Monday, December 23, 2019

ToTok and TikTok

Mark Mazzetti, Nicole Perlroth, and Ronen Bergman:

It is billed as an easy and secure way to chat by video or text message with friends and family, even in a country that has restricted popular messaging services like WhatsApp and Skype.

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

[…]

Apple removed ToTok from its App Store on Friday and was still researching the app, a spokesman said.

Patrick Wardle (tweet):

The main goal of this blog post is to provide the technical details about how one may go about triaging an iOS application, using ToTok as a “case-study”.

[…]

Its reviews (over 32,000!) are largely positive, and mostly laud the fact that this application is not blocked in the UAE (Skype, WhatsApp, etc. are blocked, while using VPNs to access blocked services is illegal).

[…]

Based on these embedded strings it’s relatively clear that ToTok is largely composed of code from YeeCall. According to CrunchBase, YeeCall is “a software company that has developed Yeecall messenger app for video & voice calling.” It is rather unsurprising that ToTok is simply based on existing code/a product (vs. written entirely from scratch).
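The provenance step Wardle describes (pull the printable strings out of the app’s main executable and see whose code they point at) can be scripted. The following is an added example written for this page, not Wardle’s tooling or anything from the ToTok or YeeCall code: it unpacks an .ipa (a zip with a Payload/<name>.app/ directory), reads CFBundleExecutable from Info.plist, runs a `strings`-style scan over that Mach-O, and tallies hits for a list of vendor markers. The sample .ipa, its bundle identifier, the marker list and every embedded string are constructed here for the demonstration. One caveat a practitioner needs: App Store binaries ship FairPlay-encrypted, so this scan only works on a decrypted dump of the executable (hence the jailbreak complaint below), not on the .ipa as downloaded.

```python
"""Static triage of an iOS .ipa: locate the main executable, extract printable
strings and count vendor markers to judge where the code came from.
Example code written for this page; the sample bundle is constructed below."""
import io
import plistlib
import re
import zipfile
from collections import Counter


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def tally_markers(strings, markers) -> Counter:
    """Count how many extracted strings mention each marker (case-insensitive)."""
    counts = Counter()
    for s in strings:
        low = s.lower()
        for marker in markers:
            if marker.lower() in low:
                counts[marker] += 1
    return counts


def triage_ipa(ipa_bytes: bytes, markers) -> dict:
    """Open an .ipa, read its Info.plist, scan the executable it names and
    return bundle id, executable name, string count and marker tally."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist_name = next(n for n in z.namelist()
                          if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n))
        info = plistlib.loads(z.read(plist_name))
        app_dir = plist_name.rsplit("/", 1)[0]
        # Only meaningful on a decrypted Mach-O; a FairPlay-encrypted
        # executable yields almost no readable strings.
        exe = z.read(f"{app_dir}/{info['CFBundleExecutable']}")
    strings = extract_strings(exe)
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info["CFBundleExecutable"],
        "string_count": len(strings),
        "markers": tally_markers(strings, markers),
    }


def build_sample_ipa() -> bytes:
    """Constructed stand-in for a real .ipa: a tiny fake 'binary' with embedded
    strings separated by non-printable bytes.  Not the real ToTok package."""
    blob = (b"\x00\x01ToTokApp\xff\x00YeeCallSDK\x00"
            b"com.yeecall.service.videocall\x01\x02yc\x00"
            b"YeeCallLoginViewController\x00\x00NSString\x00")
    info = plistlib.dumps({"CFBundleIdentifier": "example.totok.sample",  # hypothetical
                           "CFBundleExecutable": "ToTok"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/ToTok.app/Info.plist", info)
        z.writestr("Payload/ToTok.app/ToTok", blob)
    return buf.getvalue()


# Vendor markers to look for; extend with SDK names, bundle prefixes, class prefixes.
MARKERS = ("YeeCall", "ToTok")

if __name__ == "__main__":
    print(triage_ipa(build_sample_ipa(), MARKERS))
```

On the constructed sample the tally is three strings mentioning YeeCall against one mentioning ToTok, which is the shape of evidence Wardle draws his conclusion from; on a real binary you would look at Objective-C class prefixes and bundle identifiers the same way, and confirm with `otool -L` that the linked frameworks match.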

Random Hash Value:

As a side note... A good description of why locked-down platforms make security harder. Needing a jailbreak to reverse suspect software just to bypass the device vendor is corp policy gone wrong.

ToTok is not to be confused with TikTok.

Matthias Eberl (Hacker News):

I did a detailed privacy check of the app TikTok and its corresponding website. Multiple law infringements, trust, transparency and data protection breaches were found.

M.B. Pell, Echo Wang (Hacker News):

Earlier this week the United States Navy banned the social media app TikTok from government-issued mobile devices, saying the popular short video app represented a “cybersecurity threat.”

[…]

TikTok is hugely popular with U.S. teenagers, but has come under scrutiny from U.S. regulators and lawmakers in recent months. The U.S. government has opened a national security review of the app’s owner Beijing ByteDance Technology Co’s $1 billion acquisition of U.S. social media app Musical.ly, Reuters first reported last month.


Update (2020-01-06): Bill Marczak:

This report examines the corporate structure of ToTok, a Voice over IP (VoIP) app associated with an Abu Dhabi-based company, Breej Holding Ltd. In December 2019, the New York Times reported that American officials said that the UAE Government spies on ToTok’s users, and that Breej was connected to UAE companies involved in earlier spying attempts. Google and Apple removed the app from their app stores, and ToTok has begun to aggressively fight the charges, calling them “defamat[ory],” a “shameless fabrication,” “vicious rumours,” “deranged,” and “absurd.”

Update (2020-01-07): Joseph Cox:

ToTok, a social media/messaging app that is reportedly a secret surveillance tool for the UAE, is back on the Google Play Store. Originally Google said the app violated policies; now the app makes it explicit it gathers your contact information.

5 Comments

Is something wrong with comments? I posted one earlier today and it never showed up.

Trying again:

Isn't this the whole point of the App Store, as Apple tells it? To keep this kind of malicious crap off our iOS devices? Yet... junk apps from bad actors keep getting approved over and over again.

Meanwhile, Apple is busy rejecting benign music player apps from indie developers. And apps that Hong Kong protesters are using to protect their own safety. What the hell.

@Ben Sorry, they got caught as spam.

ben g No system is perfect; they have fooled everyone for years. To expect them to have this level of security is a bit much. The US government was not even aware of this; you are expecting Apple to somehow know this? The government probably spent millions on this project of fraud and spying.

There is nothing Apple could have done to detect or prevent this, because this app did nothing unusual. It did the exact same thing every other crappy insecure messaging app does. It uploaded the user's address book to a server, and then just acted as a normal messaging app. The problematic thing happened not in the local app, but on the server, where the address book and the messages were then accessed by the UAE.

There are two things we can learn from this, though:

1. Never rely on any encryption that isn't truly end-to-end. If there is anyone between you and the recipient who can decrypt your message, then you should just assume that somebody will, and it's probably going to be somebody who doesn't have your interests in mind.
2. Locked-down systems like iOS are more secure than open systems for some kinds of threats, but they're a lot less secure for other kinds of threats, because while they make the attacker's life a bit harder, they make security research a lot harder.

And I guess the third thing to learn here is probably that we're all screwed. Our phones know way too much about us, and are just too insecure to effectively isolate that data from attackers.
