The ToTok App Scam: What Happened and How To Avoid It Happening to You
Those of you with your finger on the cybersecurity pulse and an eye on our weekly cybersecurity bulletins will be only too aware of the scandal surrounding the United Arab Emirates chat app, ToTok.
In a damning and, quite frankly, rather inflammatory article published at the end of 2019, The New York Times said that, rather than being an innocent chat and messaging service, ToTok was a spy tool “used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones”.
Like many social media apps, ToTok asks users to grant it access to their microphone, calendar, location, camera, and Wi-Fi. What happens to this information once it's gathered, however, is the fuel behind the New York Times' investigatory fire.
Before ToTok: The Demise of WhatsApp
Restrictive privacy laws and a heavy-handed approach to censorship mean that UAE residents can't always get access to apps that those in Europe and the US enjoy on a daily, if not hourly, basis. Popular chat apps including Skype, WhatsApp, and FaceTime have all been banned in parts of the UAE, with authorities citing licensing issues as the reason for blocking these services.
Licensing is only the most probable of several reasons, however, with freedom of expression and, inevitably, money, being two other driving factors. According to one report, there's evidence "to suggest that many Middle Eastern governments have a vested financial interest in ensuring that free voice and video-calling service remain blocked".
National security concerns are another reason governments cite for blocking social media apps, claiming that popular messaging apps making use of end-to-end encryption could jeopardize national security. You only have to look at US officials and their ongoing battle against the introduction of encryption on Facebook Messenger to know how sensitive this subject is.
Fundamentally, the UAE bans WhatsApp and other encrypted messaging services for the same reasons that US Attorney General William Barr requested “That Facebook does not proceed with its plan to implement end-to-end encryption… without including a means for lawful access to the content of the communications to protect our citizens”.
Inevitably, many UAE citizens have simply changed how they use social media and messaging apps to get around these blocks. Many were using VPNs which enabled them to bypass blocks on certain content and download banned apps. Since then, however, the UAE has also banned VPNs, although the wording of the ban means there’s a sizeable loophole there for those wanting to exploit it.
Nevertheless, these government restrictions led to demand for an alternative chat service, which is where ToTok comes into the picture.
The Rise of ToTok
Released last year, ToTok offered free messaging and chat services to UAE residents, and became the “only free government-approved VoIP video app available in the UAE”. ToTok first hit the headlines in August 2019, when Al-Ittihad ran an article praising ToTok’s ability to produce “high purity and video calls in high definition” by using “artificial intelligence (AI) technologies to improve call quality”.
Although ToTok initially targeted those in the UAE, it soon became popular in other countries as well. Statistics indicate that, between the iOS App Store and Google Play, the app was downloaded 7.9 million times during its brief lifetime.
Even at its initial release, some were suspicious about the app, with one UAE-based customer saying, “It is suspicious… that a new app comes up and it’s for free and it works while all the others are blocked”. Those concerns didn’t stop people from jumping on the ToTok bandwagon, however, and certainly didn’t stop them from giving ToTok permission to access a host of information it didn’t necessarily need to operate effectively.
Worse still, the investigation into ToTok carried out by Objective-See revealed that "ToTok uploads your entire address book, pictures you send, locations you're in, and conversations you have to a server". A secure server? Well, yes, but a confidential one? Possibly not.
According to Objective-See's report, the encryption certificate for ToTok communications is held in the UAE, making the app ideally suited to surveillance by a totalitarian government. Objective-See noted that the UAE had achieved a clever, step-by-step means of gaining full access to its citizens' private communications. First, it banned popular chat apps, then it banned VPNs so users couldn't get around the chat app ban. It then created a free messaging service, encouraged everyone to use it, and used it as a method of mass surveillance.
The Dangers of ToTok
While ToTok's policy states, "all data is stored heavily encrypted so that local ToTok engineers or physical intruders cannot get access", Telegram's says, "All data is stored heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions. This way local engineers or physical intruders cannot get access to user data". The difference is telling: ToTok's wording says nothing about where the encryption keys are held, and encrypted storage protects little if whoever holds the keys also holds the data.
ToTok also reserves the right to share user data "with your consent" but also "with other users who are using the App". Whether users must give their consent before their information is shared with other users is unclear and rather worrying.
What's more, even anonymized data isn't always as private as we might like to believe, and it's feasible that government authorities could quickly re-identify anonymized data, linking it to an individual user and even tracking that user's current location and previous online activities.
While these are undeniable dangers associated with the use of ToTok, they were not the focus of The NY Times’ damning report which instead concentrated on the use of ToTok as a spy tool for the UAE government. The NY Times claimed that “one digital security in the Middle East… said that senior Emirati officials told him that ToTok was indeed an app developed to track its users in the Emirates and beyond”.
The clever thing about ToTok is that it performs its underhand processes while operating exactly as it was designed to. According to former National Security Agency employee and security researcher Patrick Wardle, “When you start analyzing an app like this you expect to find a backdoor or some zero-day exploits… But the more I think about it, this is actually a more elegant approach, which is just leverage completely legitimate functionality”.
In effect, there's absolutely nothing wrong with ToTok – it's simply a messaging app that uses the same private data as any other social media platform or communication app. However, as Wardle points out, "The problem is where's the data going and who has access to it?" Wardle goes on to say, "There's a large amount of plausible deniability, which is why it's a no-brainer approach to gain a high degree of surveillance".
The Dark Matter Behind ToTok
One of the most worrying things about ToTok is that it appears to be linked to an organization known as DarkMatter. This cyberintelligence and hacking company is based in Abu Dhabi and believed to employ “Emirati intelligence officials, former National Security Agency employees, and former Israeli military intelligence operatives”.
