A month ago, Cloudflare labeled MAX as spyware. The label stayed up for a day (then it was removed), but the impression lingered. Now the pendulum has swung the other way: Israeli company Clear Gate conducted an audit of the MAX messenger and gave its security a high rating. Two opposite conclusions in one month — let’s break down what’s happening and who to believe.

Israel confirmed the safety of MAX

MAX Security Check on Android

The MAX team brought in Israeli company Clear Gate for an independent security audit. The audit was conducted against the backdrop of the service expanding to international markets, which is an interesting context in itself: the MAX application is being promoted beyond Russia, and external security confirmations are needed for this.

Clear Gate conducted a series of Black Box and Gray Box tests. These are methods where specialists simulate the actions of real attackers with varying levels of knowledge about the system architecture. Advanced-level threats were modeled: attacks from individuals with access to business accounts and elevated privileges.

The check only covered analysis of resistance to hacker attacks

The result: the architecture of the MAX application on Android and other platforms, the role-based access model, and built-in security systems received a high rating. Clear Gate also provided recommendations for improvement — meaning the result wasn’t perfect. Essentially, it’s an A-minus.

Who Is Clear Gate and How Much Can They Be Trusted

Before accepting the conclusion as a final verdict, it’s worth understanding who issued it. Clear Gate is an Israeli cybersecurity company based in Petah Tikva, founded in 2016. It specializes in penetration testing and security assessment of systems. This is not Kaspersky, not NSO Group, and not some industry giant with decades of reputation. The company has existed for nine years and operates in the B2B segment. Finding high-profile public cases involving them is not easy. This doesn’t mean it’s a bad company — it’s just not the level of authority that by itself closes all questions.

The audit was commissioned by MAX itself, which is important to consider.

Furthermore, it’s important to understand the context: the audit was commissioned by MAX itself. This is a common practice: companies pay for independent reviews to obtain certification or confirmation for partners. There’s formally no conflict of interest, but there’s no absolute independence here either. Security from hacking and security for user privacy are different things — and that’s important to note.

Is the MAX Messenger Safe

The MAX check covered mobile, web, and other platforms. Clear Gate specialists analyzed:

  • the messenger’s architecture (how the system is built internally);
  • the role-based access model (who can access what within the system);
  • built-in protection mechanisms against external attacks.

All of this received a high rating. In other words: MAX on Android is well protected against external attackers — hackers who try to breach the server or intercept data in transit. This is one level of verification, which the Clear Gate audit did not cover.

What Makes the MAX Messenger Dangerous

MAX’s protection from external hackers and the application’s own behavior toward users are fundamentally different things. Clear Gate checked the first. The second remains an open question. What has been documented by independent researchers and was not the subject of the Clear Gate audit is that the privacy policy explicitly provides for the transfer of data to third parties, including government agencies.

The developers openly state they are willing to share data with third parties

Additionally, MAX blocks VPN when you try to send someone a message. This means it effectively monitors the use of third-party applications.

Is It Worth Using the MAX Messenger

Cloudflare flagged the domain due to specific network traffic patterns. Clear Gate assessed the architectural protection against external attacks. They checked different things and both are right in their own way. The danger of MAX is not that hackers can breach it (Clear Gate confirmed this is unlikely). The danger is that the application itself collects data about network activity and sends it to servers.

A MAX virus check and a security audit against external attacks are not the same as a privacy analysis. The Israeli audit adds one important fact: from an architectural security standpoint, MAX is built properly. This is good news for those who feared their account being hacked. But if you’re concerned that the application knows about your VPN and transmits that data to the appropriate parties — the Israeli audit does not answer that question.