A secure-messaging pitch under serious scrutiny

TeleGuard markets itself as a highly encrypted messaging service, but multiple security researchers told 404 Media that the app’s cryptographic design is so weak that its headline security claims may not hold up at all. According to that reporting, the app uploads users’ private encryption keys to the company’s server and transmits enough additional information to make decryption straightforward.

If accurate, that would cut against the core promise of end-to-end encryption. In a properly designed end-to-end system, the private key used to decrypt messages should remain on the user’s device. The server may help route messages or store public keys, but it should not possess what it needs to unlock private communications.

What researchers say TeleGuard does wrong

The report outlines several problems. First, TeleGuard uploads an encrypted version of the user’s private key to the company’s server when the account is registered. That alone would already be a sensitive design choice. But the report says the app also uploads other information that allows the server to decrypt that key.

Among the details described by researchers are:

  • The user’s unique ID is uploaded along with the key.
  • A hardcoded salt is used even though salts are normally random and unique per user.
  • A hardcoded nonce is used even though nonces are likewise expected to vary with every encryption.

Researchers told 404 Media that this combination means the company has everything needed to decrypt every user’s private key. The report adds that an attacker could at least partially derive the key by intercepting traffic, and that one researcher found it possible to retrieve a specific user’s private key by inserting their user ID into TeleGuard’s API.
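To make the reported failure concrete, the following added example (written for this page, not TeleGuard’s code; the report does not give the actual key-derivation function, so the assumption that the wrapping key is derived from the user ID plus the fixed salt is mine, and the salt, nonce, user ID and private key bytes are constructed placeholders) models a key-wrapping scheme whose only inputs are values the server already holds, next to one where the wrapping key comes from a secret that never leaves the device. The stream cipher is SHA-256 in counter mode with an HMAC tag, chosen so the example runs on the Python standard library alone; it stands in for a real AEAD and is not something to ship.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the fixed values the report describes. The real
# values are not on the page; what matters is that they are identical for
# every user and shipped inside the app.
HARDCODED_SALT = b"constructed-fixed-salt"
HARDCODED_NONCE = b"constructed-fixed-nonce"
TAG_LEN = 32


def derive_wrapping_key(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. The KDF is fine; the question is what feeds it."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a demonstration stream cipher, not a production AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, sealed: bytes):
    """Returns the plaintext, or None if key/nonce do not verify the tag."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- The design the report describes (assumed KDF input: user ID + fixed salt) ---
def weak_upload(user_id: str, private_key: bytes) -> dict:
    """Client at registration: wraps the private key with a key derived from non-secret inputs."""
    key = derive_wrapping_key(user_id.encode(), HARDCODED_SALT)
    return {"user_id": user_id, "wrapped_key": seal(key, HARDCODED_NONCE, private_key)}


def server_recovers_weak(upload: dict):
    """Server side: the upload plus the app's constants is everything it needs."""
    key = derive_wrapping_key(upload["user_id"].encode(), HARDCODED_SALT)
    return unseal(key, HARDCODED_NONCE, upload["wrapped_key"])


# --- A design in which the private key stays private ---
def strong_upload(user_id: str, private_key: bytes, passphrase: bytes) -> dict:
    """Client: the wrapping key comes from a device-held secret; salt and nonce are fresh randomness."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_wrapping_key(passphrase, salt)
    return {"user_id": user_id, "salt": salt, "nonce": nonce,
            "wrapped_key": seal(key, nonce, private_key)}


def server_attempts_strong(upload: dict):
    """Server side: the same recomputation, but now only the user ID is available to feed the KDF."""
    key = derive_wrapping_key(upload["user_id"].encode(), upload["salt"])
    return unseal(key, upload["nonce"], upload["wrapped_key"])


def device_unwraps_strong(upload: dict, passphrase: bytes):
    """Device side: it holds the passphrase, so it can rebuild the wrapping key."""
    key = derive_wrapping_key(passphrase, upload["salt"])
    return unseal(key, upload["nonce"], upload["wrapped_key"])


if __name__ == "__main__":
    priv = b"constructed-private-key-material"
    print("weak design, server recovers key:", server_recovers_weak(weak_upload("user-42", priv)) == priv)
    s = strong_upload("user-42", priv, b"device-held passphrase")
    print("strong design, server recovers key:", server_attempts_strong(s) is not None)
```

Two observable consequences follow directly from the fixed inputs: the server (or anyone holding the upload and the app binary) rebuilds the wrapping key by recomputing the same derivation, and two registrations of the same user produce byte-identical ciphertext because neither salt nor nonce ever changes. In the second design the server’s identical recomputation fails the tag check, since the one input it lacks is the only one that is secret.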

Why that matters

Private keys are the foundation of secure messaging. Other users encrypt messages with a public key, and only the holder of the private key should be able to decrypt them. If the server can reconstruct that private key, then the operator of the service is no longer meaningfully excluded from the conversation. If outside attackers can do the same, the risk becomes even more severe.

This is why the report treats the issue as more than an implementation bug. It points to a design problem that undermines the app’s advertised security model. A system can say it offers end-to-end encryption, but that label becomes hard to defend if the service itself can access the keys required to read private messages.

The larger lesson in encrypted apps

The TeleGuard case is also a reminder that the encrypted-messaging market is uneven. Apps often advertise privacy with simple marketing language, but secure cryptographic design depends on exact implementation choices. Those choices are usually invisible to ordinary users.

The 404 Media report explicitly frames this as part of a broader wild west in encrypted messaging, where not all apps deserve the same level of trust. That distinction matters because many people assume that any service using phrases like secure, encrypted, or end-to-end encrypted must follow the same technical standards as more established privacy tools.

In reality, security hinges on issues that sound small but are not. Randomness has to be real randomness. Private keys have to remain private. APIs should not expose cryptographic secrets. And server-side convenience cannot come at the expense of the trust model the company is advertising.

A credibility problem, not just a coding problem

TeleGuard’s website, as quoted in the report, says “No storage of data. Highly encrypted. Swiss made,” and also says chats and calls are end-to-end encrypted. Those claims now stand in direct conflict with the researcher findings summarized by 404 Media.

The article does not include a full technical audit or a final legal adjudication of those marketing claims. But it does present a coherent set of reported failures that go to the heart of whether the app should be trusted for confidential communication.

For users, the practical implication is simple. Encryption branding is not enough. When researchers say a service uploads private keys, relies on hardcoded cryptographic values, and makes message decryption trivial, that app stops looking like a secure haven and starts looking like a warning.

This article is based on reporting by 404 Media.