On SMS logins: an example from Telegram in Iran
thomwithoutanh's bookmarks 2016-08-08
Summary:
Most mobile messaging apps these days use SMS as a login technique. It’s convenient because the user doesn’t need to remember yet another username or identifier, and the telcos take care of the identity management, for example re-assigning your phone number to you if you lose your phone. SMS messages are trivial for your telecom provider to intercept, and in almost all countries providers actively cooperate with the state to help intercept text messages and phone calls. Nor is it only your telecom provider: devices such as IMSI catchers give a local adversary a cheap and efficient way of intercepting text messages.
This is not specific to Telegram: any other service where an SMS is all you need to log in is affected as well. But unlike Telegram, many other messaging applications don’t store your messages and content server-side.
This is a reminder for all users of messaging apps in risky environments: verify fingerprints.
SMS activation in most messaging apps is comparable to signing in to your Jabber server when using OTR: it is just your login to the message server. Unless you verify fingerprints, you are still at risk of interception.
- Enable 2-Step authentication (and review your active sessions while you’re at it), and only use “secret chats”.
- Or simply move to an application that won’t store plaintext messages on its servers if you’re operating in such a risky environment.