightly more competent and successfully exploited them.

There’s no evidence here that Telegram knew or helped Russia exploit any of these defects. But that doesn’t let Telegram off the hook either. The two defects that Russia didn’t exploit—but which would have led to Ihor’s death had the Russian forces chosen to use them—are both well known to Telegram; they’ve been described before, and Telegram has inexplicably and intentionally chosen not to fix them.

All three of these defects exist in Telegram only because of its steadfast refusal to adopt or correct their application’s security—a big contrast to virtually every other mainstream encrypted chat app.

If you take away just one thing from this post, let it be this: Telegram is not safe to use as a chat or call app. It nearly cost Ihor his life. Ukrainians—and frankly everyone else too—should find another encrypted application for chats and calls. A good choice would be something like WhatsApp, but Apple’s iMessage or Signal are also good choices if your contacts are also using those.

So without further ado, here’s the story of Telegram, its dangerous lack of security, and how the Russians were exploiting it in occupied Kherson.

Telegram: a quick history and primer

Telegram is a major social networking and communications app that is extremely popular in Eastern Europe, including in both Russia and Ukraine. Before the war, more than 80% of all smartphones in Ukraine had it installed, and it has over 550 million monthly active users worldwide.

Telegram’s founder is the Russian-born billionaire Pavel Durov, who made his name founding Vkontakte—essentially a Russian Facebook. He founded Telegram in Russia in 2013, just a year before being forced out from Vkontakte by people he described as “Putin’s cronies”. According to him, that departure was caused by his refusal to hand over Vkontakte’s data about Ukrainian protestors during the 2014 Euromaidan. Durov later left Russia and now lives in Dubai and holds UAE citizenship, where Telegram is now based.

Telegram has had run-ins with the Russian government on several occasions. In 2018, Telegram was blocked in Russia for two years. When Roskomnadzor—the Russian media regulator—announced that Telegram would be unblocked in Russia, it referenced an agreement with Telegram’s founder to cooperate with Russian authorities, although did not provide specifics:

We positively assess the readiness of the Telegram founder to counter terrorism and extremism. With the consent of the Russian Prosecutor General's Office, Roskomnadzor is withdrawing the requirement that access to the Telegram messenger service be blocked.

This year Telegram had another close call with the regulator. On October 29, Telegram’s website interface was briefly blocked again, though the ban was lifted shortly afterwards.

Telegram’s popularity comes from its duality as both a chat and an information broadcast medium. In its “broadcast” mode, where it operates conceptually a little like Twitter, users subscribe to “channels” to receive messages blasted out by the channel owner. The range of channels is large. You can subscribe to Russian, Ukrainian, or other official channels, as well as news sites, military groups, open-source intelligence aggregators, influencers, companies, and so on. This feature has been a lifeline for Ukrainians both in Ukraine and abroad by helping citizens keep up with the rapidly moving events and alerts throughout the conflict.

Telegram is also a chat application. In this mode, Telegram operates like WhatsApp, Signal, or iMessage, allowing users to create message groups, or one-to-one chats with an individual contact, who can then exchange chats, files, pictures, or hold audio and video calls.

By default, Telegram’s chats are not end-to-end encrypted, meaning that Telegram’s engineers can access their content via Telegram’s servers.

One-to-one chats (and calls) can also be “upgraded” to use Telegram’s custom-built end-to-end encryption by choosing to communicate via “secret chats”. This encryption has been criticized by specialists because Telegram’s algorithm can’t be easily proven secure in the way that the encryption in most comparable chat apps can. That’s a saga that’s too long to go into here, other than to say that Telegram’s response to those concerns never satisfied the information security community or encryption specialists, and it continues to cause concern.

But despite these concerns about Telegram’s security and its regular run-ins with the Russian security services, Telegram remains widely used in Ukraine, in large part because it is easy to dismiss the security concerns as theoretical, because of the importance of its broadcast functionality as an invaluable news source, and because of Telegram’s assertions that its security hasn’t been broken in practice.

