Telegram with Onion

I’m pretty much a noob for things related to privacy on a phone.
My threat model is using Telegram only on that phone.
Nothing else.

Was thinking of using it with onion.

What could be the best way to achieve that?

Was thinking of Orbot. Is it the way to go?

I don’t know much about onion / Orbot, but AFAIK Orbot on Android has some issues where some traffic could leak, so I don’t think using them on Android for anonymity is a good choice. However, my understanding could be outdated as I was never really interested in using it. I know nothing about iOS though.

Although the Telegram client is open source, the main concern is all the data / metadata supplied to Telegram, with which, unless you have excellent OPSEC, you could be tracked over time.

There are other points to think about regarding whether you could safely use Telegram in the first place.

  1. Telegram officially changed their policy in late 2024, saying they would cooperate with LE. For example, data of thousands of users had been handed to the US.
  2. Last month the Chinese government demonstrated its ability to mass-surveil Telegram users; more explanation from a Telegram channel can be found here (written in Chinese).
  3. Unless you use an anonymous, deactivated phone number to hold the account, you could also be tracked if Telegram handed your user info to LE.
  4. Telegram is a buggy programme which enabled a lot of attacks in the past. Again, unless you have excellent OPSEC, using it to discover random topics or chat with random people is risky.
  5. If you use Telegram bots / business, it opens another attack factor.

I do have Telegram account and I still use it from time to time, but you really need to know what you are doing before using it.

1 Like

source?

It is due to how VPN on Android works. IIRC Orbot uses the VPN slot.

1 Like

Even if you use the Tor Network and register your account with a disposable phone number/device, Telegram can still read your messages if you don’t use secret chats. If you are active on group chats, there is nothing preventing someone from identifying you based on fingerprinting.

At that point, you might as well just use Matrix or Signal.

1 Like

Telegram offers private groups and offers features that restrict message copying and forwarding.

While it is useful for very basic users, these are useless to stop more advanced users and userbots from scraping that content.

Those features give users a false sense of security, which is very bad.

That being said, Telegram is still a feature-rich messenger, and could be useful for some use cases.

They’re not private if random Telegram users can’t read them. They’re private if Telegram as a service provider can’t read them. Which is not the case. Telegram doesn’t have end-to-end encrypted group chats.

1 Like

Orbot has no obvious leaks I know of right now, and this can be further enforced by using the “Block connections without VPN” system setting.

Using the VPN function is directly what makes it so robust.

Orbot on iOS does have issues, but it is very reliable on Android.

Orbot in full device VPN mode with block connections enabled in system settings and additionally I’d recommend enabling the Tor isolation options in Orbot settings:

  • Isolate destination addresses
  • Isolate destination ports
  • Isolate client protocols

4 Likes

Actually I argue, “Block connections without VPN” still has issues on stock Android: Google Issue Tracker

2 Likes

Eh, yes, there are some edge cases, many of them are mitigated on GrapheneOS, but those are not Orbot-specific.

1 Like

Thanks for clarifying for me.

On the other hand, I am not sure if Telegram’s official client encrypts push notifications. I tried to read their documentation but could not make sense of it.

If OP uses stock Android or GOS with GMS installed, I think it is something worth finding out beforehand. (Depends on OP’s threat model)

I only have my Telegram on my PC, so this is not my top concern.