Intro

Hello everyone!

The topic of a national messenger has been hyped for more than a month now. Almost every day, there's news related to MAX. If someone were to ask me how I rate MAX's PR, I'd give it a solid D! In my opinion, almost all the news boils down to negativity: 'forcing people to use it,' 'insecure,' 'switch over to receive messages only in MAX,' 'the app is spying,' 'check critics for foreign agency status,' and so on. As a tech person, I want to see more technical news, more information about the technical solutions within the messenger, and arguments refuting the supposedly 'unreliable' information about MAX's vulnerabilities that appears online. But for now, it all comes down to refutations like 'It's all fake,' with no solid arguments provided. Although some bloggers seem to manage to get comments from the messenger's team, I don't understand why these comments aren't made widely and publicly available.

I, at my own risk, decided to install MAX and see what happens after installation. My research will result in at least 2 articles.

This is the first article. In it, I will compare the permissions requested by the MAX app for Android with the permissions requested by Telegram and WhatsApp*.

Introduction

  1. I have absolutely no affiliation with the companies creating and developing the MAX messenger;

  2. This article is not an advertisement. I am not calling for, encouraging, or otherwise urging you to do anything. This article is the result of my personal curiosity and an attempt to answer questions I couldn't find answers to in other sources;

  3. Before this experiment, I had never installed or used MAX;

  4. I am conducting the entire experiment on my personal primary Android smartphone, which I have been using constantly for the last 2 years—a Samsung S22 Ultra with Android 15 and One UI 7.0. I installed MAX from RuStore on August 19, 2025. The MAX version at that time was 25.8.1, dated August 13, 2025;

  5. I am not an Android expert, I don't know its architecture very well, and I don't have a deep understanding of the principles of its security stack, network stack, etc.

The Counting Tool

To understand which permissions the applications use, I will use Exodus Privacy.

εxodus is a privacy audit platform for Android applications that analyzes Android apps, looks for built-in trackers, and also shows the permissions requested by the app.

Sample report for the WhatsApp* app

But here, the first difficulty arose. While Telegram and WhatsApp* are easily analyzed, MAX refuses to be. Its analysis is not on this platform, and when you explicitly provide its Google Play link for a 'forced' analysis, an error appears. It's as if MAX has some kind of protection against such research.

Here I have a question for the MAX developers: Why? If this wasn't done intentionally, please fix it. Trust in the application will increase. But if it was intentional, then there's a bug, and I'll discuss it below.

I didn't want to give up, so I found a solution—the mobile app Exodus. Its concept is simple: it scans all the installed applications on your phone and pulls information about them from its centralized database. But, as it turned out, the lack of information about MAX doesn't prevent the app from identifying all the permissions it requests.

This is what the application report looks like in εxodus:

A visual comparison of the number of permissions requested by the applications.

I want to say a separate word about trackers. Exodus shows that in the latest versions, neither WhatsApp* nor Telegram has any known trackers. For MAX, the app indicates that there is no information in its database yet. Therefore, in this article, I will only consider permissions.

Next up is a rather large analysis where we will break down absolutely all the permissions. So, if you're too lazy to read or don't have time, feel free to jump straight to the conclusions and summary.
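
The grouping used in the sections that follow (common to all three apps, shared by two, unique to one) can also be computed from what each APK requests, without relying on an Exodus report existing for the app. This is an added example, not the author's tooling: it assumes the text output of `aapt dump permissions` for each APK, and the package names and sample dumps are constructed. It compares fully qualified names, so vendor-specific entries such as the HTC and HUAWEI READ_SETTINGS, or two INSTALL_SHORTCUT entries from different namespaces, stay distinct.

```python
import re
from itertools import combinations

# Matches both aapt output styles (assumed input: `aapt dump permissions app.apk`):
#   uses-permission: name='android.permission.CAMERA'
#   uses-permission: android.permission.CAMERA
_USES = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return the fully qualified permission names an app requests."""
    found = set()
    for line in dump.splitlines():
        m = _USES.match(line.strip())
        if m:  # 'permission:' lines (declared, not requested) are skipped
            found.add(m.group(1))
    return found

def regions(apps):
    """Map each combination of apps to permissions held by exactly that combination."""
    out, names = {}, sorted(apps)
    for r in range(len(names), 0, -1):
        for combo in combinations(names, r):
            inside = set.intersection(*(apps[n] for n in combo))
            others = set().union(*(apps[n] for n in names if n not in combo))
            out[frozenset(combo)] = inside - others
    return out

# Constructed sample dumps for hypothetical packages, not real app manifests.
DUMPS = {
    "alpha": """package: com.example.alpha
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INSTALL_SHORTCUT'
uses-permission: name='com.android.launcher.permission.INSTALL_SHORTCUT'
permission: com.example.alpha.permission.INTERNAL
""",
    "beta": """package: com.example.beta
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission-sdk-23: name='android.permission.BLUETOOTH_ADMIN'
uses-permission: name='com.huawei.android.launcher.permission.READ_SETTINGS'
""",
    "gamma": """package: com.example.gamma
uses-permission: android.permission.INTERNET
uses-permission: name='com.android.launcher.permission.INSTALL_SHORTCUT'
uses-permission: name='com.htc.launcher.permission.READ_SETTINGS'
""",
}

if __name__ == "__main__":
    apps = {name: parse_permissions(text) for name, text in DUMPS.items()}
    for combo, perms in regions(apps).items():
        print(sorted(combo), len(perms), sorted(perms))
```

The regions are disjoint, so their sizes add up to the total number of distinct permissions across the apps, which is a quick consistency check on any per-app totals derived from them.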

1. Permissions Common to All

Let's look at the permissions that all the messengers under review have. There are 42 of them.

| Permission | Description |
|---|---|
| ACCESS_COARSE_LOCATION | Access to approximate (network-based) location (e.g., via cell towers and Wi-Fi). |
| ACCESS_FINE_LOCATION | Access to precise (GPS) location. |
| ACCESS_NETWORK_STATE | View network connection status (whether there is internet). |
| ACCESS_WIFI_STATE | View information about Wi-Fi connection. |
| AUTHENTICATE_ACCOUNTS | Ability to work with accounts on the device (e.g., create a messenger account in settings). |
| BLUETOOTH_CONNECT | Connect to paired Bluetooth devices (e.g., for calls via a headset). |
| BROADCAST_BADGE | Send notifications to update the badge on the icon. |
| CAMERA | Access to the camera for photos and videos. |
| CHANGE_BADGE | Change the badge on the application icon. |
| DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION | Technical permission for the secure operation of the application's internal components. |
| FOREGROUND_SERVICE | Run a foreground service (shows a persistent notification). |
| FOREGROUND_SERVICE_CAMERA | Service for using the camera. |
| FOREGROUND_SERVICE_DATA_SYNC | Service for data synchronization. |
| FOREGROUND_SERVICE_MEDIA_PROJECTION | Service for screen recording or casting. |
| FOREGROUND_SERVICE_MICROPHONE | Service for using the microphone. |
| GET_ACCOUNTS | Access the list of accounts on the device (e.g., to find friends). |
| INTERNET | Open network sockets (basic internet access). |
| MANAGE_ACCOUNTS | Manage accounts on the device (add, remove). |
| MODIFY_AUDIO_SETTINGS | Modify volume and other system audio settings. |
| POST_NOTIFICATIONS | Display notifications to the user. |
| PROVIDER_INSERT_BADGE | Manage badges for widgets and icons at the system level. |
| READ | General permission to read data. Often used for working with contacts and profile. |
| READ_CONTACTS | Read the device's contact list to find friends in the messenger. |
| READ_MEDIA_IMAGES | Read images from the phone to send in chats. |
| READ_MEDIA_VIDEO | Read videos from the phone to send in chats. |
| READ_MEDIA_VISUAL_USER_SELECTED | Access only specific media files selected by the user (enhanced privacy). |
| READ_PHONE_NUMBERS | Read phone numbers associated with the device (for verification and finding contacts). |
| READ_SETTINGS (HTC) | Read system settings on devices from the respective manufacturer. |
| READ_SETTINGS (HUAWEI) | Read system settings on devices from the respective manufacturer. |
| RECEIVE | Receive data from the internet (part of the messenger's operation). |
| RECEIVE_BOOT_COMPLETED | Start application services after the device boots to receive messages. |
| RECORD_AUDIO | Record audio from the microphone for voice messages and calls. |
| REQUEST_INSTALL_PACKAGES | Request to install packages (e.g., for updating the app outside of the store). |
| UPDATE_SHORTCUT | Update shortcuts on the home screen. |
| USE_BIOMETRIC | Use biometric authentication (fingerprint scanner, Face ID). |
| USE_FINGERPRINT | Use fingerprint scanner (deprecated, replaced by USE_BIOMETRIC). |
| USE_FULL_SCREEN_INTENT | Display full-screen notifications (e.g., for an incoming call). |
| VIBRATE | Access to device vibration. |
| WAKE_LOCK | Prevent the device from going to sleep (e.g., during a call or file download). |
| WRITE | General permission to write data. |
| WRITE_CONTACTS | Write contacts (e.g., adding a found friend to the address book). |
| WRITE_SETTINGS (HUAWEI) | Modify system settings on devices from the respective manufacturer. |

I had no doubts or second thoughts here. IMHO, this is the core set of permissions necessary for the basic functioning of any modern messenger. The only thing that caught my eye is that all 3 messengers are tuned for the HUAWEI shell.

2. In Telegram and WhatsApp*, but not in MAX

This intersection is interesting because it's highly likely that some of these permissions may appear in future versions of MAX. There are 19 such permissions. I've commented on each one as I see it, and you know, in my opinion, it's a very good thing that many of them are not currently in MAX.

| Permission | Description | Why not in MAX? (My assumption) |
|---|---|---|
| ACCESS_MEDIA_LOCATION | Access to location metadata in media files (geotags). | Not a critical feature. |
| BILLING | Access to the API for making paid in-app purchases (e.g., buying stickers). | MAX doesn't have in-app purchase functionality yet, but it will likely appear soon. |
| BLUETOOTH | Scan for and connect to Bluetooth devices. | MAX uses the broader BLUETOOTH_ADMIN permission. |
| CALL_PHONE | Directly call a phone number without manual confirmation. | MAX is not yet a messenger with the ability to call phone numbers. |
| FOREGROUND_SERVICE_LOCATION | Service for location tracking. | MAX does not yet allow tracking location coordinates in a mode with a persistent notification. |
| INSTALL_SHORTCUT (android.permission) | Create application shortcuts on the home screen. | MAX does not allow this yet. |
| INSTALL_SHORTCUT | Create application shortcuts on the home screen. | MAX does not allow this yet. |
| MANAGE_OWN_CALLS | Manage its own calls (for working with the Android call API). | Perhaps calls in MAX are implemented using other methods. I don't know if that's good or bad. |
| MAPS_RECEIVE | Receive data from map services. | MAX does not allow this yet. |
| READ_CALL_LOG | Read the device's call history. | MAX is not yet a messenger with the ability to call phone numbers. |
| READ_EXTERNAL_STORAGE | (Deprecated) Read files from external storage. Replaced by READ_MEDIA_*. | Uses modern permissions READ_MEDIA_IMAGES and READ_MEDIA_VIDEO. |
| READ_GSERVICES | Access Google Play Services settings. | A specific permission, possibly not required for MAX's functionality. |
| READ_MEDIA_AUDIO | Read audio files from the phone. | Access to audio files may not be required for basic functions. |
| READ_PHONE_STATE | Access phone state (knows when a call is coming in to mute the sound). | May not be implemented or may be replaced by other methods. |
| READ_PROFILE | Read the user's personal profile data. | Not required for operation (IMHO, this is very good). |
| READ_SYNC_SETTINGS | Read synchronization settings. | No active data synchronization with the cloud, or it's replaced by other methods. |
| UNINSTALL_SHORTCUT | Delete shortcuts from the home screen. | Not a critical feature. |
| WRITE_EXTERNAL_STORAGE | (Deprecated) Write files to external storage. Replaced by other methods. | Perhaps MAX uses modern APIs for saving files. |
| WRITE_SYNC_SETTINGS | Modify synchronization settings. | No active data synchronization with the cloud, or it's replaced by other methods. |

3. In WhatsApp* and MAX, but not in Telegram

This is a very frightening intersection. Let's take a look:

| Permission | Description | Assumption why it's not in Telegram |
|---|---|---|
| AD_ID | Access to the advertising ID. | Telegram uses its own advertising network. |
| BIND_GET_INSTALL_REFERRER_SERVICE | Use a service to track application installation sources (advertising campaigns). | Perhaps Telegram either doesn't need this or has implemented it differently. |
| CHANGE_NETWORK_STATE | Enable and disable mobile data, Wi-Fi. | Not required for Telegram's basic functionality. For MAX, it's probably to get a signal in the parking lot. ) |
| CHANGE_WIFI_STATE | Connect to and disconnect from Wi-Fi networks. | Not required for Telegram's basic functionality. For MAX, it's probably to get a signal in the parking lot. ) |
| USE_CREDENTIALS | Use credentials from the system's keystore. | I don't understand the use case for this permission. It's probably for integration with external services, and Telegram doesn't have such functionality right now. |

4. In Telegram and MAX, but not in WhatsApp*

| Permission | Description | Assumption why it's not in WhatsApp* |
|---|---|---|
| BADGE_COUNT_READ | Read the number for the badge on the application icon (number of unread messages). | WhatsApp* may not need to read the current badge value from the system, as it manages it exclusively through its internal mechanisms and server-side push notifications. |
| BADGE_COUNT_WRITE | Set the number for the badge on the application icon. | Similarly, WhatsApp* may use other, more standardized or manufacturer-specific APIs to update the badge, which do not require this permission. |
| FOREGROUND_SERVICE_MEDIA_PLAYBACK | Foreground service for media playback (music, video). | WhatsApp* likely uses standard media playback mechanisms or other types of services that do not require this specific permission. |
| READ_APP_BADGE | Read the current value of the badge on the application icon. | WhatsApp* may rely on its own notification and badge systems that do not require reading this value from the system. |
| READ_SETTINGS (OPPO) | Read system settings on OPPO devices. | Integration with specific manufacturers (like OPPO) may not be implemented in WhatsApp*, or it is achieved through other methods that do not require this permission. |
| SYSTEM_ALERT_WINDOW | Draw windows on top of other applications (e.g., for chat 'bubbles'). | WhatsApp* deliberately avoids this permission due to its aggressive nature and potential risks to security and user experience. |
| UPDATE_BADGE | Update the badge on the application icon. | WhatsApp* uses standard notification APIs to manage badges, which do not require this permission. |
| UPDATE_COUNT | Update a counter (likely an internal function for managing notifications). | A notification implementation in Telegram and MAX that WhatsApp* does not use. |
| WRITE_SETTINGS (OPPO) | Modify system settings on OPPO devices. | As with READ_SETTINGS (OPPO), WhatsApp* does not have deep integration with OPPO that requires changing system settings. |

5. Unique Permissions for Each Messenger

Unique Telegram Permissions (2)

| Permission | Description |
|---|---|
| ACCESS_BACKGROUND_LOCATION | Access location in the background (when the app is closed). |
| READ_CLIPBOARD | Read data from the clipboard. |

Unique WhatsApp* Permissions (19)

| Permission | Description |
|---|---|
| ANSWER_PHONE_CALLS | Directly answer incoming calls (without needing to open the app). |
| BLUETOOTH_ADVERTISE | Advertise itself via Bluetooth (for working with Nearby Devices). |
| BLUETOOTH_SCAN | Scan for Bluetooth devices. |
| BROADCAST | Send system broadcast messages. |
| BROADCAST_STICKY | Send 'sticky' broadcast messages (which are retained after a reboot). |
| DETECT_SCREEN_CAPTURE | Detect when the user takes a screenshot or starts screen recording. |
| FEO2 | Non-standard permission. Possibly internal to WhatsApp*. |
| FOREGROUND_SERVICE_PHONE_CALL | Service for handling phone calls. |
| READ (WhatsApp* stickers from third-party apps) | Non-standard permission. I think its purpose is clear from the name. |
| NEARBY_WIFI_DEVICES | Scan for nearby devices via Wi-Fi (for file sharing features, etc.). |
| NFC | Exchange data via Near Field Communication (NFC). |
| GET_TASKS | (Deprecated) View running applications. |
| READ_BASIC_PHONE_STATE | Access basic phone state (a more limited version of READ_PHONE_STATE). |
| READ_SYNC_STATS | Read synchronization statistics. |
| RECEIVE_SMS | Receive SMS messages (likely for automatic number verification). |
| REGISTRATION | Non-standard permission. Possibly internal to the account registration process. |
| RUN_USER_INITIATED_JOBS | Start user-initiated tasks even with background work restrictions. |
| SCHEDULE_EXACT_ALARM | Set an exact time for an alarm or reminder to trigger. |
| SEND_SMS | Send SMS messages (likely for verification or inviting friends). |

Unique MAX Permissions (3)

| Permission | Description |
|---|---|
| BLUETOOTH_ADMIN | Scan for and pair Bluetooth devices (broader capabilities than BLUETOOTH). |
| DISABLE_KEYGUARD | Disable the lock screen (e.g., to play video when the screen is locked). |
| DOWNLOAD_WITHOUT_NOTIFICATION | Download files without showing a notification in the status bar. |

So that's the picture we have. Let's try to summarize and draw some conclusions.

Summary and Conclusions

  1. The claim allegedly made by the MAX developers—that their app requests fewer permissions than their competitors—is confirmed. Well, it's true. At the current stage of MAX's development, it really does have fewer: 59 versus 72 for Telegram and 85 for WhatsApp*;

  2. What 'scares' me the most, of course, is WhatsApp*. The permissions confirm that it is, with high probability, a 'tool in the service of American intelligence.' The purpose of permissions like ANSWER_PHONE_CALLS, BLUETOOTH_ADVERTISE, DETECT_SCREEN_CAPTURE, NFC and some others is clear to me, but it would be better if they weren't in the messenger;

  3. It's obvious that MAX will evolve, and many permissions related to calls, mapping, etc. (or any, really) may appear in future versions;

  4. Regarding MAX, I have questions about its unique permissions, especially DOWNLOAD_WITHOUT_NOTIFICATION and BLUETOOTH_ADMIN: what are they for? I would also like to see fewer permissions in the intersection of MAX and WhatsApp* that are not in Telegram. Perhaps the development team will see my article and provide comments.

What conclusions would you draw based on this data? Write them in the comments. I would be grateful for any feedback.

The second article will be out next week. In the second article, I want to show what requests are sent by the MAX application and where they go. For 7 days (maybe a little more), I will be observing and recording outgoing requests to show them to you and conduct an analysis.

And subscribe to my Telegram.

*belongs to Meta, which is recognized as an extremist organization in the Russian Federation.