HackApp: Telegram secret chat geolocation leak. How you should NEVER design your App. Part 2
URL:http://blog.hackapp.com/2013/12/telegram-secret-chat-geolocation-leak.html
UPD: I've just received confirmation from Telegram that a patched version was released a few hours ago. Here is the patch on GitHub.
A few days ago Mr. Durov announced a bug bounty for Telegram protocol decryption. Below it is shown how private data from a secret chat can be captured without any decryption at all, because of a design failure.
Test environment:
Android 4.3 launched in VirtualBox
Wireshark launched on the host machine
HTC One with Android 4.0.3
Telegram 1.3.800 (in VirtualBox)
Method:
Let's install Telegram and call the users Alice and Bob. After that, we create accounts in Telegram and add each device to the other's contact list.
Now we start a secret chat:
Sending a test message:
As we can see in Wireshark, all data goes through SSL and looks encrypted.
But what if we try to send an attachment, for example a geolocation? The geolocation of secret chat members could be quite interesting in some cases :). Let's tap the 'send' button...
Bum!! We've got a clear-text TCP session! Let's take a closer look..
Telegram uses the default unencrypted Google Maps API to resolve the map snippet. From a security and anonymity point of view this is THE fail. It means that a person who controls the channel can capture all "geo-attachments" going through a secret chat in both directions (incoming and outgoing) using just a passive sniffer.
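To make the point above checkable, here is an added example (not code from the original post, nor Telegram's own code) of a small audit helper: it scans a list of HTTP request URLs, such as one would export from a Wireshark capture, and flags every request that carries coordinates over plain HTTP, i.e. exactly what a passive sniffer on the channel would read. The sample URLs, the query parameter names and the map host are constructed assumptions; the post does not show the exact request the app made. The enforce_https helper shows the client-side mitigation: the map-snippet request must never leave the device in cleartext.

```python
"""
Added example (not from the original post): audit a list of HTTP request
URLs and flag cleartext map requests that carry a position.

Assumptions: the sample URLs, the map host and the query parameter names are
constructed for illustration; the real request is not shown on the page.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of request URLs, as one might export from a capture
# (assumption: only the URL per request is needed for this check).
SAMPLE_REQUESTS = [
    "http://maps.googleapis.com/maps/api/staticmap?center=55.7558,37.6173&zoom=15&size=300x200",
    "https://api.example.org/v1/messages",
    "http://maps.googleapis.com/maps/api/staticmap?markers=51.5074,-0.1278&size=300x200",
    "https://maps.googleapis.com/maps/api/staticmap?center=48.8566,2.3522&zoom=12&size=300x200",
]

# "lat,lon" pair with a decimal fraction; negative values allowed.
COORD_RE = re.compile(r"(-?\d{1,3}\.\d+),(-?\d{1,3}\.\d+)")

# Query parameters under which a map service commonly receives a position
# (constructed list; extend it for the service you actually audit).
POSITION_PARAMS = ("center", "markers", "ll", "q")


def extract_coordinates(url):
    """Return (lat, lon) as floats if the URL's query carries a position, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    for key in POSITION_PARAMS:
        for value in query.get(key, []):
            match = COORD_RE.search(value)
            if match:
                return float(match.group(1)), float(match.group(2))
    return None


def is_cleartext_location_leak(url):
    """True when a position travels over plain HTTP, readable by a passive sniffer."""
    return urlsplit(url).scheme == "http" and extract_coordinates(url) is not None


def audit(urls):
    """Return (url, (lat, lon)) for every request that leaks a position in cleartext."""
    return [(u, extract_coordinates(u)) for u in urls if is_cleartext_location_leak(u)]


def enforce_https(url):
    """Client-side mitigation: rewrite a cleartext map request to HTTPS before sending."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return parts.geturl()


if __name__ == "__main__":
    for url, coords in audit(SAMPLE_REQUESTS):
        print(f"LEAK lat/lon {coords} via {url}")
        print(f"  fixed: {enforce_https(url)}")
```

Run against the constructed sample, the audit reports the two http:// map requests and leaves the HTTPS ones alone; the same function can be fed real URLs exported from a capture of your own app under test, which is the regression check an app vendor wants before shipping a "secret" feature.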
In practice, if Mr. Snowden sends his geolocation using Telegram to someone who is under NSA wiretapping, a Tomahawk will be enough to make Gen. Alexander satisfied.