Application Security & Online Fraud , Endpoint Security , General Data Protection Regulation (GDPR)

Apple and Google Stop Distributing ToTok Messaging App

UAE Government Allegedly Built App to Spy on Citizens; Rival Offerings Banned
Apple and Google Stop Distributing ToTok Messaging App
ToTok as it appeared on the Apple App Store before being removed

Apple and Google have stopped distributing a messaging app called ToTok over allegations that it's a government-built surveillance tool.

See Also: Cybersecurity for the SMB: Steps to Improve Defenses on a Smaller Scale

Not to be confused with China's TikTok, ToTok is a voice and video chat app developed by Breej Holding in United Arab Emirates and marketed to English- and Arabic-speaking audiences. App-tracking site App Annie last week listed ToTok as being one of the most-downloaded apps in the United States.

But on Sunday, based in part on information provided by U.S. intelligence agencies, The New York Times reported that Breej "is most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyber intelligence and hacking firm where Emirati intelligence officials, former National Security Agency employees and former Israeli military intelligence operatives work."

In addition, it said that intelligence reports and technical analyses had tied ToTok to Pax AI, a data mining firm that also appears to have ties to DarkMatter. Both DarkMatter and Pax AI, as well as the Emirati signals intelligence agency, have office space in the Aldar Building in Abu Dhabi, the Times reports.

The UAE government didn't immediately respond to a request for comment on the allegations.

Rival Offerings Blocked by UAE Government

But the "genius" of the alleged "mass surveillance operation," as security researcher Patrick Wardle has put it, is that for anyone inside UAE, ToTok is the only messaging game in town. That's because the government has banned rival offerings from the likes of WhatsApp and Skype, and outlawed the use of VPN services to bypass those restrictions.

Allegedly, the UAE government also commissioned numerous reviews for the app on both Apple and Google's app stores, to stoke interest. And by last week, the app was listed as being one of the top "trending" messaging apps in Dubai.

"Finally a VoIP application which works in UAE. Hopefully it starts this way. The voice and video clarity is simply amazing!! Thanks a lot ToTol and TRA of UAE," reads a review by "Mustafa Abdul Ahad" posted to Google Play on Dec. 17.

ToTok is widely referenced as being a "legal" option for UAE users (Source: Patrick Wardle)

After receiving inquiries from Times reporters, Google withdrew ToTok from its app store on Thursday, and Apple removed it on Friday.

“We take reports of security and privacy violations seriously," a Google spokeswoman tells Information Security Media Group. "If we find behavior that violates our policies, we take action.”

Before removing the app for download, Google Play Store listed it as having been downloaded 5 million times. Google declined to comment further on precisely why it removed the app.

Apple didn't immediately respond to a request for comment, including whether it might employ its "kill switch" ability to nuke the app from every iOS device on which it's running.

Users who have already downloaded the app, however, can continue to use it on iOS and Android devices. But what danger might the app pose to users, even if they're outside the UAE? Both the CIA and Britain's National Cyber Security Center - part of intelligence agency GCHQ - declined to comment.

ToTok Blames 'Technical Issue'

On Monday, ToTok confirmed in a blog post that said that "ToTok is temporarily unavailable" for downloading via Google Play Store and Apple App Store "due to a technical issue."

The blog post noted that current users can continue to use the app. "For our new users with Samsung, Huawei, Xiaomi and Oppo phones, ToTok is available in the phone maker's app store," it said. "All other Android users can install the ToTok app from our official website as a temporary solution."

Settings for the iOS version of ToTok (source: Patrick Wardle)

ToTok's privacy policy says the app collects users' mobile number, name, gender and date of birth; as well as contact details, including postal address and email address, together with a variety of technical and usage data, including a user's "internet protocol address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website." In addition, the app can access all contacts stored on the device. ToTok says all messages also get archived on its servers.

In its privacy policy, ToTok promises to comply with the regulations in effect in a user's home country, including - for Europeans - the EU's General Data Protection Regulation.

The privacy policy also states that for messages, "all data is stored heavily encrypted so that local ToTok engineers or physical intruders cannot get access.” But the policy makes no mention of the service offering end-to-end encryption, as messaging apps such as Facebook's Messenger and WhatsApp now do by default, to defend against unauthorized interception.

Whether ToTok complies with its own privacy policy could not be immediately confirmed.

Technical Teardown

But the app may behave as advertised, according to Wardle, the aforementioned security researcher, who formerly worked as an NSA hacker. He's published a technical analysis of ToTok, saying that he'd been approached by Times reporters to help them investigate the app.

Wardle, who's now a security researcher at software firm Jamf, notes that the iOS version of the app requires approval from users to be able to access the microphone, camera and various pieces of user information - including photos and location - but that "such access is required for 'legitimate' functionality of the app, and thus, most users will allow."

Permissions demanded for iOS version of ToTok (source: Patrick Wardle)

Wardle says that based on strings embedded in the ToTok code, the app appears to be a modified version of a Chinese video and voice calling app called YeeCall. "It is rather unsurprising that ToTok is simply based on existing code [or] a product," he says, as opposed to being "written entirely from scratch."

The technical teardown published by Wardle shows that the app performs how a messaging app would be expected to perform, including the app having the ability to access a user's complete contacts, text and video chats and location.

But he says that's the "genius" of the UAE government having allegedly enticed its citizens to use a free messaging app, in a self-surveillance turn.

"Our analysis showed that ToTok simply does what it claims to do and really nothing more," he says. "Assuming the claims that ToTok is actual designed to spy on its users, this 'legitimate' functionality … is really the genius of the whole mass surveillance operation: no exploits, no backdoors, no malware. Again, just 'legitimate' functionality that likely afforded in-depth insight into a large percentage of the country’s population."

The allegations in the Times report follow Reuters reporting in January that former NSA employees had gone to work for DarkMatter as part of an effort initially codenamed "Project Raven." But some of the ex-NSA employees later sounded an alarm to the FBI over the UAE government's DarkMatter activities. The Times reports that the FBI is now investigating some American employees of DarkMatter for potentially violating cybercrime laws.

A spokeswoman for the FBI declined to comment on the report.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.