Get Started

Telefuel Security and Privacy Model

Overview

Telefuel is an unofficial Telegram client for power-users and teams that lets users organize their chats into workspaces and folders, filter by chat types and unread messages, and access keyboard shortcuts and other productivity features.

Telefuel leverages modern technologies in order to mitigate man-in-the-middle attacks for users. We've taken steps to eliminate any possibility that someone can snoop on your messages, including ourselves.

Telefuel bundles the Telegram API library along with the application so that all data requests to Telegram happen client-side. In other words, your Telegram data stays on your device and never touches Telefuel servers, except in certain cases which we'll outline below.

Your Telegram data stays on your device and never touches Telefuel servers.

Technical Explanation

Telegram uses MTProto, an encrypted messaging protocol optimized for fast file transfers between mobile applications. Realizing that building mobile applications are hard and that they should focus on developing the TON blockchain, the Telegram team released a C++ library called tdlib that manages network and data synchronization between Telegram servers and client applications over MTProto.

We use tdlib for all of our applications so that we can iterate quickly and focus on developing features that delight our users.

Currently, our stack consists of React, Electron and Go. Since tdlib is a c++ library, we took steps to compile tdlib to a WebAssembly module (wasm), which we embed into our web and desktop applications.

The implication of this work is that all your encrypted Telegram data moves between your device and Telegram, and does not pass through Telefuel servers. We do not sit in the middle as illustrated in the diagram below.

Figure 1: Data Flow - Man in the middle mitigation

Example: Authentication

In order to access the Telefuel Application, users must go through Telegram's authentication flow:

  • Enter phone number
  • Enter SMS code or passcode from another client
  • Enter optional password if 2-step authentication is enabled

As you progress through each of these steps, it's important to note that your phone number, passcode, and password are never sent to Telefuel servers.

Instead, all of your data is passed to tdlib (mentioned above), which is then sent to Telegram's servers via MTProto.

Telefuel Authentication

After you've been authenticated by Telegram, you need to establish an authenticated session with Telefuel. The way we do it is a bit clever:

  • Once we've verified that the user is authenticated and can receive updates from Telegram via tdlib, the Telefuel Application will send a /start command to the Telefuel Bot.
  • Telegram sends the command to Telefuel's servers along with the user's information, which is then stored in our database.
  • Now the user is authenticated with Telefuel and can access their workspaces and folders.

What do you store?

In order to provide users with the ability to organize their chats into workspaces and folders across multiple devices, Telefuel needs access to the following Telegram metadata:

Workspaces / Folders

Telegram Chat IDs

You

First Name
Last Name
Username
Telegram ID

We'll never store

(unless given explicit permission and consent by you)
Message texts, photos, videos, documents or any other message types
Who you're chatting with
Chat titles or usernames
Your contact list

FAQ

Do you have end-to-end encryption for Telefuel data?
Currently no, but we're actively researching solutions in a future release.
Do you send any data to third parties?
We send metrics to third party service to improve product experience. You can opt out of this at anytime.
Get the latest Telefuel blog posts and product updates sent to your inbox.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.