Telegram is one of the most popular secure communication apps, and is especially popular in the crypto community. However, some question whether it offers the strongest security and privacy options. If you value security/privacy above all else, consider using Signal as a complement or alternative. If you’re using Telegram, read on.
Secure Your Mobile Number
If possible, use a separate phone number (e.g., Google Voice) to create your Telegram account.
Use Two-Step Verification
When you (or an attacker) sign in to your Telegram account on a new device, Telegram relies solely on an SMS code sent to your mobile number, which puts you at risk in a SIM swap attack. You should enable two-step verification, which requires you to enter a password when you sign in on new devices. This is done in Settings > Privacy and Security > Two-Step Verification.
Set a Passcode Lock
The passcode is device-specific and not tied to your Telegram account. When you set up an additional passcode (4-digit PIN), a lock icon will appear on the chats page. You can tap it to lock and unlock the app. Once a passcode is set, you can also choose to hide the app’s content in the Android task switcher.
By default, chats that you send over Telegram are encrypted in Telegram’s cloud (meaning that Telegram can access your chats). You must specifically start a “secret chat” to encrypt a chat end-to-end. Secret chat messages can also be set to self-destruct after they have been read or opened by the recipient.
In Settings > Privacy and Security, you can restrict who can view several pieces of your data (e.g., your phone number, when you were last online, your profile photo). You should restrict all of these to either “Nobody” or “My contacts”.