Key Takeaways:
- An obscure Israeli company called TeleMessage offers modified versions of secure messaging apps like Signal, WhatsApp, Telegram, and WeChat, primarily for archiving purposes to meet compliance requirements for organisations, including the U.S. government.
- Former National Security Advisor Mike Waltz was reportedly photographed using a modified version of Signal by TeleMessage, labelled "TM SGNL," during a cabinet meeting, bringing attention to the use of such apps in sensitive government contexts.
- Despite being based on Signal’s open-source code, TeleMessage lacked core security defences such as robust app attestation and secure token-based API access control. This allowed the repackaged and unverified app to establish trust with the Signal backend and interact with secure infrastructure as if it were legitimate.
- A hacker successfully breached TeleMessage and stole customer data, including contents from direct messages and group chats from its modified apps. This hack demonstrated serious vulnerabilities, revealing that archived chat logs were not end-to-end encrypted between the modified app and the archiving destination.
- Data related to sensitive entities, including Customs and Border Protection (CBP) and the cryptocurrency giant Coinbase, were reportedly included in the hacked material.
- The incident underscores the critical need for app attestation, which ensures only authentic, unaltered app versions running in secure environments can access backend APIs.
- Key components of effective app attestation include runtime integrity verification and dynamic token issuance. This approach prevents repackaged, emulated, or jailbroken clients from accessing protected endpoints or receiving secrets.
- Solutions like Approov offer third-party app attestation services that provide comprehensive coverage across iOS and Android, including on jailbroken or rooted devices where platform-native solutions may be limited. Approov also includes features like dynamic certificate pinning and runtime secrets protection.
- The sources suggest that widespread API insecurity is partly due to limitations in platform-native security tools from Apple and Google and their resistance to allowing deeper integration of third-party security solutions.
- While Signal’s end-to-end encryption is a strong foundation, its leadership has been criticised for not addressing the security mechanics that uphold it, specifically app attestation. Encryption alone is not sufficient if the app client itself can be easily repackaged and compromised.
- The lack of attestation enforcement has tarnished Signal's brand reputation, as users cannot easily differentiate between the legitimate app and a clone.
- Organisations handling sensitive data should mandate app attestation and token-based API access, utilise robust third-party attestation services, and hold app providers accountable for architectural flaws that enable brand misuse. Security must begin with verifying the source of every API call.
- Read more about the TeleMessage hack: Based on "The Signal Clone the Trump Admin Uses Was Hacked" and "What Is TeleMessage? Mike Waltz Reportedly Caught Using Obscure App". (Note: Specific URLs are
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!