{"id":27661,"date":"2019-12-23T16:22:28","date_gmt":"2019-12-23T21:22:28","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=27661"},"modified":"2020-01-07T16:41:27","modified_gmt":"2020-01-07T21:41:27","slug":"totok-and-tiktok","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/12\/23\/totok-and-tiktok\/","title":{"rendered":"ToTok and TikTok"},"content":{"rendered":"

Mark Mazzetti, Nicole Perlroth, and Ronen Bergman<\/a>:<\/p>\n

It is billed<\/a> as an easy and secure way to chat by video or text message with friends and family, even in a country that has restricted popular messaging services like WhatsApp and Skype.<\/p>

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.<\/p>

[…]<\/p>\n

Apple removed ToTok from its App Store on Friday and was still researching the app, a spokesman said.<\/p><\/blockquote>\n\n

Patrick Wardle<\/a> (tweet<\/a>):<\/p>\n

The main goal of this blog post is to provide the technical details, about how one may go about triaging an iOS application, using ToTok as a “case-study”<\/p>\n

[…]<\/p>\n

It’s reviews (over 32,000!) are largely positive, and mostly laud the fact that this application is not blocked in the UEA (Skype, WhatsApp, etc. are blocked, while using VPNs to access blocked services is illegal).<\/p>\n

[…]<\/p>\n

Based on these embedded strings it’s relatively clear that ToTok<\/code> is largely composed of code from YeeCall<\/a>. According to CrunchBase<\/a> YeeCall is “a software company that has developed Yeecall messenger app for video & voice calling.” It is rather unsurprising that ToTok<\/code>s is simply based on existing code\/an product (vs. written entirely from scratch).<\/p><\/blockquote>\n\n

Random Hash Value<\/a>:<\/p>\n

\n

As a side note.... A good description why locked down platforms make security harder. Needing a jailbreak to reverse a suspect software just to bypass the device vendor is Corp policy gone wrong.<\/p>\n<\/blockquote>\n\n

ToTok is not to be confused with with TikTok.<\/p>\n\n

Matthias Eberl<\/a> (Hacker News<\/a>):<\/p>\n

I did a detailed privacy check of the app TikTok and its corresponding website. Multiple law infringements, trust, transparency and data protection breaches were found.<\/p><\/blockquote>\n\n

M.B. Pell, Echo Wang<\/a> (Hacker News<\/a>):<\/p>\n

\n

Earlier this week the United States Navy banned the social media app TikTok from government-issued mobile devices, saying the popular short video app represented a “cybersecurity threat.”<\/p>\n

[…]<\/p>\n

TikTok is hugely popular with U.S. teenagers, but has come under scrutiny from U.S. regulators and lawmakers in recent months. The U.S. government has opened a national security review of the app’s owner Beijing ByteDance Technology Co’s $1 billion acquisition of U.S. social media app Musical.ly, Reuters first reported last month.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n