The Signal Clone Crisis: Why App Attestation Is No Longer Optional

May 20, 2025

In a troubling development that should alarm everyone involved in mobile security and privacy, a cloned version of the Signal app—TeleMessage—was deployed by the U.S. government and subsequently compromised. The clone, built from open-source Signal code, lacked basic protections like app attestation and secure token-based API access. The result? A door wide open to adversaries.

And this isn’t just about one app. It’s about a systemic failure to adopt known security solutions—failures that even respected platforms like Signal and Telegram have been slow to address.

What Went Wrong?

TeleMessage was essentially a repackaged version of Signal, modified and rebranded. It was not authorized by Signal, and yet it was used in environments expecting Signal-grade security. Without proper backend validation, the app was able to interact with secure infrastructure as if it were legitimate.

This isn’t an isolated incident. Telegram has faced similar issues, with unofficial forks leading to compromised user environments. The pattern is clear: failure to enforce app integrity at the API level puts users and systems at risk.

The Missed Opportunity: App Attestation + Token-Based API Access

App attestation is the gold standard for ensuring that only verified, untampered instances of a mobile app are granted access to backend APIs. Here's how it helps:


  • Verifies app integrity and runtime environment.
  • Issues short-lived tokens only to valid apps on uncompromised devices.
  • Blocks repackaged, emulated, or jailbroken clients from receiving secrets or accessing protected endpoints.

Why Aren’t Signal and Telegram Doing This?

It’s a fair question.

Signal, under CEO Meredith Whittaker, continues to champion end-to-end encryption—rightfully so. But encryption means nothing if your client is compromised before the first message is sent.

The lack of attestation and API-level controls makes it easy for malicious actors to exploit Signal’s good name by creating clones that aren’t easily distinguishable by backend systems. The result? A tarnished brand, broken trust, and real-world security lapses.

The Role of Apple and Google

Let’s not forget the ecosystem enablers.

Both Apple and Google provide native app attestation services—App Attest and Play Integrity—but these are incomplete. They don’t work reliably on jailbroken/rooted devices, and neither company allows third-party solutions to integrate fully into their security stacks.

This closed approach actively suppresses innovation in mobile app security and makes life harder for vendors working to secure the entire API surface.

A Call to Action

If your organization values trust, data protection, and operational integrity, it's time to act:


  1. Mandate app attestation in your mobile development lifecycle.
  2. Deploy token-based API access with runtime integrity verification.
  3. Reject repackaged or unauthorized apps at the server boundary.
  4. Advocate for open ecosystems that welcome third-party security tools.

We can’t rely on encryption alone. We must validate the source of every API call—and we have the tools to do it.

Let’s make this the wake-up call the industry needs.


JikGuard.com, a high-tech security service provider focusing on game protection and anti-cheat, is committed to helping game companies solve the problem of cheats and hacks, and providing deeply integrated encryption protection solutions for games.
