An Empirical Comparison of Security and Privacy Characteristics of Android Messaging Apps

📅 2026-03-31
🤖 AI Summary
This study addresses the lack of systematic evaluation regarding how architectural, permission-related, and network-behavioral differences among mainstream Android instant messaging applications impact security and privacy. The authors propose the first reproducible hybrid static and dynamic analysis framework to conduct a comprehensive comparison of Meta Messenger, Signal, and Telegram, examining their attack surfaces, permission usage, and network activities. Findings reveal that Messenger exhibits the largest attack surface and most frequent background communications, Telegram requests the highest number of dangerous permissions, and Signal adopts the most minimalistic design with the least network activity. All three apps comply with the Android permission model, and no instances of privilege escalation or unauthorized access were detected. This work provides the first systematic characterization of implementation-level security and privacy disparities among widely used messaging platforms.
📝 Abstract
Mobile messaging apps are a fundamental communication infrastructure, used by billions of people every day to share information, including sensitive data. Security and privacy are thus critical concerns for such applications. Although the cryptographic protocols prevalent in messaging apps are generally well studied, other relevant implementation characteristics of such apps, such as their software architecture, permission use, and network-related runtime behavior, have not received enough attention. In this paper, we present a methodology for comparing implementation characteristics of messaging applications by employing static and dynamic analysis under reproducible scenarios to identify discrepancies with potential security and privacy implications. We apply this methodology to study the Android clients of the Meta Messenger, Signal, and Telegram apps. Our main findings reveal discrepancies in application complexity, attack surface, and network behavior. Statically, Messenger presents the largest attack surface and the highest number of static analysis warnings, while Telegram requests the most dangerous permissions. In contrast, Signal consistently demonstrates a minimalist design with the fewest dependencies and dangerous permissions. Dynamically, these differences are reflected in network activity; Messenger is by far the most active, exhibiting persistent background communication, whereas Signal is the least active. Furthermore, our analysis shows that all applications properly adhere to the Android permission model, with no evidence of unauthorized data access.
Problem

Research questions and friction points this paper is trying to address.

security
privacy
messaging apps
Android
implementation characteristics
Innovation

Methods, ideas, or system contributions that make the work stand out.

static and dynamic analysis
Android messaging apps
attack surface
permission model
network behavior
Ioannis Karyotakis
AUEB & NTUA
Foivos Timotheos Proestakis
AUEB & NTUA
Evangelos Talos
AUEB & NTUA
Diomidis Spinellis
Professor, AUEB and TU Delft
Software Engineering, IT Security
Nikolaos Alexopoulos
AUEB