Study Shows Which Messengers Leak Your Data, Drain Your Battery, and More (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Link previews are a ubiquitous feature found in just about every chat and messaging app, and with good reason. They make online conversations easier by providing images and text associated with the file that's being linked. Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries, and, in one case, expose links in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were messengers from Facebook, Instagram, LinkedIn, and Line. More about that shortly.

The researchers behind Monday's report, Talal Haj Bakry and Tommy Mysk, found that Facebook Messenger and Instagram were the worst offenders. As the chart below shows, both apps download and copy a linked file in its entirety -- even if it's gigabytes in size. Again, this may be a concern if the file is something the users want to keep private. It's also problematic because the apps can consume vast amounts of bandwidth and battery reserves. Both apps also run any JavaScript contained in the link. That's a problem because users have no way of vetting the security of JavaScript and can't expect messengers to have the same exploit protections modern browsers have.

LinkedIn performed only slightly better. Its only difference was that, rather than copying files of any size, it copied only the first 50 megabytes. Haj Bakry and Mysk reported their findings to Facebook, and the company said that both apps work as intended. Meanwhile, when the Line app opens an encrypted message and finds a link, it appears to send the link to the Line server to generate a preview. "We believe that this defeats the purpose of end-to-end encryption, since LINE servers know all about the links that are being sent through the app, and who's sharing which links to whom," Haj Bakry and Mysk wrote. Discord, Google Hangouts, Slack, Twitter, and Zoom also copy files, but they cap the amount of data at anywhere from 15MB to 50MB. [This chart] provides a comparison of each app in the study.
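An added example, not code from the study, the article or any of the apps named: a link-preview generator that avoids the two behaviours described above by reading only a capped prefix of an HTML body, skipping non-HTML files entirely, and parsing Open Graph tags without running any script. The 64 KB cap, the function names and the sample page are assumptions made for illustration.

```python
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap, not a figure from the study

# Constructed sample page: an Open Graph tag, a script, then ~200 KB of filler.
SAMPLE_HTML = (b'<html><head><meta property="og:title" content="Quarterly report">'
               b'<script>document.title = "set by script"</script></head><body>'
               + b"A" * 200_000 + b"</body></html>")


class OpenGraphParser(HTMLParser):
    """Collects og:* meta tags. Script text is parsed as inert data, never run."""

    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta.setdefault(a["property"][3:], a.get("content") or "")


def read_capped(stream, limit=MAX_PREVIEW_BYTES, chunk=4096):
    """Read at most `limit` bytes from a binary stream, however large the source."""
    buf = bytearray()
    while len(buf) < limit:
        part = stream.read(min(chunk, limit - len(buf)))
        if not part:
            break
        buf += part
    return bytes(buf)


def build_preview(content_type, stream):
    """Return preview fields; only HTML bodies are read, and only up to the cap."""
    if not content_type.lower().startswith("text/html"):
        return {"title": None, "bytes_read": 0}  # never copy a linked file
    data = read_capped(stream)
    parser = OpenGraphParser()
    parser.feed(data.decode("utf-8", errors="replace"))
    return {"title": parser.meta.get("title"), "bytes_read": len(data)}


def demo():
    return build_preview("text/html; charset=utf-8", io.BytesIO(SAMPLE_HTML))
```

In a real client the stream would be the HTTP response body, with the connection closed once the cap is reached.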

  • The good ones (Score:4, Informative)

    by AmiMoJo ( 196126 ) on Tuesday October 27, 2020 @09:12AM (#60653754) Homepage Journal

    For reference the good ones that encrypt end-to-end, don't leak data and don't make ridiculous security gaffes are:

    WhatsApp
    Viber
    Threema
    Signal
    iMessage

    • Re:The good ones (Score:5, Insightful)

      by Anonymous Coward on Tuesday October 27, 2020 @09:23AM (#60653778)

      I would remove WhatsApp from that list solely because of who owns them.

      • by AmiMoJo ( 196126 )

        Practically speaking WhatsApp is the most useful because it has the most users.

        Signal's Android app is bloated to hell and tries to take over everything. I wish there was a Light version.

        The others I haven't heard of apart from iMessage which is Apple only.

        • Viber rules in Eastern Europe and Russia. It's pretty good...

        • Do you have a malware version of Signal? The one I got from the Google store isn't bloated and isn't trying to take over everything.
          • Re:The good ones (Score:4, Interesting)

            by AmiMoJo ( 196126 ) on Tuesday October 27, 2020 @11:50AM (#60654268) Homepage Journal

            It requires your phone number to sign up. To be fair so does WhatsApp but Signal is supposed to be private.

            Anyway, from the Google Play store, here are the permissions it wants:

            Photos / Media / Files
            - read the contents of your USB storage
            - modify or delete the contents of your USB storage
            Microphone
            - record audio
            Calendar
            - read calendar events plus confidential information
            - add or modify calendar events and send email to guests without owners' knowledge
            Contacts
            - find accounts on the device
            - read your contacts
            - modify your contacts
            Location
            - approximate location (network-based)
            - precise location (GPS and network-based)
            Camera
            - take pictures and videos
            Identity
            - find accounts on the device
            - modify your own contact card
            - read your own contact card
            Device ID & call information
            - read phone status and identity
            Storage
            - read the contents of your USB storage
            - modify or delete the contents of your USB storage
            Phone
            - directly call phone numbers
            - read phone status and identity
            Wi-Fi connection information
            - view Wi-Fi connections
            SMS
            - send SMS messages
            - receive text messages (SMS)
            - edit your text messages (SMS or MMS)
            - read your text messages (SMS or MMS)
            - receive text messages (MMS)
            Other
            - send WAP-PUSH-received broadcast
            - receive data from Internet
            - send sticky broadcast
            - use accounts on the device
            - toggle sync on and off
            - create accounts and set passwords
            - change your audio settings
            - set wallpaper
            - connect and disconnect from Wi-Fi
            - install shortcuts
            - read sync settings
            - view network connections
            - change network connectivity
            - run at startup
            - pair with Bluetooth devices
            - disable your screen lock
            - prevent device from sleeping
            - control vibration
            - full network access

            Aside from anything else this vast number of permissions creates a massive attack surface and makes Signal itself a prime target. Personally I don't want it to take over handling of SMS messages or be able to change my wallpaper or replace my phone dialer thanks.

            I think this would be a more reasonable list:

            Photos / Media / Files
            - read the contents of your USB storage
            - modify or delete the contents of your USB storage
            Camera
            - take pictures and videos
            Other
            - full network access

            All you need is to chat and maybe send a few photos.

            • Re:The good ones (Score:4, Informative)

              by BAReFO0t ( 6240524 ) on Tuesday October 27, 2020 @12:39PM (#60654532)

              Yes, and
              1. Google groups permissions. You cannot request one of the functions listed for a group without requesting the entire group. The listed functions for a group are just a broad list of examples anyway. Frankly, I think Google made this misleading by design.
              2. It ONLY asks for those permissions when you actually need them for the requested function. (E.g. camera when you want to send a picture without a third party camera app playing man in the middle.) And how do you expect an SMS replacement app to work as expected without SMS permissions? Or send a voice message without microphone access? Etc.
              3. Have you taken a peek at WhatsApp's permissions? Which is closed source, btw. A 100% deadly absolute no-go.

              Had you actually looked into it, then you'd know Moxie explains it all in great detail, and it is implemented well, and you should frankly verify that in the source yourself with your big mouth regarding checking what a thing does.

              Clearly you want something nobody but you and your obsessive minimalism that is bordering on unhealthy wants. And clearly, what you want isn't even compatible with the permissions you listed.

              I bet you're the type who yells at others they should read the 20-page terms & conditions and license agreements, but secretly syncs to the "cloud" and clicked "I agree" every time.

              • by AmiMoJo ( 196126 )

                To be clear I'm not saying WhatsApp is any better. I'm saying that Signal shouldn't be as bad as WhatsApp.

                Maybe it's time for a fork. I don't know if it can be done in a way that removes the need for a phone number though.

                I did have Signal on my phone for years, but don't know anyone who uses it. I'd keep it if it wasn't so bloated. Very slow to open and always seemed to be nagging about something.

        • Wat? On what planet is Signal "bloated"? Take over? Did you install some malware from a fake site or something?

          Especially from somebody praising WhatsApp... which is, frankly, insane.

          If you are a forum troll, partisan, or something, you are doing a really transparent job.

          Oh, and your sig seems to be pro-SJW... No comment.

        • Signal is becoming more popular here in Europe, it seems more people are switching every day. These days almost all my messaging is done on Signal; I use WhatsApp for a handful of contacts and a few groups.
          • by AmiMoJo ( 196126 )

            I wish that was the case in the UK but my friends all seem to prefer WhatsApp or email, and I've tried to get them to switch. Managed to get one on to GPG for email for a while but he got fed up with it.

        • Signal's Android app is bloated to hell

          The desktop version is just as bad, and apart from the massive bloat it also leaks memory even more than Firefox, I have to restart it about once a day to release the enormous amount of memory it's sucked up by then.

      • by egyas ( 1364223 )

        Amen to this! +1

      • I would remove WhatsApp from that list solely because of who owns them.

        Yes I remember learning "let's judge all books by their cover" at school.

    • by 1s44c ( 552956 )

      Telegram doesn't seem to be mentioned anywhere in this research. How odd.

      • by AmiMoJo ( 196126 )

        They left a couple off because they were still talking to the developers about fixing some of the issues and didn't want to tip off the bad guys, but it's pretty obvious that Telegram is one of them.

    • by GuB-42 ( 2483988 )

      Viber is not one of the good ones.

      It has the "Crashing Apps and Draining the Battery" problem. Which seems to be that you can have the app download huge files with no limit.

  • Redacted (Score:5, Insightful)

    by esperto ( 3521901 ) on Tuesday October 27, 2020 @09:14AM (#60653758)
    There are two app names redacted, I assume one is Telegram as it is a big player not listed there. The author says it is redacted because the issues were informed to the developers and are being corrected, but I don't see the point of redacting the names, just put a big asterisk next to it and explain that the behavior is being changed and once confirmed the text will be updated to reflect it. Who do they think they are, the CIA?
    • I don't see the point of redacting the names

      They may have received compensation to avoid damaging the PR for brand names.

  • Sorry. I tried to muster a shocked face.

    But, I just couldn't do it.

  • by MilliMicro ( 6251190 ) on Tuesday October 27, 2020 @09:41AM (#60653834)
    For anyone else who was confused as hell by the table in that link they've updated it to have notes which aren't stupid [arstechnica.net]. I don't know why they thought it was a good idea to use a big green tick to mean both "Yes, it is encrypted end-to-end" and "No, it doesn't drain your battery".
  • Signal is open-source and has designed their link previews in a safe manner. It's not even possible to determine the size of the shared content precisely, which could potentially compromise it in the event that it's published somewhere. There are also timing delays involved with all chat functions so it's unclear as to who is chatting with whom (unless one is having a live call and is not routing the traffic through Signal servers). Telegram has a history of security flaws, so unless it gets its act togethe
  • .. Stupid black rectangles over the text. If they don't want to tell us then why bother publishing it?

  • by Thelasko ( 1196535 ) on Tuesday October 27, 2020 @10:55AM (#60654076) Journal
    If you must use Facebook on your phone, use mbasic.facebook.com. All of the features you need, without the crap.
  • But it seems sms/mms applications on phones also do link previews etc. It would have been nice if they had included the texting apps that ship with phones or are available on the app stores in at least the data usage parts of the review.
