An Empirical Comparison of Security and Privacy Characteristics of Android Messaging Apps
Ioannis Karyotakis, Foivos Timotheos Proestakis, Evangelos Talos, Diomidis Spinellis, Nikolaos Alexopoulos

TL;DR
This study compares the security and privacy features of Android messaging apps using static and dynamic analysis, revealing differences in attack surface, permissions, and network activity among Meta Messenger, Signal, and Telegram.
Contribution
It introduces a methodology for analyzing messaging apps' implementation characteristics and applies it to compare popular Android clients.
Findings
Messenger has the largest attack surface and the most static-analysis warnings.
Telegram requests the most dangerous permissions.
Signal shows a minimal design, with fewer dependencies and permissions.
Abstract
Mobile messaging apps are a fundamental communication infrastructure, used by billions of people every day to share information, including sensitive data. Security and Privacy are thus critical concerns for such applications. Although the cryptographic protocols prevalent in messaging apps are generally well studied, other relevant implementation characteristics of such apps, such as their software architecture, permission use, and network-related runtime behavior, have not received enough attention. In this paper, we present a methodology for comparing implementation characteristics of messaging applications by employing static and dynamic analysis under reproducible scenarios to identify discrepancies with potential security and privacy implications. We apply this methodology to study the Android clients of the Meta Messenger, Signal, and Telegram apps. Our main findings reveal…
