Telegram is not open-source. The API specification and the end client are open, but the backend infrastructure remains closed. Also, the default messaging mode is not end-to-end encrypted and all such messages and media are stored on the Telegram servers, which enables synchronisation between multiple end devices of the same user. Secret chats are end-to-end encrypted and so are voice calls, but the former have to be initiated explicitly.

Still, open-source does not equate secure. Mathematically proving the strength of a cypher algorithm or of an encryption protocol is very hard, and until it has been done for Telegram’s MTT the protocol should not be considered secure.