Ihor meets Smoke in central Kyiv. Photo credit: Ed Ram for The Washington Post

The surveillance of Ihor

To understand how the Russian forces were breaking Telegram in occupied Kherson, we need to look at two key paragraphs in the Washington Post’s story:

For months, [Ihor and Smoke] kept up a coded communication over the Telegram messaging app. Sometimes Ihor would be asked to help pinpoint locations from which the Russians were firing artillery. Other times, he sent the man, who asked to be called Smoke, the positions of Russian troops, armored vehicles and ammunition stocks.

…

Because Ihor was still in communication with Smoke, who was based outside in nearby Ukrainian-controlled Mykolaiv, the Russians released him and said they would be monitoring any text exchanges between the two. They asked for Ihor to send screenshots of their conversation any time there was an update — and threatened his life if he did not cooperate.

There’s three claims in here that tell us about the surveillance of Ihor:

1. Ihor and Smoke were communicating via Telegram

2. Ihor had to send screenshots of their conversation any time there was an update

3. Russia was able to monitor all text exchanges between Ihor and Smoke

The first of these two statements tells us that Ihor and Smoke were communicating via Telegram. The second tells us how. In Telegram, secret chats don’t just employ Telegram’s end-to-end encryption technology, they also instruct the phone’s operating system to stop the user taking screenshots of the private chat screen.

That means either Ihor and Smoke were communicating via ordinary Telegram chats, or alternatively, someone disabled the anti-screenshot technology inside Telegram so that Ihor could take screenshots of their “secret chat” conversations.

There’s good reasons to think Ihor and Smoke were using normal chats, and not secret chats. Disabling the phone’s anti-screenshot technology in secret chats is somewhat involved. It would require that the Russian occupation forces jailbreak Ihor’s phone and install malware to circumvent the anti-screenshot technology in the phone’s operating system.

That’s possible, but it’s also unlikely. It would have been obvious to Ihor, and he didn’t mention this fact when talking to the Washington Post when discussing his communications with Smoke.

Moreover, had Russian forces installed malware on Ihor’s phone, it wouldn’t have been necessary to ask Ihor to take screenshots and relay them; they could have instead used the malware to take screenshots directly and relay them quietly back to the Russian occupation forces. That would have allowed the Russian forces to give Ihor his phone back without alerting him to the fact that his conversations with Smoke were now under surveillance.

That means the most likely case is that Russian forces did not proactively install malware on Ihor’s phone, did not circumvent the anti-screenshot technology in Telegram, and instead what happened here is just that Ihor and Smoke’s communication was via normal (and not “secret”) one-to-one Telegram chats.

What type of surveillance did Russia employ?

We can learn something else from those three statements in the Washington Post article. Let’s recap:

1. Ihor and Smoke were communicating via Telegram

2. Ihor had to send screenshots of their conversation any time there was an update

3. Russia was able to monitor all text exchanges between Ihor and Smoke

The last two of the statements by the Russian forces appear, at least at first glance, to be in contradiction with each other: how can it be that Russian soldiers were monitoring all text exchanges between Ihor and Smoke, and yet still needed Ihor to send screenshots of the conversations?

There’s three possibilities that resolve this apparent contradiction.

Possibility 1: Russia was lying when it said it was monitoring their text exchanges

In this theory, the Russian forces’ claim “we are monitoring all text exchanges” was a bluff; the Russian soldiers had no means to monitor the text exchanges between Ihor and Smoke, but told him this anyway in the hope that Ihor would be so afraid for his life that he would willingly send screenshots of his messages without deception or omissions.

But this theory is unlikely: it would be a personal risk for the Russian soldiers and officers involved if Ihor detected the bluff.

To understand why, remember that Ihor was detained as a Ukrainian saboteur operating in occupied Kherson. These saboteurs were directly undermining the occupation, as well as assassinating senior regime and military officials, and spotting targets for the Ukrainian military to destroy. All of this was happening in the most important theatre of the Russian war in Ukraine at the time—one that Putin himself was personally invested in.

Releasing Ihor back into occupied Kherson knowing that he was in contact with Ukrainian special forces, and simply hoping that Ihor would comply with their demands without deception or omissions would be a huge risk for the Russian soldiers. Had Ihor detected the bluff, he would have been able to communicate freely with Smoke without surveillance and feed the Russian forces deceptive information.

