In a troubling development that should alarm everyone involved in mobile security and privacy, a cloned version of the Signal app—TeleMessage—was deployed by the U.S. government and subsequently compromised. The clone, built from open-source Signal code, lacked basic protections like app attestation and secure token-based API access. The result? A door wide open to adversaries.
And this isn’t just about one app. It’s about a systemic failure to adopt known security solutions—failures that even respected platforms like Signal and Telegram have been slow to address.
TeleMessage was essentially a repackaged version of Signal, modified and rebranded. It was not authorized by Signal, and yet it was used in environments expecting Signal-grade security. Without proper backend validation, the app was able to interact with secure infrastructure as if it were legitimate.
This isn’t an isolated incident. Telegram has faced similar issues, with unofficial forks leading to compromised user environments. The pattern is clear: failure to enforce app integrity at the API level puts users and systems at risk.
App attestation is the gold standard for ensuring that only verified, untampered instances of a mobile app are granted access to backend APIs. Here's how it helps:
With a solution like Approov, this can be done dynamically, at scale, across iOS and Android—even on rooted or jailbroken devices.
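To make the backend side of this concrete, here is an added example (written for this article; it is not Approov's SDK, nor Signal's or TeleMessage's server code) of the "validate the source of every API call" step. It assumes a JWT-style attestation token signed with HMAC-SHA256 under a secret shared only between an attestation service and the API backend, carried in a hypothetical `Attestation-Token` header, and carrying an `app` claim naming the expected app identity; the app identifier, header name, secret and timestamps are constructed placeholders. The integrity check that would precede minting a token is out of scope here; the point shown is that a repackaged clone, having no access to the shared secret, cannot produce a token the backend accepts, and that expiry and algorithm pinning close the obvious replay and confusion holes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed placeholder. In a real deployment this secret lives only on the
# attestation service and the API backend; it must never ship inside the app,
# otherwise a clone can simply extract it and mint its own tokens.
SHARED_SECRET = b"example-shared-secret-not-for-production"
HEADER = {"alg": "HS256", "typ": "JWT"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(app_id: str, ttl_seconds: int = 300, now: Optional[int] = None,
                secret: bytes = SHARED_SECRET) -> str:
    """What an attestation service would mint after the app passed its integrity check.
    (The integrity check itself is assumed, not implemented, in this example.)"""
    now = int(time.time()) if now is None else now
    payload = {"app": app_id, "iat": now, "exp": now + ttl_seconds}
    head = _b64url_encode(json.dumps(HEADER, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    return f"{head}.{body}.{_b64url_encode(_sign(signing_input, secret))}"


def verify_token(token: str, expected_app_id: str, now: Optional[int] = None,
                 secret: bytes = SHARED_SECRET) -> Tuple[bool, str]:
    """Return (accepted, reason). Every failure path is explicit so it can be logged."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        payload = json.loads(_b64url_decode(body))
        presented = _b64url_decode(sig)
    except ValueError:  # covers base64 errors, bad UTF-8 and bad JSON
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed claims"
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = _sign(f"{head}.{body}".encode("ascii"), secret)
    if not hmac.compare_digest(presented, expected):  # constant-time comparison
        return False, "bad signature"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired"
    if payload.get("app") != expected_app_id:
        return False, "wrong app identity"
    return True, "ok"


def handle_api_request(headers: dict, expected_app_id: str,
                       now: Optional[int] = None) -> Tuple[int, str]:
    """API gate: refuse the call before any business logic runs unless attestation holds."""
    token = headers.get("Attestation-Token")
    if not token:
        return 401, "missing attestation token"
    ok, reason = verify_token(token, expected_app_id, now=now)
    if not ok:
        return 401, reason
    return 200, "request served"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    app = "org.example.messenger"  # constructed placeholder app identity
    good = issue_token(app, now=t0)
    print(handle_api_request({"Attestation-Token": good}, app, now=t0))
    # A repackaged clone has no access to SHARED_SECRET, so whatever it signs
    # with fails the signature check, however faithfully it mimics the app.
    forged = issue_token(app, now=t0, secret=b"guessed-by-clone")
    print(handle_api_request({"Attestation-Token": forged}, app, now=t0))
    print(handle_api_request({}, app, now=t0))
    print(handle_api_request({"Attestation-Token": good}, app, now=t0 + 600))
```

The short lifetime matters as much as the signature: a token captured from a legitimate client is only useful for minutes, and pairing the `exp` check with a pinned algorithm keeps a stolen or crafted token from being replayed or re-signed under a weaker scheme. Native App Attest and Play Integrity verdicts, or a third-party attestation service, would slot in at the point where `issue_token` is called.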
It’s a fair question.
Signal, under CEO Meredith Whittaker, continues to champion end-to-end encryption—rightfully so. But encryption means nothing if your client is compromised before the first message is sent.
The lack of attestation and API-level controls makes it easy for malicious actors to exploit Signal’s good name by creating clones that aren’t easily distinguishable by backend systems. The result? A tarnished brand, broken trust, and real-world security lapses.
Let’s not forget the ecosystem enablers.
Both Apple and Google provide native app attestation services (App Attest and Play Integrity, respectively), but these are incomplete. They don’t work reliably on jailbroken/rooted devices, and neither company allows third-party solutions to integrate fully into their security stacks.
This closed approach actively suppresses innovation in mobile app security and makes life harder for vendors working to secure the entire API surface.
If your organization values trust, data protection, and operational integrity, it's time to act:
We can’t rely on encryption alone. We must validate the source of every API call—and we have the tools to do it.
Let’s make this the wake-up call the industry needs.
If your team is looking to shore up mobile app defenses, get in touch or explore Approov’s SDK and integration toolkit at approov.io.