Last week, Russia announced it will require that all new phones and tablets sold within its borders pre-install a messaging app called Max. Security experts who did technical analyses of Max’s software for Forbes said it’s a privacy nightmare.
While Russia’s interior ministry has claimed the app, made by Russian social media giant VK, is more secure than competitors, a cybersecurity researcher found that Max constantly monitored all user activity on the app with“excessive tracking.” The researcher, who completed the analysis with phone forensics tool Corellium, asked to remain anonymous for fear of reprisals by Russian intelligence agencies.
“This app just gathers all the data and logs it. I don’t remember seeing that in any messenger app,” they said. “Max is not secure at all. There is no cryptography, unless it’s hidden very well, but I doubt that. It is insecure by design to serve its purpose: people surveillance.”
Max was launched in March, and appears to be limited to Russian and Belarussian phone numbers. Functionally it works similar to messaging apps like Telegram and Whatsapp, but it also has an AI chatbot called GigaChat 2.0 and the ability to book travel and make bank transfers
The researcher also noted that Max asks for permission to access things like the camera and microphone like standard mobile apps. They said its code is largely based on TamTam, an older messenger made by VK.
Patrick Wardle, a former NSA analyst and CEO of Apple-focused security firm DoubleYou, reviewed the analysis and confirmed its findings. Wardle also noted that Max’s code indicates built-in, high-accuracy background location tracking. “Real time location and access to communications of its citizens—what more could an authoritarian government want?” he said.
Asked to review the app, a Russian researcher, who also asked to remain anonymous, said they would advise against using it in any capacity as it’s “just one huge vulnerability.”
VK hadn’t responded to a request for comment at the time of publication. It is best known as the creator of Russia’s biggest social network VKontake. Today, the company is effectively controlled by the state; since 2021, it’s been majority owned by a number of Russian businesses, including state-run Gazprom and Rostec. Its CEO Vladimir Kiriyenko is the son of Sergei Kiriyenko, Putin’s chief of staff. Earlier this month, VK reported revenue of 72.6 billion Russian rubles ($902 million).
The requirement for Max to be pre-installed on all “gadgets,” including mobile phones and tablets, sold in Russia begins September 1, Reuters reported last week. Russia’s domestic app store, RuStore, will also be pre-installed on all Apple devices from the same date. It’s already pre-installed on Android systems.
As it tries to gain greater control over its domestic internet and over the narrative of its war on Ukraine, Russia isn’t stopping at phones. It’s also enforcing the installation of Lime HD TV, an app for watching state-controlled channels, on all smart televisions starting January 1 next year.
MORE ON FORBES
Read the full article here