Possibility 2: Russia was monitoring the content of their text exchanges but asked Ihor to send screenshots anyway

Here, the theory is that Russia was monitoring all text exchanges including message content, but required Ihor to (redundantly) send screenshots of their conversations anyway.

This theory isn’t quite as absurd as it sounds. Doing so would serve two purposes. First, it would act as a “source validation” technique, allowing Russia to quickly work out if Ihor was acting deceptively towards them. Secondly it would hide Russia’s signals intelligence capability by hiding this fact from Ihor, us, and quite likely even the Russian soldiers on the ground from figuring out Russia’s ability to read Telegram messages without needing screenshots.

Telegram’s flaws mean we can’t rule this theory out decisively. But there’s two reasons why it’s unlikely at least in this case.

The first of these is straightforward. Operationally, it’s preferable for targets of surveillance to be unaware of it. If Russia did have full content of Ihor and Smoke’s messages without needing Ihor’s help, it would make more sense for them to keep Ihor in the dark about this fact by not asking him for screenshots and hoping he didn’t suspect his chats were being surveilled.

The second reason is hidden elsewhere in the article:

Ihor didn’t even know the first name of the person who contacted him. The man said he was a member of Ukraine’s Special Operations Forces and wanted to know if Ihor was interested in helping fight the Russians occupying his city of Kherson.

…

But Smoke and Ihor had agreed on a subtle code that could act as a warning — for example, responding to a message with “ok” instead of “all right.”

This tells us two important facts. First, all of Ihor and Smoke’s communications were online—and almost certainly entirely via Telegram. The two met when Kherson was already occupied, and they were on opposite sides of the frontlines. In other words, they didn’t meet in person until Kherson was later liberated.

Secondly it tells us that Ihor and Smoke agreed on a covert “tip-off” code early in their interactions. That covert code was later used by Ihor to alert Smoke that their communications were under surveillance after Ihor’s arrest.

If Russian forces had the full content of Ihor and Smoke’s messages, they would have seen Ihor and Smoke’s early discussions about their tip-off code, and would have seen Ihor later using it. Had they done so, they would have known immediately of Ihor’s deception, and likely executed him for it. That means—at least in this case—they almost certainly didn’t have access to those earlier messages.

So how can it be that Russia didn’t have access to Ihor and Smoke’s message content, but also had their communications under surveillance?

The answer—as is often the case in signals intelligence—is metadata.

Possibility 3: Russia was monitoring communications metadata of Ihor and Smoke’s communications.

A better theory is that Russia was monitoring the fact of text communications between Ihor and Smoke, but not the message content directly. In other words, they were accessing chat metadata.

What that means is that when Smoke sent a message to Ihor, Russia would know that the message was sent, but not what the message said. They needed Ihor to forward them screenshots to obtain the message content.

This theory fits the facts of this case relatively well. But it’s one thing to know that Russia is intercepting communications metadata. It’s a whole other thing to know how.

Unsurprisingly, the article doesn’t answer this directly for us. Ihor wouldn’t know, and in all likelihood, the soldiers interrogating Ihor wouldn’t either. That information would likely be closely held by specialist intelligence officers working further away from the frontlines.

But thanks to Ihor’s starting point, we can spot a defect in Telegram that matches this theory exactly.

The detention facility where Ihor was held by Russian occupation forces. Photo credit: Ed Ram for The Washington Post

Tracking Telegram chats with metadata

To understand how this flaw works, we need a little bit of background into Telegram’s “MTProto” encryption algorithm.

Telegram’s MTProto is used for both normal chats as well as secret ones. The only difference is which encryption keys are used. Secret chats use keys held by the person’s device. Normal chats use keys held by Telegram’s servers.

Telegram’s MTProto takes a chat message, encrypts it into an encrypted box, and labels it with a bit of metadata which isn’t encrypted. A diagram of how that works is shown below—it’s taken from Telegram’s own description of their protocol. But despite looking complicated, it’s not as difficult to understand as it looks.

