NEWS: MAX doesn't like VPNs. So much so that it's ready to block your chats

pinkman

A messenger who knows more about your smartphone than you do.
The MAX messenger is once again at the centre of a high-profile privacy dispute. The author of a technical review says he studied the application's APK and found in it mechanisms that can collect information about installed programs, contacts, VPNs, network connections, calls and mini-apps. Some of the findings look serious, but they require independent verification and comment from the developers.

According to the author, MAX has a built-in MEX module from VK that obtains the list of applications installed on the phone. System packages are filtered out, and for the rest the package name and installation time are allegedly collected. If the list has changed, the application can send the server not just the difference but a full updated list.

A separate part of the analysis is devoted to VPNs. The author writes that MAX checks for the presence of a VPN connection using standard Android tools and can show a warning asking the user to disable the VPN. According to him, a server flag can tighten the application's behaviour, to the point that chats and mini-apps are blocked until the user disables the VPN.

Serious questions are raised by the handling of the address book. The analysis says that the app tracks changes to contacts, sends the size of the phone book and can transmit hashes of numbers, including the numbers of people who are not registered with MAX. How often the data is collected and in what batches it is sent is, according to the author, dictated by the server.

The author also claims that the application supports forced updates through its own server, bypassing Google Play. When the server flag is enabled, the current version may stop sending messages and receiving calls, and the user will see a screen demanding that the application be updated.

Another controversial finding relates to mini-apps and NFC. The analysis describes a service that can transmit to an NFC terminal data prepared by the currently open mini-app. The author clarifies that this is not about bank payments, but such a mechanism is potentially suitable for passes, loyalty cards and other non-payment scenarios.

The material lists other findings: server flags for fake chats and a built-in app rating prompt, checks for the availability of external services such as Telegram and WhatsApp, hidden push commands to delete messages from the local database, location requests, configuration of the call route and disabling of TLS session verification via a server parameter.

Separately, the author describes the audio modules. According to him, older versions of MAX contained components for on-device speech and keyword recognition, and in version 26.16.0 part of this code was removed. At the same time, the infrastructure that allows models to be downloaded from the server allegedly remains.

The most serious claims concern the application's ability to record raw audio during calls, collect the real external IP address through a hidden trace_flow module, use Widevine DRM for a stable device fingerprint, and a ZipSlip vulnerability in the file download service. The latter, according to the author, could allow files inside the application's sandbox to be overwritten, including settings and local databases.

Another risk relates to Mobile ID. The analysis says that MAX allows unencrypted HTTP requests to the domains of Russian telecom operators so that they can add the phone number to the request headers. This approach is used for authorization without SMS, but the open channel raises obvious questions about security and access control. The author also argues that a similar mechanism is available to trusted mini-apps through an internal interface.

The publication is a one-sided technical statement and is not a final conclusion.
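The ZipSlip class mentioned in the post (an archive entry whose name contains `../` so that a naive extractor writes outside the target directory) is easy to reproduce and easy to check for. The block below is an added example and is not code from the review or from MAX: the archive is constructed inline, the sandbox directory is a throwaway temp tree, and `extract_unsafe` / `extract_safe` are hypothetical extractor functions showing the vulnerable pattern beside the hardened one.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and one ZipSlip entry.

    The '../../escaped.txt' member is the kind of name a hostile server
    could return to a downloader that uses member names verbatim.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("files/readme.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "overwritten by attacker\n")
    return buf.getvalue()


def extract_unsafe(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the member name to dest with no containment check.

    'dest/../../escaped.txt' resolves outside dest, so the archive author
    chooses where the file lands (settings, local databases, ...).
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no check here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: validate every member before writing anything.

    Each member's final path is resolved with realpath and must stay inside
    the resolved dest; commonpath (rather than startswith) avoids accepting
    '/tmp/app2' as being inside '/tmp/app'. Any bad member rejects the
    whole archive so no partial write happens.
    """
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"ZipSlip entry rejected: {info.filename!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive in a temp tree.

    Returns which paths escaped the sandbox and whether the hardened
    extractor rejected the archive, so behaviour can be asserted on.
    """
    data = build_malicious_zip()
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "sandbox", "files_dir")
        os.makedirs(sandbox)
        root = os.path.realpath(sandbox)
        written = extract_unsafe(data, sandbox)
        result["unsafe_escaped"] = [
            p for p in written if os.path.commonpath([root, p]) != root
        ]
        sandbox2 = os.path.join(tmp, "sandbox2", "files_dir")
        os.makedirs(sandbox2)
        try:
            extract_safe(data, sandbox2)
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        result["safe_wrote_anything"] = bool(os.listdir(sandbox2))
    return result


if __name__ == "__main__":
    print(demo())
```

The two-pass structure in `extract_safe` matters: checking and writing in one loop still leaves earlier members on disk when a later one is rejected, which is exactly the partial-overwrite situation an extractor inside an app sandbox should avoid.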