How Telegram Messenger circumvents Google Translate's API

392 points | decrypt | 4 years ago | danpetrov.xyz

277 comments

[+] barnabee|4 years ago|reply
Someone deleted an interesting comment about adversarial interoperability [0]

I’d love to see and give money to a project to create and maintain easy to use and stable “adversarial interoperability” APIs for as many services and products as possible.

Perhaps companies and projects would not often use these directly because of the risks (hopefully some would, though!) but individuals could drop the library or the URL to a server hosting it into their apps to gain extra features.

If standardised, whole open source apps could be built around them that allow querying and analysis of data from services and aggregating and automating using the services including optimising prices, taking advantage of offers, and using undocumented APIs to the users' advantage.

Maybe something architected and incentivised like https://thegraph.com/ for adversarial intercom and undocumented APIs. Building as a network of nodes and funding with crypto would make it harder to attack and take down.

[0] https://www.eff.org/deeplinks/2019/10/adversarial-interopera...

[+] leodriesch|4 years ago|reply
I don’t understand the way this was implemented.

They are bound to get in trouble with Google for this, but they can’t easily pull the feature. They can’t just be like „oh you’ve had translate for two weeks now, but now we can’t pay for it, so it’s gone.“

What is the long term thinking behind this? Or is this just developers and management not communicating?

[+] simias|4 years ago|reply
Yeah I'm a bit shocked honestly that it made it into an application as widely used as Telegram. It's bound to be detected eventually and the feature will suddenly break. Such a strange software engineering decision.

They can't even plausibly pretend that they didn't know and it's all a big misunderstanding given the lengths they went to obfuscate it in the code.

[+] PragmaticPulp|4 years ago|reply
This seems like one of those features that leadership demanded with a “just make it happen” decree and no budget for API calls.

Then some developers facing a deadline cobbled together something that “just made it happen” so they could kick the can down the road with something that worked, ideally long enough to collect their bonuses and find a new job so it becomes someone else’s problem.

Or maybe Telegram the company just likes to abuse other people’s things and see how long they can get away with bad behavior. Who knows.

[+] zenexer|4 years ago|reply
“Google cut us off—they’re the bad guys, not us. Blame them.”

…but with more elegant phrasing.

[+] ComodoHacker|4 years ago|reply
> They are bound to get in trouble with Google for this

From first look, I don't think they are. Telegram gets a new feature, Google gets more data to mine. It's a win-win. I just hope they'll be clear with their users about sending data to Google.

[+] cj|4 years ago|reply
As a small company who spends $70-80k per year on Google's official Translate API, it's disappointing if Google allows this type of abuse to continue.

If they don't want to pay, they should be using a free open source alternative like https://github.com/LibreTranslate/LibreTranslate

[+] aenis|4 years ago|reply
This can't work for long. Translate is a profit center for google, and this also shows others that they can disregard google's monetization model for translate.

Commercial use of those APIs is common, despite translate being pretty expensive. Also, GCP current leadership is so hell bent on nickel-and-diming their customers, and their compensation packages are so dependent on value share growth, that they simply can't afford anyone openly violating their pricing models. Especially a popular app. My guess is this will be down within the first week of January.

[+] hdjjhhvvhga|4 years ago|reply
I'm curious what techniques they will use to differentiate between Telegram and non-Telegram users. If I were them, I'd simply use my power leverage and threaten them to remove the app from the Play store unless they remove/fix the offending code - it's much simpler than an eternal mouse-and-cat game, with possible collateral damage.
[+] skinkestek|4 years ago|reply
As someone who has often defended Telegram I am somewhat puzzled by this one.

While the legal aspects of this might have to be decided by someone more skilled than me I feel they are morally on the same ground as early Google and if Google makes a big case of it it might backfire spectacularly.

More interesting is it that Telegram sends user texts directly to Google without any proxying (did I get that right and has the author studied it carefully enough?).

This might (again, if this blog post is correct and I read it correctly) be an actual dangerous move from Telegram. Unlike the problems that many here worry about regarding E2E-encryption, this can potentially drag Telegram down to WhatsApp levels, sending huge amounts of user data straight into Google.

Then of course, we'll need to see. Very much of what Telegram has done security wise is very well thought out and has improved over time.

Recently for example when I started my backup of one of the groups I participate in I had to confirm from a mobile client or wait 24 hours to start backup. Account recovery is almost automagically simple but has some nifty touches to prevent account hijacking. Settings to delete the account if I fail to log in have existed for years, I wonder if they even did this before Google launched it.

So now I am anxious to know if Telegram has done something brilliant again or if this is a turning point.

[+] chrisfosterelli|4 years ago|reply
> Very much of what Telegram has done security wise is very well thought out and has improved over time

This is not my understanding of the situation at all. There's no end-to-end encryption by default [0], and the end-to-end encryption they do have received significant controversy at launch [1] for being essentially a "roll your own" crypto solution which indeed ended up being found to have some issues [2].

They disable the OS backup and instead they effectively store all their users' contacts, messages, media, etc. directly on their servers except for the conversations that the users directly opt out of by turning on e2e. They've promised since 2014 to open source everything but the backend, which stores all this data, is still closed source.

For small group or individual messaging, whatsapp, signal, or matrix are far better choices. I think it's worth acknowledging that telegram has a much bigger focus on large groups and therefore has to make different security tradeoffs, so I think if we consider telegram a social media service it's pretty good -- but is not the best messenger.

[0]: https://www.howtogeek.com/710344/psa-telegram-chats-arent-en...

[1]: https://www.vice.com/en/article/wnx8nq/why-you-dont-roll-you...

[2]: https://eprint.iacr.org/2015/1177.pdf

[+] danpetrov|4 years ago|reply
Telegram is great if you like shiny native features like stickers and having lightweight native clients, but at everything else Telegram is at risk of losing in the long-term.

The big reason for this is that Telegram decided to roll everything mostly on their own (including e.g. MTProto), Telegram is not compatible with Matrix unless you use a bridge, it is not e2e encrypted (unless you use mobile 1-to-1 secret chats). The server side code is proprietary, and the builds of the clients that are published to the app stores could be anything.

While I love using Telegram right now for talking to some groups of friends, I would look at supporting https://matrix.org , since it will likely become the de-facto standard of building messaging platforms.

[+] patcon|4 years ago|reply
> Very much of what Telegram has done security wise is very well thought out and has improved over time

Though I'm certainly not a cryptography expert, I used to work on Tails OS and some Tor-related projects, and I feel I know where/how to listen to the experts.

Having said that, I am a hard disagree on the quoted statement.

My understanding is that there have been very few improvements that they weren't dragged into. imho telegram is a reckless tool from a cryptographic point of view, and still highly suspect

[+] judge2020|4 years ago|reply
> without any proxying (did I get that right and has the author studied it carefully enough?).

Most likely, since the user-agent rotation code is in the app itself. If it were a Telegram proxy, the proxy would do its own UA and IP hopping and the clients would use their default UAs.

At a certain point, I wonder why Google's abuse team don't simply look for 3+ occurrences of User Agent strings because UA rotation is rarely used for legitimate purposes.

[+] gcr|4 years ago|reply
it's my understanding that Telegram won't automatically translate messages unless the user chooses to click the translate button, and the option to enable the translate button does disclose that translated message content is sent to google.
[+] ckastner|4 years ago|reply
I think it's possible to construct a (very weak) argument for the random user agent rotation, but why split the string if not to avoid being flagged?

On the other hand, I find it hard to believe that Telegram would risk a Play Store ToS violation, given how many tens of millions of users use the app.

[+] vesinisa|4 years ago|reply
Pretty sure at the point you have over a billion(!) installs, even Google affords some leniency towards its Play Store policies. Or at least we are about to find out anyway..

Meanwhile, indie developers with smaller user base are subject to unappealable automated decisions.

[+] lima|4 years ago|reply
Telegram is well-known for operating in grey areas.
[+] arihant|4 years ago|reply
I'm not sure if Google will start flagging the IP addresses of the users because of each request having a different agent. That would render normal Translate unworkable for them too!
[+] wccrawford|4 years ago|reply
Isn't Google going to move to always having the user agent be the same anyhow? They've already decided to break that contract with the tech community, so I don't see that they have much room to talk there.
[+] drath|4 years ago|reply
On one hand, it's quite asshole-ish. On the other, google is serving broken frontends to their services and charge ridiculous prices on their API's. When I tried to make a third party search using google engine, I've exhausted the limit in less than an hour. It'd cost me like $40/mo to get what I get for free using their crappy frontend.
[+] PragmaticPulp|4 years ago|reply
> On the other, google is serving broken frontends to their services and charge ridiculous prices on their API's.

How does that make this okay? Nobody is entitled to get a company’s services for free just because you think their price is too high or their front ends aren’t built to your liking.

[+] typingmonkey|4 years ago|reply
Like telegram did with the translate api, there is also a way to have an unlimited api for search results. You have to find one of the old mobile pages of google.
[+] zarzavat|4 years ago|reply
The following predictable chain of events will happen. Someone working at Google will read this blog post and report it internally. Google will contact Telegram and inform them that they are violating the Play Store agreement and could they please use the official API instead. Telegram will remove the feature as they can't spend the GDP of the Earth on translations. The end.
[+] mdasen|4 years ago|reply
"It's a bold strategy, Cotton. Let's see if it pays off for 'em"

Deciding to use the Google Translate API in a way that bypasses Google's API-key system seems like a dangerous game. Google controls your access to the Android platform† and now that this blog post has been published, it seems like Google could remove the app from the Play Store for unauthorized access of Google services.

If they'd found a way to use an API from some third party, maybe that third party would try and shut it down or whatnot. In this case, it feels like they're poking the bear - especially given how much traffic they might throw at it. At some point, Google might get annoyed that an API that they charge a lot of money for is being used for free and somewhat legitimately remove Telegram from the Play Store. Google can pretty legitimately claim that the Telegram app was accessing Google's servers in an unauthorized way and that they went through steps to obfuscate their access which shows that they knew what they were doing was wrong and tried to hide it.

This seems like a bold move. Google might simply shrug and not care. Google might decide that they'll remove Telegram from the Play Store permanently. Google might decide they'll only allow Telegram in the Play Store if it doesn't have translation features. If Google removes Telegram from the Play Store, that's basically the end of Telegram. As people bought new phones, the number of people reachable on Telegram would dwindle‡. As the app no longer could receive updates, eventually it would become old and stale. They'd have to start moving to another platform whether WhatsApp or Signal or Matrix.

†sure, other stores and side-loading exist on Android, but Google does control access for the vast majority of Android users (at least in the US/Europe).

‡yes, maybe one can transfer apps and side-loading does exist, but the number of users would dwindle

[+] kedmi|4 years ago|reply
It's smart.

It allows Telegram users to hide in plain-sight, within the noise of other Google Translate web users.

I'm pretty sure that using the official pre-built java SDK, as suggested by the author, would allow Google to cluster the content of Telegram users (since app-specific id/token should be sent).

Other than that, a great read and kudos to the author for shedding light on it.

Edit: typo.

[+] xg15|4 years ago|reply
I think Google can still cluster Telegram users pretty easily, especially now that the method is in the open.

Yes, Telegram fakes the user-agent, but the rest of the request still looks very different from a request an actual browser would do. (No referrer, missing headers, different connection pooling behaviour, possibly different TLS and HTTP2 behaviour, etc).

So if Google is doing any detection for browser vs non-browser requests, those requests should show up as suspicious.
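
A sketch of the two server-side signals raised in this thread (judge2020's "3+ User-Agent strings" per client and xg15's missing browser headers), combined so that a shared NAT address with several real browsers is not flagged. This is an added example, not part of any comment and not Google's or Telegram's code; the JSON log fields, the 600-second window, and the choice of Referer and Accept-Language as the "browser" headers are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample log, one JSON object per request (field names are assumptions).
SAMPLE_LOG = """\
{"ts": 0, "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0", "referer": "", "accept_language": ""}
{"ts": 30, "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "referer": "", "accept_language": ""}
{"ts": 60, "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux) Firefox/95.0", "referer": "", "accept_language": ""}
{"ts": 90, "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/90.0", "referer": "", "accept_language": ""}
{"ts": 5, "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0", "referer": "https://translate.google.com/", "accept_language": "en-US"}
{"ts": 40, "ip": "203.0.113.20", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "referer": "https://translate.google.com/", "accept_language": "de-DE"}
{"ts": 300, "ip": "203.0.113.20", "ua": "Mozilla/5.0 (X11; Linux) Firefox/95.0", "referer": "https://translate.google.com/", "accept_language": "en-GB"}
{"ts": 10, "ip": "192.0.2.55", "ua": "Mozilla/5.0 (X11; Linux) Firefox/95.0", "referer": "", "accept_language": ""}
{"ts": 20, "ip": "192.0.2.55", "ua": "Mozilla/5.0 (X11; Linux) Firefox/95.0", "referer": "", "accept_language": ""}
{"ts": 0, "ip": "192.0.2.99", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0", "referer": "https://translate.google.com/", "accept_language": "fr-FR"}
{"ts": 1000, "ip": "192.0.2.99", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "referer": "https://translate.google.com/", "accept_language": "fr-FR"}
{"ts": 2000, "ip": "192.0.2.99", "ua": "Mozilla/5.0 (X11; Linux) Firefox/95.0", "referer": "https://translate.google.com/", "accept_language": "fr-FR"}
"""

UA_THRESHOLD = 3      # distinct User-Agents per client, per the "3+" suggestion
WINDOW_SECONDS = 600  # assumed look-back window

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def rotating_ips(events, threshold=UA_THRESHOLD, window=WINDOW_SECONDS):
    """Map each IP to its peak distinct-UA count inside any window, if >= threshold."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["ua"] for e in evs[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

def headerless_browser_claims(events):
    """Count, per IP, requests that claim a browser UA but send neither header."""
    counts = defaultdict(int)
    for e in events:
        if e["ua"].startswith("Mozilla/") and not e["referer"] and not e["accept_language"]:
            counts[e["ip"]] += 1
    return dict(counts)

def suspicious(events):
    """IPs that both rotate UAs and send browser UAs without browser headers."""
    rot, bare = rotating_ips(events), headerless_browser_claims(events)
    return sorted(ip for ip in rot if bare.get(ip, 0) > 0)

if __name__ == "__main__":
    print(suspicious(parse(SAMPLE_LOG)))
```

In the sample, 203.0.113.20 stands in for an office NAT (three real browsers, headers present) and 192.0.2.99 for one address whose User-Agent changes over a long period; neither is reported, which is the false-positive case either signal alone would get wrong.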

[+] hdjjhhvvhga|4 years ago|reply
> It's smart.

On the contrary - it's the most stupid thing to do. The only result will be their users wondering soon why this function is broken.

[+] giomasce|4 years ago|reply
It doesn't look very well hidden if there are blog posts about it...
[+] rossmohax|4 years ago|reply
Telegram should have disclosed that every time someone uses this feature, their IP address is leaked to Google.
[+] Anunayj|4 years ago|reply
also the content of the translated message is leaked in plain text too?
[+] fault1|4 years ago|reply
I think they already do: https://imgur.com/a/7UIFLxT

Well, the plain text, not the IP, but that should be implicit with how web services work.

[+] Gigachad|4 years ago|reply
Telegram includes google services baked in to the app for things like maps.
[+] Krasnol|4 years ago|reply
I doubt users of Telegram care much or they wouldn't use Telegram in the first place.
[+] yosito|4 years ago|reply
I really don't understand this. Is Telegram a legitimate app? If so, then why are they attempting to rip off other companies' work without paying them? You want an integration with a translation API? Then pay a fair price for one, or build your own?

If Telegram really can't afford an integration, just make a translate button that opens a link to https://translate.google.com/?sl=es&tl=en&text=API%20de%20tr...

Edit: not to mention the privacy implications of sending messages to Google.

[+] 01acheru|4 years ago|reply
I used something like this years past for image resizing, the URL was: https://images1-focus-opensocial.googleusercontent.com/gadge...

It is now blocked, always responds 403, maybe tweaking some request parameters can make it work again.

Edit: if you want to try it out the parameters I used were:

- container: focus (there are other values I cannot find anymore)

- url: urlencoded URL of the image to be resized

- resize_w: width in px

- resize_h: height in px

[+] dandiep|4 years ago|reply
One thing I don't see mentioned here is that the Google Cloud version of Translate is actually different than the user-facing one at translate.google.com. At least when I tried it a year ago, the Google cloud version was vastly inferior. I suspect it has to do with licensing agreements around certain datasets. Very curious if anyone knows more on this...
[+] ape4|4 years ago|reply
There are bound to be duplicate phrases for translation over all the many Telegram users. Why not cache to avoid API calls. How many times do you have to use the API to translate "OK" or other commonly used words.
[+] Const-me|4 years ago|reply
Visiting a publicly available web page doesn’t create contractual obligation between end users and web server owners.

If Google views what telegram is doing as abuse, then how is it different from what end users are doing while interacting with the https://translate.google.com/ web page? Especially if these end users are running an ad blocker or two in their web browser? BTW, uBlock origin blocked 4 pieces of content on that web page.

[+] morelish|4 years ago|reply
Quite a lot of libraries exist to do this. But doing this in an app with a large user base looks offensive. Solution would be for some decent open source translation APIs to appear.
[+] bencollier49|4 years ago|reply
Using undocumented API features in a commercial product seems a bit fly-by-night to me - doesn't convey the best impression of the company.
[+] ssl232|4 years ago|reply
I guess, given its popularity, Google won't kick Telegram off the store for obfuscating the URL and using an unauthorised (?) API endpoint but I imagine this will get them in some sort of trouble.
[+] robby_w_g|4 years ago|reply
> I imagine this will get them in some sort of trouble.

I'm not sure about this.

I bet Google is happy to collect the text data of up to 500 million users with zero restrictions from Telegram's end on how the data is used. I'm not a lawyer, but my hunch is that Google's data privacy policy applies to the official, premium service: https://cloud.google.com/terms/data-processing-terms

Google might make the determination that they'll get more value from allowing Telegram to abuse the unofficial API. However, they might face some angry customers who are paying a premium to use the official API now that this loophole has been published.

[+] littlecranky67|4 years ago|reply
I think they could do it. In Germany, Telegram is often cited by media as a platform for (illegal) right-wing, antivax and hatespeech. Some politicians openly demand to go after Telegram and/or block it. So google could kill two birds with one stone here. At least remove it from the Play Store in some countries.