Here, the original message is up in the bracket at the top right. MTProto’s algorithm processes this message into an encrypted form, shown in the bottom right in blue. MTProto then adds two additional pieces of metadata, shown in the bottom left in gray.

One of these pieces of metadata is called auth_key_id. The other is called msg_key.

I’ve labelled “auth_key_id” in red—this is our culprit.

Here’s how the spec describes auth_key_id:

[The auth key ID is] a 64-bit key identifier (that uniquely identifies an authorization key for the server as well as the user)

…

The first thing a client application must do is create an authorization key which is normally generated when it is first run and almost never changes.

Let’s unpack what that means.

When Telegram runs for the first time, it creates a secret key called the “authentication key”. For now, it doesn’t matter what it does. What matters is that this key has an associated unique number—essentially a “name”—called “auth_key_id”.

This key and its associated auth_key_id are created when the app first installs and stays the same until you delete or reinstall the Telegram app. All chats, whether secret or normal, are sent using MTProto messages, and all of them send this auth_key_id along with the encrypted message. The message itself might be encrypted, but auth_key_id is not. Anyone monitoring the network communication can see it.

From the perspective of someone monitoring Internet traffic—something the Russian government is well known to do—this auth_key_id functionally operates as a unique user ID. In the language of signals-intelligence, it can be used as a “SIGINT selector”.

Let me explain what that means, from the perspective of the Russian government occupation forces.

Suppose you’re the Russian government, and are performing large-scale interception of Internet traffic from all users in an occupied region. As part of that operation, you watch for all Telegram messages. Any time you see one, you store it into a big database. These messages might be encrypted, but the auth_key_id part of each of these messages is not. The Russian government doesn’t need to do anything special to view them.

At some point during the occupation, Russian forces arrest Ihor, and spot that Telegram messages to his device use a specific auth_key_id. It’ll be some number like, say, 718.

After letting Ihor go, you spot another Telegram message traversing the Internet in the region that also uses the same auth_key_id value of 718. That means Ihor is receiving a message. If Ihor fails to send a screenshot shortly afterwards, you know he’s hiding messages from you, and is defying the orders to regularly send screenshots of all of his communications.

It’s important to note that this issue is a feature of MTProto itself. It affects Telegram’s secret chats as well as normal chats. Leaking it gave the Russian occupation forces specific information to keep track of Ihor after his release.

Other end-to-end encrypted messaging apps like Signal, WhatsApp, and iMessage, are more careful, and try to avoid sending specific communications metadata like this directly across the Internet with every message. Ihor’s surveillance was uniquely enabled by his use of Telegram.

Photo: Tank traps line the streets of Kyiv near the beginning of the invasion

Russian forces weren’t decrypting Ihor’s messages.
But they could have.

Perhaps the most surprising thing about Ihor’s interview is that it also reveals what the Russian occupation forces in the region weren’t doing. Specifically, they almost certainly weren’t accessing the content of his messages directly, instead relying on Ihor to send them screenshots.

That’s something of an amazing conclusion, because it turns out that Telegram’s flaws mean Russia could have done so. In fact they could have done so in multiple distinct ways. But the Russian occupation forces neglected to do so—at least in Ihor’s case.

Ihor is extremely lucky they didn’t, because he probably would not have survived otherwise.

The reason we can make that conclusion is because of Ihor’s tip-off to Smoke. Ihor met Smoke via Telegram and pre-agreed how Ihor would covertly alert Smoke if their communications fell under surveillance. Ihor later used that method to tip-off Smoke after his arrest by Russian forces.

If Russia had successfully decrypted and read all of Ihor and Smoke’s messages, it would have been possible for them to read this earlier agreement, and spotted Ihor’s deception.

Russia’s failure to read Ihor and Smoke’s historic Telegram chats is a testament to Russian incompetence, not to Telegram’s security. There’s two different ways that Russia could have exploited to obtain all of these messages.

Both of those ways are known to Telegram.

Both have been intentionally left open.

