Messenger Requests the Most Android Permissions, Elevating Enterprise Privacy Risks
What Happened — A recent Help Net Security analysis compared Android versions of Messenger, Signal, and Telegram. Messenger requested 87 total permissions (24 dangerous), the highest among the three, while also using the most vendor‑specific “unknown” permissions. All three apps landed in a “medium risk” rating based on static analysis.
Why It Matters for TPRM —
- Excessive permission requests increase the attack surface of any third‑party messaging app used by employees.
- Vendor‑specific unknown permissions can expose data to proprietary services that are hard to audit.
- Cleartext network traffic (Telegram) and risky WebView configurations (Messenger) may enable interception or tampering of corporate communications.
Who Is Affected — Enterprises that allow or encourage the use of consumer messaging apps on corporate‑issued Android devices, especially in finance, healthcare, and government sectors where data confidentiality is regulated.
Recommended Actions —
- Conduct a permissions audit of all approved messaging apps on employee devices.
- Restrict installation of apps that request unnecessary dangerous or unknown permissions.
- Enforce network policies that block cleartext traffic and disable remote debugging in WebViews.
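One way to automate the permissions audit recommended above, as an added example that is not code from the Help Net Security analysis or from MobSF: it reads a decoded AndroidManifest.xml and reports dangerous, special-access and vendor-specific permissions plus an explicit usesCleartextTraffic="true". The permission lists, the max_dangerous threshold, the rule that treats anything outside android.permission as "unknown", and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: a subset of Android runtime ("dangerous") permissions; extend per policy.
DANGEROUS = {"CALL_PHONE", "READ_CONTACTS", "GET_ACCOUNTS", "CAMERA", "RECORD_AUDIO",
             "READ_SMS", "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION"}
# Special app-access permissions, reported separately from runtime permissions.
SPECIAL = {"SYSTEM_ALERT_WINDOW"}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="com.example.vendor.permission.BADGE_WRITE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

def audit_manifest(xml_text, max_dangerous=1):
    """Summarise requested permissions; max_dangerous is a hypothetical policy budget."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted APKs
    names = {el.get(ANDROID_NS + "name")
             for tag in ("uses-permission", "uses-permission-sdk-23")
             for el in root.iter(tag)}
    names.discard(None)  # the set also removes duplicate declarations
    report = {"total": len(names), "dangerous": [], "special": [],
              "unknown": [], "violations": []}
    for name in sorted(names):
        prefix, _, short = name.rpartition(".")
        if prefix != "android.permission":   # assumption: vendor-specific = "unknown"
            report["unknown"].append(name)
        elif short in DANGEROUS:
            report["dangerous"].append(short)
        elif short in SPECIAL:
            report["special"].append(short)
    app = root.find("application")
    report["cleartext"] = (app is not None and
                           app.get(ANDROID_NS + "usesCleartextTraffic") == "true")
    if len(report["dangerous"]) > max_dangerous:
        report["violations"].append("dangerous-permission budget exceeded")
    if report["unknown"]:
        report["violations"].append("vendor-specific permissions need review")
    if report["cleartext"]:
        report["violations"].append("cleartext traffic explicitly allowed")
    return report

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Only an explicit usesCleartextTraffic="true" is flagged; an absent attribute falls back to a default that depends on the app's target SDK and any network security configuration, so treat a clean result as "not explicitly enabled" rather than "blocked".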
Technical Notes — The analysis used Mobile Security Framework (MobSF) static scans. Messenger’s high permission count includes CALL_PHONE, SYSTEM_ALERT_WINDOW, and account‑management rights. Telegram permits cleartext traffic via the usesCleartextTraffic manifest attribute. Signal adopts a more restrictive permission set, omitting phone‑call control and background location. All three apps fall into a “medium risk” category due to a mix of medium‑severity findings.
Source: https://www.helpnetsecurity.com/2026/04/03/android-permissions-privacy-risks-research/