Which messaging app takes the most limited approach to permissions on Android?
Messaging apps handle sensitive conversations, contacts, and media, and their behavior on a device varies in ways that affect privacy. An analysis of Android versions of Messenger, Signal, and Telegram shows that differences in permissions, background activity, and system exposure shape how much data each app can access and how often it communicates.
Permissions define access to device and user data
The three apps take different approaches. Telegram has the lowest total number of permissions at 71, though it includes the highest number of dangerous permissions at 25. Signal has 72 permissions, including 19 dangerous ones.
“Messenger, by contrast, requests the most (87) permissions in total, of which 24 are dangerous, and further stands out for requesting the most vendor specific “unknown” permissions,” researchers said.
These unknown permissions are not part of the standard Android system and are typically used either for communication between app components or for interaction with vendor-specific services.
Core messaging features rely on sensitive permissions
Access to sensitive resources such as contacts, camera, microphone, location, storage, and calendar is part of how messaging apps deliver core features.
Contact permissions support address-book integration, storage access enables media exchange, and camera, microphone, and location access are used for voice messages, video calls, and live location sharing.
Telegram and Messenger extend this access further with system-level permissions such as CALL_PHONE, SYSTEM_ALERT_WINDOW, and account management, which support functions like in-app calling and overlay interfaces.
Signal takes a more limited approach, omitting phone-call control, overlay windows, background location, calendar access, and package installation rights.
Configuration and network handling differences
Static analysis using the Mobile Security Framework (MobSF), a tool used to scan mobile apps for potential security issues, shows how these apps are set up and where problems can appear.
All three fall into the same “medium risk” range, meaning they include a mix of findings that could matter depending on how the apps are used. Messenger stands out for having far more flagged issues than the others, especially in the medium-severity range.
One difference appears in how network traffic is handled. Telegram allows cleartext connections by default through the usesCleartextTraffic setting, which leaves its traffic open to interception. Signal uses encrypted connections by default and allows limited cleartext traffic only for certificate checks.
Messenger’s findings are more varied. These include world-writable files and WebViews with remote debugging enabled, both of which can allow data tampering or inspection at runtime. A certificate-related warning was examined more closely and turned out to be a false positive, since Messenger uses its own TLS implementation with built-in certificate validation.
The apps also differ in how they rely on external services. Messenger includes third-party SDKs such as Google Analytics and Mapbox. Signal and Telegram do not declare third-party trackers. All three use Firebase Cloud Messaging to deliver notifications, and the analysis did not find any leakage of sensitive data through that channel.
Where data travels
Messenger exchanges most of its traffic with North America, with additional connections in South America and Europe.
Telegram’s traffic is concentrated in Europe, with smaller volumes in the United States, Asia, and Oceania. Signal’s traffic is also centered in Europe, with additional connections in the United States and Asia.