Every other wannabe blogger on the internet now knows how to open an app's permission list. Oh look, it's asking for access to contacts! Oh, it wants geolocation! Oh, the number of permissions grew since version one — it's surveillance!

Good job. You learned to tap "About App." Unfortunately, the thinking stops there.

Everyone's discussing Max Messenger. How awful, the government is forcing you to install an app, it will spy, collect data, control. Petitions, Telegram posts, righteous outrage.

Meanwhile, RuStore sits quietly on every new phone in Russia. Already installed. Already running. Already collecting.

You can choose not to install Max. RuStore — you can't.

What This Article Is About

I'm not going to repeat what hundreds of bloggers have already written: oh, the app requests lots of permissions, the number grew since version one, it's a scandal.

That's not news. All apps collect data. Google collects. Apple collects. Yandex collects. The question isn't how much they collect — the question is who collects and why.

Google collects data to sell you ads. That's their business model. It's economically disadvantageous for them to use your data against you personally — they make money on aggregated profiles for advertisers.

The state is a different story. The state can use data in a targeted way. Against a specific person. For a criminal case, tax audit, draft notice.

This is called a threat model — who you're protecting yourself from. And this is where RuStore gets interesting.

What I Found Inside

I decompiled the APK and looked inside. Spoiler: there's a lot.

17 different SDKs for analytics and tracking. Almost five thousand files just for data collection. Here are the main ones:

AppMetrica (Yandex) — 1,817 files. Core analytics: events, payments, errors, user profile.

VK Stat — 1,253 files. VK's internal statistics.

Cybertonica — 83 files. Device fingerprinting, anti-fraud, root access detection.

MyTracker (VK/Mail.ru) — 149 files. Attribution, campaigns, installs.

OK Tracer (Odnoklassniki) — 199 files. Crash reports, performance.

Plus TNS Counter, RuStore Metrics, Kaspersky Stats, Google Firebase, Huawei HMS Ads.

Where It All Goes

https://startup.mobile.yandex.net/
https://session.cybertonica.ru
https://reef.vk-cdn.net/
https://tracker-api.my.com/
https://sdk-api.apptracer.ru
https://stats.rustore.ru
https://clientapi.mail.ru/tracer

Yandex, VK, Mail.ru, RuStore's own servers. The entire Russian tech ecosystem in one app.
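
An endpoint list like the one above can be rechecked on any decompiled tree by scanning for hard-coded URLs and grouping them by host. This is an added example, not the author's tooling and not RuStore code: the host set is copied from the article, while the `sources/` and `resources/` layout, the file names and the file contents are constructed for illustration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from urllib.parse import urlsplit

# Endpoint hosts exactly as listed in the article above.
ARTICLE_HOSTS = {
    "startup.mobile.yandex.net", "session.cybertonica.ru", "reef.vk-cdn.net",
    "tracker-api.my.com", "sdk-api.apptracer.ru", "stats.rustore.ru",
    "clientapi.mail.ru",
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>\\]*)?")
TEXT_SUFFIXES = {".java", ".kt", ".smali", ".xml", ".json", ".properties"}

def scan_tree(root):
    """Map each hard-coded URL host to the set of files that mention it."""
    hits = defaultdict(set)
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in TEXT_SUFFIXES:
            for match in URL_RE.findall(path.read_bytes()):
                host = urlsplit(match.decode("ascii", "replace")).hostname
                hits[host].add(path.relative_to(root).as_posix())
    return hits

def report(hits):
    """Split hosts into those the article lists and everything else."""
    listed = {h: sorted(f) for h, f in hits.items() if h in ARTICLE_HOSTS}
    other = {h: sorted(f) for h, f in hits.items() if h not in ARTICLE_HOSTS}
    return listed, other

def build_sample_tree(root):
    """Constructed stand-in for decompiler output; not real RuStore code."""
    files = {
        "sources/a/Startup.java": 'String u = "https://startup.mobile.yandex.net/";',
        "sources/b/Tracer.java": 'String api = "https://sdk-api.apptracer.ru";',
        "sources/b/Upload.java": 'post("https://clientapi.mail.ru/tracer", body);',
        "resources/res/values/strings.xml": "<string>https://example.invalid/help</string>",
        "resources/assets/blob.bin": "https://stats.rustore.ru",  # skipped: suffix not scanned
    }
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for part in report(scan_tree(tmp)):
            print(part)
```

A static scan only sees strings present in the decompiled files; endpoints assembled at runtime or delivered through remote configuration will not appear, so an empty result for a host is not proof that it is never contacted.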

What Exactly Gets Collected

  • All user actions within the app
  • Device information
  • List of installed applications
  • Geolocation
  • Payments and purchases
  • Phone number

Cybertonica separately checks for root access and developer mode. Why would an app store need to know if you have root?

So This Is Bad?

Not necessarily. The fact that data is collected doesn't mean it's used maliciously. Google collects ten times more and nothing terrible happens.

The problem is different.

Google is a commercial company. They're interested in money. Your data is an advertising profile to them, nothing more. They don't care about some random Ivan Petrov from Saratov.

The state is not a commercial company. The state has different interests. And it has the capability to use data against a specific person.

Google:

  • Why: money (advertising)
  • Worst case: shows you ads for sneakers you googled

The State:

  • Why: control
  • What it can theoretically do: criminal case, draft notice, tax audit. Precedents for using app data in cases already exist. Remember the cases with geolocation from fitness trackers.

"But Google is under the Americans!" you'll say. Theoretically, yes. The FBI can request data, the NSA may have access, Snowden didn't flee for nothing.

But there's a nuance. You live in Russia. The American government isn't interested in you. You're not a terrorist, not a spy, not an arms dealer. To them, you're a statistical error in an advertising profile.

But the Russian state might very well be interested in you. You live here, pay taxes here, are subject to conscription here, can be summoned for questioning here.

The threat from Google is theoretical and distant. The threat from RuStore is practical and close.

What the State Can Learn Through RuStore

Technically, RuStore collects enough data to:

Find out what apps you have installed:

  • Do you have a VPN? Which one?
  • Do you have Tor Browser?
  • Do you have encrypted messengers?
  • Do you have foreign media apps?

Link the device to a person:

  • Device ID + phone number + geolocation = you

Track your movements:

  • Where you live, where you work, where you travel

Build a behavioral profile:

  • When you're active
  • What you buy
  • What apps you use

But Isn't This the Same Everywhere?

Yes, the same data exists with mobile carriers, phone manufacturers, Google. RuStore isn't the only source.

But RuStore is a Russian source. It falls under Russian jurisdiction, so data can be requested under Federal Law 152 without international procedures. The access threshold for authorities is significantly lower than for Google.

And it's already on your phone.

Why I Don't Understand the Max Hype

Here's what surprises me.

Max Messenger is an app you can choose not to install. Yes, there's pressure, yes, there's fear-mongering, but physically no one is forcing you. You can use TOTP, you can ignore it.

RuStore is an app that's already there. On every phone sold in Russia. By default. Without your consent. And on most devices, you can't delete it — only disable it.

17 analytics SDKs. 5,000 tracking files. List of your apps, geolocation.

And yet the entire internet is discussing Max.

I don't get it.

P.S. And no, this is not an ad for Max. They're both garbage. It's just that one piece of garbage you can choose not to bring home, while the other is already under your bed.