Malcore scans files and programs to detect risks and malware.
To come to a final score out of 100, it assigns 2.5 points per tracker or token found, 0.05 for a severity warning in code analysis results, 0.15 for a high severity warning in code analysis, 0.075 for a suspicious permission and 0.25 for a dangerous permission. The higher the score, the greater the deemed risks and permissions, some of which may be unnecessary for the app’s operation.
“Most applications will need a score to function, normally in the safe zone under 30 is good,” Internet 2.0 co-founder David Robinson told The Australian Financial Review.
“The Malcore scoring process is to give consumers visibility of what access and data is being accessed across industry.
“We hope that by publishing these it encourages social media companies to only access data that is functional, keep their source code up to date and reduce the amount of data they sell into the ecosystem.”
Viber delivered the riskiest score, at 46.7 out of 100 with 11 trackers found, including from Google and Snapchat.
Overall, Telegram scored 17.2 out of 100, and included the Huawei tracker as well as one from Google, ahead of encrypted messaging app Signal, which had one tracker from the Google ecosystem, and scored 21.8.
While nearly all apps had Google trackers, Mr Robinson said it was surprising to find a Huawei tracking token in Telegram.
“Telegram markets itself as secure messenger app to communicate outside of authoritarian regime (Russia) surveillance. The results that some data is being sent to Huawei makes us question Telegram as a safe application,” Mr Robinson said.
“To be certain about what data is sent to Huawei, a dynamic analysis by manual source code review would need to be conducted.”
He said a Huawei tracker was problematic because China co-operated with Russia, and many Ukrainians were using Telegram amid Russia’s invasion of their country.
“It’s openly being used. It’s a standard development operations function. The point is its data is going back to China and Huawei,” he said.
China’s National Intelligence Law of 2017 requires organisations and citizens to “support, assist and co-operate with the state intelligence work”.
The legislation was a major consideration for the Australian government’s 2018 ban of Chinese telecommunications companies, including Huawei and ZTE, from providing equipment in the rollout of 5G mobile phone networks.
An automated bot response from Telegram said the app was committed to protecting user privacy and human rights, such as freedom of speech and assembly.
“[Telegram] has played a prominent role in pro-democracy movements around the world, including in Iran, Russia, Belarus, Myanmar and Hong Kong.”
The founder and owner of Telegram, Pavel Durov, left Russia in 2014, the automated response said, after losing control of his previous company for refusing to hand over the data of Ukrainian protesters to security agencies.
Among popular messaging apps, Facebook Messenger, surprisingly, scored the best at 14.05 – it had one tracker, its own. WhatsApp, which is also owned by Meta, scored 26.25, with one tracker from Google.
“We assess, as they have a lot more resources to keep their code mature, [Facebook] did not include any Google ecosystem trackers and it is only a segment of their Facebook platform,” Mr Robinson said.
Across all the messaging apps, Mr Robinson said users should be able to turn off permissions for access to different data from the phone, or request that it only be used when using the app.
He warned that users should be aware of what permissions they grant apps and not go with the default “grant all access” that apps often seek.
“[Users should] delete apps that they are not currently using and be aware of where the application is headquartered. China and Russia-based applications might have a low score but still have to comply with their authoritarian governments, which puts the data that specific app has access to at more risk.”