DarkMatter is currently under investigation by the FBI for suspected cybercrimes, amid claims that "cyber mercenaries working for DarkMatter turned a prosaic household item, a baby monitor, into a spy device".
Although the company officially behind the ToTok app is called Breej Holding, The NY Times believes this is, most likely, just a front company. In addition to its dubious connections to DarkMatter, investigations also revealed a link to Pax AI, a so-called AI-technology company that The NY Times refers to as a “data-mining firm that appears to be tied to DarkMatter”.
Calls to Breej Holding went unanswered and no one from Pax AI responded to any emails or messages left during the investigation into ToTok. Subsequently, the FBI released a rather tentative statement saying, "while the FBI does not comment on specific apps, we always want to make users aware of the potential risks and vulnerabilities that these mechanisms can pose".
A more in-depth report suggested that all three companies, ToTok, DarkMatter, and Pax AI, have links to "Sheikh Tahnoon bin Zayed Al-Nahyan, the UAE's National Security Advisor".
ToTok: The Fall Out
It didn't take long for Google Play and the Apple Store to respond to warnings about ToTok, and both removed the app within days of The NY Times article being published. ToTok's developers tried to sweep the surveillance accusations under the carpet, saying the app was "temporarily unavailable… due to a technical issue".
Google Play removed the app on 19th December with the Apple Store following suit the next day. While an Apple spokesperson said the company would be investigating the situation, Google Play issued a statement saying that it takes "reports of security and privacy violations seriously. If we find behavior that violates our policies, we take action".
Surprisingly, ToTok passed the stringent rules put in place by both app stores to prevent the distribution of corrupt apps, apps designed with a different purpose to the one stated, or apps bundled with malware. Google Play even goes so far as to ban apps that fail to protect user privacy or lack developer integrity. Despite these efforts, however, if it hadn’t been for The NY Times exposing the alleged use of ToTok as a spy tool, there would have been little to alert either app store to its potential dangers.
According to Bob Rudis, the chief data scientist at IT company Rapid7, not only would app stores have no way to detect ToTok's surveillance features or identify them as potentially damaging to users' privacy, it's also "virtually impossible to defend any commercial process against a determined and well-resourced nation-state."
Despite being attacked from all sides, ToTok's developers remain unrepentant and are vehemently denying the accusations. Co-founder Giacomo Ziani said the reason the UAE government approved ToTok so quickly was that its comparatively small market share meant that it wouldn't "cut as deeply into their [telecommunications companies'] business" as major companies like WhatsApp and Skype potentially would.
Ziani also denied that the ToTok app collected any information from users' conversations, insisting that it complied with Emirati legislation that "prohibit any kind of data breach and unlawful interception". Ziani went on to say, "We are not linked to any government, not the UAE, the U.S., or China". He also reminded Google Play and the Apple Store of the fact that "each version of the ToTok app went through your rigorous review process", arguing that the app should be reinstated.
Ziani complained that ToTok was removed from the app stores without any prior notice and that this was causing serious damage to his company. While Bill Marczak, a computer science researcher at the University of California, still insists that, "by using this app, you're allowing your life to be opened up to the whims of national security as seen by the UAE government", Google Play has relented and reinstated ToTok to its online store.
From early January, ToTok reappeared on the Google Play site, although Google has declined to comment on why it decided to reinstate it. Nevertheless, the fact that it was removed and then returned suggests that it was examined for potential service violations and came through those investigations with a clean slate.
While celebrating his app's return to Google Play, Ziani said, "On the Apple side, there is less traction due to the holiday season". It seems it's more than just the holidays that are delaying Apple's decision, however, and there's still no sign of ToTok in the Apple Store.
Patrick Wardle believes that whatever Apple does, it will set a "crazy precedent". If it doesn't reinstate it, what would it do if China claimed WhatsApp was a spy tool, and "would Apple vet all the developers who submit apps and try to figure out if they are connected to governments?" On the other hand, if they do reinstate it, Wardle says, "it green-lights any government surveillance app, as long as the app doesn't violate App Store policies".
How to Avoid Government Surveillance in the UAE
The first step is obvious – if you’ve downloaded ToTok, remove it immediately and use a more reputable and less controversial messaging app that utilizes end-to-end encryption and thereby protects your data in transit as well as in storage.
A VPN can also add another layer of encryption that can prevent anyone, including the app developers and any third parties they may be sharing data with, from seeing your original IP address, location, and pretty much any other kind of data you choose to keep secret. Bear in mind, though, that a VPN only masks what is visible at the network level: it does nothing to stop an app from uploading data, such as your contacts or photos, that you have already granted it permission to read, so the app's permissions matter as much as the connection.
ToTok won't work as efficiently if it can't gain access to information like your location, which it uses to provide accurate weather forecasts, but at least it means you can potentially use the app without sharing details of your personal life with UAE officials.
Of course, using a VPN in the UAE is a bit more difficult, as the government officially banned VPNs a couple of years ago. Fortunately, there is something of a loophole that means you could be on the right side of the law even if you decide to use the best VPN for Dubai (namely the formidable ExpressVPN) to protect against ToTok surveillance.
While it is illegal to use a VPN to hide illegal online activity, it's not illegal to use a VPN as such. Nevertheless, it's a bit of a gray area, and VPN users in Dubai should err on the side of caution by making sure they select a no-logging VPN to keep them safe and anonymous while using VoIP, social media apps, and other connected services.