Photo: a train leaves for Kherson, shortly after its liberation by Ukrainian forces

Getting full content via Telegram’s servers

Telegram’s chats are not end-to-end encrypted by default. Users must “opt-in” to using secret chats to get this benefit. That’s different to comparable chat applications like Signal, WhatsApp, and iMessage-to-iMessage chats. In those applications, messages are always end-to-end encrypted. It just happens quietly in the background regardless of your settings.

When chats are not end-to-end encrypted, it means that the content of the messages are visible to the servers in the middle—in this case Telegram’s servers. We know that Ihor’s chats with Smoke were not secret chats because the Russian occupation forces demanded screenshots of his messages, and he was able to comply. But that also means that Ihor’s messages with Smoke were not end-to-end encrypted. Their communications could have been intercepted directly via Telegram’s servers.

Russian occupation forces could have got access to those messages in several different ways. They could have done it with Telegram’s assistance: a secret agreement to turn over some or all messages in exchange for money, or influence, to avoid a threat, or out of a sense of patriotism. But they could also do it secretly without Telegram’s knowledge by hacking Telegram’s servers and taking it directly. Or by planting insiders at Telegram to steal those messages without asking.

That didn’t happen in Ihor’s case. But that’s not to say that the Russian government doesn’t in other cases. It also doesn’t mean Telegram doesn’t have agreements with different Russian security service agencies that these particular Russian occupiers just didn’t know about and didn’t use.

For other encrypted chat applications, it’s easy to rule out such agreements, hacking, and insider threats. But because of Telegram’s inexplicable decision to make chats not encrypted by default, we can’t rule that out here.

Counterintuitively, giving users the option to opt-in to end-to-end encryption is really bad for user security even when—or perhaps especially—when they need it most. This is perhaps one of the greatest example of why. It’s hard to dream up an example of a chat that is more sensitive than an actual insurgency operation behind enemy lines. Ihor’s life literally depended on the security of his chats.

It was an error by both Ihor and Smoke to use normal chats and not secret ones. But it’s an error that was only possible thanks to Telegram. Had Ihor and Smoke chosen virtually any other encrypted chat application, the opportunity for that error would never have existed in the first place; their chat would have just been end-to-end encrypted without asking.

Getting full content via device access

Ihor and Smoke screwed up by using normal chats and not secret chats. But if Russia was slightly competent, using secret chats wouldn’t have saved Ihor anyway: Telegram’s end-to-end encryption isn’t enough.

To understand why, let’s look at this very revealing paragraph in the MTProto specification:

The protocol's principal drawback is that an intruder passively intercepting messages and then somehow appropriating the authorization key (for example, by stealing a device) will be able to decrypt all the intercepted messages post factum. This probably is not too much of a problem (by stealing a device, one could also gain access to all the information cached on the device without decrypting anything)

This paragraph is talking about why MTProto’s cryptography doesn’t have two properties known in cryptography as forward secrecy and perfect forward secrecy. Telegram is explaining why it doesn’t matter that their protocol doesn’t use them.

[Update] Curiously this paragraph is at odds with other statements elsewhere in the official documentation. According to Telegram, MTProto does use perfect forward secrecy for secret chats in its official client, and can use it for normal chats. Telegram does not explain this apparent contradiction in their specification.

But let’s take Telegram’s specification at face value, and that loss of an authorization key would allow retrospective decryption of messages. What would this mean?

The point of this cryptographic property is to protect encrypted messages in the event that a device key is stolen. Device keys can be stolen by hacking into the phone remotely, or by physically extracting them directly from the device forensically.

Telegram’s paragraph says that it “probably doesn’t matter” that its cryptography doesn’t have this property. According to them, if a device is stolen, all of the prior messages can probably be accessed anyway.

The problem with Telegram’s hand-waving here, though, is that this scenario is exactly the one Ihor faced. When Ihor was arrested, Russian occupation forces gained access to his device. They will have certainly have read all of the messages he had previously exchanged with Smoke that were still available on the device.

But here’s the thing: we also know that those were only some of the messages Smoke and Ihor had previously exchanged. That’s because Ihor and Smoke had previously discussed their way of secretly alerting each other if their communication became compromised—something which Ihor later did. Russian forces were fooled, which means they didn’t read those earlier messages.

