Messaging applications serve as vital conduits for sensitive conversations, contacts, and media, yet their operational behaviors on devices can significantly influence user privacy. A recent analysis of the Android versions of Messenger, Signal, and Telegram reveals that variations in permissions, background activities, and system exposure play crucial roles in determining the extent of data access and communication frequency for each app.
Permissions define access to device and user data
The trio of messaging apps adopts distinct strategies regarding permissions. Telegram, for instance, maintains the lowest total number of permissions at 71, albeit with the highest count of dangerous permissions at 25. Signal follows closely with 72 permissions, including 19 that are deemed dangerous. In stark contrast, Messenger requests the most permissions overall, totaling 87, of which 24 are classified as dangerous. Notably, Messenger also stands out for its request for the highest number of vendor-specific “unknown” permissions, which are not part of the standard Android framework and typically facilitate communication between app components or interactions with vendor-specific services.
Core messaging features rely on sensitive permissions
Access to sensitive resources such as contacts, camera, microphone, location, storage, and calendar is essential for messaging apps to deliver their core functionalities. For instance, contact permissions enable address-book integration, while storage access facilitates media exchange. Furthermore, permissions for the camera, microphone, and location are crucial for features like voice messaging, video calls, and live location sharing. Telegram and Messenger extend their access with system-level permissions such as CALLPHONE, SYSTEMALERT_WINDOW, and account management, which support functionalities like in-app calling and overlay interfaces. In contrast, Signal adopts a more conservative stance, refraining from requesting permissions for phone-call control, overlay windows, background location, calendar access, and package installation rights.
Configuration and network handling differences
Utilizing the Mobile Security Framework (MobSF), a tool designed to identify potential security issues within mobile applications, the analysis sheds light on the configuration of these apps and potential vulnerabilities. All three apps fall within a “medium risk” category, indicating a blend of findings that could vary in significance based on user behavior. Messenger is particularly noteworthy for having a considerably higher number of flagged issues compared to its counterparts, especially in the medium-severity range. One notable distinction is in their network traffic management. Telegram permits cleartext connections by default through the usesCleartextTraffic setting, which exposes its traffic to interception. Conversely, Signal employs encrypted connections by default, allowing limited cleartext traffic solely for certificate checks. Messenger’s findings present a more mixed picture, including world-writable files and WebViews with remote debugging enabled, both of which could potentially facilitate data tampering or inspection during runtime. A certificate-related warning was scrutinized further and determined to be a false positive, as Messenger utilizes its own TLS implementation with integrated certificate validation. Additionally, the apps differ in their reliance on external services; Messenger incorporates third-party SDKs such as Google Analytics and Mapbox, while Signal and Telegram do not disclose the use of third-party trackers. All three apps utilize Firebase Cloud Messaging for notification delivery, and the analysis did not uncover any leakage of sensitive data through this channel.
Where data travels
In terms of data exchange, Messenger predominantly routes its traffic through North America, with additional connections in South America and Europe. Telegram’s traffic is primarily concentrated in Europe, with lesser volumes observed in the United States, Asia, and Oceania. Signal’s data flow also centers around Europe, supplemented by connections in the United States and Asia.
