Spyke
piefed.zip

Would an F-Droid release have found this issue? 

9
artyom
piefed.social

No, but it would have avoided it since it's compiled from source.

14

Yeah... one of the criticisms levied at F-Droid is that you need to trust them over the app developers but as we can see in cases like this, I think that's a feature, not a bug.

It's one reason I'll never use something like Obtainium for instance.

20

PSA on anyone who used this. Terminate your session via active sessions on another telegram app after you "log out"

This app ALSO doesn't properly invalidate your session token like most apps do, so even though it "logs out" on the UI, the auth token to the telegram stays active.

While there hasn't been any evidence that it transmits auth tokens, since it was confirmed AND admitted that they logged phone numbers, it's better to be safe than sorry.

5

Well shoot. That was a good messenger too.

Edit: Looking into it. It looks like the dev even admitted to it as well. So that's surprising.

Link may require telegram

4

So, assuming good faith, they used two Telegram bots for some service functionality

These two bots are used to resolve username from user id, e.g. tg://user?id=25

Obviously, that should never happen silently. But these findings don't necessarily mean data has been compromised [beyond the scope of the app itself].

I get they may be very frustrated and annoyed at the negative blowback after their FOSS efforts, but dismissing concerns isn't a good way to respond.

2

I use Forkgram but it acts a little weird sometimes. First it shouts empty notifications randomly, usually 2 back to back. When I open Firefox somehow Forkgram opens a notification too. It doesn't happen every time but still it's weird. Anyone with similar behaviors on that app?

1
programming.dev

Why the fuck do people who know what a "github" is, much less how to post issues use Telegram?

-9

Why do you think everybody needs to know how to use a microsoft website for using a messenger? Is everybody in your life a software developer?

1


Spyware distributed using modified code in Nekogram release. Dev closes issue without response. | Spyke