If the Russian forces had been a bit more competent, they could have used this flaw in Telegram to read those earlier messages and to detect and punish Ihor’s deception. In fact, this flaw would have let the Russian occupiers decrypt all of Ihor’s messages—including secret and self-deleting messages—as well as all messages that he sent to Smoke after his detention without needing Ihor to send them screenshots.

All Russia needed to do to exploit this flaw was to extract the authorization key from Ihor’s device. That key, according to Telegram’s own documentation, would have allowed Russia to go back to their big database of all intercepted Telegram communications and to decrypt all of the ones belonging to Ihor. That would reveal not just copies of all the Telegram chats on Ihor’s phone, but also all the ones he’d subsequently deleted. It would decrypt all of his normal chats and calls.

Telegram’s decision to not consistently use this cryptographic property in all messages stands in contrast to all other major encrypted chat applications. If Ihor had instead used WhatsApp, Signal, or iMessage, this risk would simply never have existed.

To be sure, regardless of which encrypted app they used, Russian forces could (and would) have compelled him to open his phone and show them the messages on the device, but there would be simply no way to view the messages deleted from the device prior to his detention: the cryptography would guarantee it.

Photo: a tank trap in Kyiv, painted in the colors of the Ukrainian flag

Telegram’s flaws put everyone at risk. It’s time to switch

Ihor was extremely brave in his actions behind enemy lines. But he was also extremely lucky. He and Smoke made a minor screw-up by using normal chats and not secret chats—an error that is only possible in Telegram because chats are not end-to-end encrypted by default.

Russia could have used this error to extract their communications from Telegram’s servers, detect Ihor’s deception, and execute him for it. For some reason they didn’t here. At least not in this case.

Had Russian forces done this, Ihor’s tip-off to Smoke would have been detected, and he likely would not have survived to see his city liberated by Ukrainian forces.

Russia instead relied on a third defect in Telegram to surveil communications metadata between Ihor and Smoke, allowing them to watch Ihor’s communications and to ensure he sent them screenshots of his chats with Smoke.

All three of these issues exist only because of Telegram’s choice to leave their app insecure. The two most serious of these flaws are well-known to Telegram’s engineers—they chose to not fix them on purpose.

Ihor—and others like him—placed their personal safety in the hands of Telegram, and Telegram repeatedly let them down. And it’s important to remember that just because Russia did not exploit all of these in this case, there’s no way to know if the Russian government has exploited these flaws in other cases before, nor any guarantee they will not do so in future.

Had they exploited them in this case, Ihor would be dead, and we’d never know this was the reason why.

The long-story short is that it’s not safe to use Telegram for chats and calls. Anywhere. For anyone. But especially in Ukraine.

WhatsApp, iMessage, and Signal all take user security far more seriously, and proactively fix security issues when they arise. Had Ihor and Smoke used any of these apps, all three of these defects would never have been available for Russian forces to exploit.

It’s also important to switch even if you’ve got nothing to hide. If Ukrainian saboteurs in an occupied region are the only ones using, say, Signal or WhatsApp, that itself becomes a red flag for Russian occupiers. Other people need to switch too in order to let those who need the security blend in with everyone else.

Ihor survived due to Russian incompetence, not Telegram’s security. Or to put it in the immortal words of one Ukrainian soldier, “we’re very lucky they’re so fucking stupid”. It’s become almost an informal motto of the entire war.

But he, and others, shouldn’t have had to rely on Russian incompetence to be safe. Telegram promised them communications security. Ihor trusted his life to it.

Only thanks to sheer luck and Russian incompetence he didn’t pay the ultimate price for doing so.

Use Telegram for subscribing to channels, or broadcasting your own messages if you want. But for your own safety, and the safety of others, use a different app for chat and calls.

Correction: an earlier version of this post stated that Telegram does not have perfect forward secrecy on any chats. The official Telegram client does use perfect forward secrecy for secret chats with a key updating on a one-week period (or every 100 messages). Non-secret chats can, but are not obliged, to use perfect forward secrecy; Telegram clients are not required to use it, nor is a minimum key-rotation period required.