Pierluigi Paganini December 30, 2019

The United Arab Emirates denied reports that the popular mobile app ToTok was used as part of a government massive surveillance program.

According to a report recently published by the New York Times, the popular app ToTok was used by the UAE government as a surveillance tool. It has been removed from both Apple and Google online stores because authorities were using it to spy on its users, to track the conversations and movements.

The ToTok app is used by millions of users in the UAE and other countries in the Middle East.

The report said US intelligence officials and a security researcher determined the app was being used by the UAE government for detailed surveillance.

“ToTok appears to have been relatively easy to develop, according to a forensic analysis performed for The Times by Patrick Wardle, a former National Security Agency hacker who works as a private security researcher. It appears to be a copy of a Chinese messaging app offering free video calls, YeeCall, slightly customized for English and Arabic audiences.” reads the report published by the NYT.

“ToTok is a cleverly designed tool for mass surveillance, according to the technical analysis and interviews, in that it functions much like the myriad other Apple and Android apps that track users’ location and contacts.”

The popular expert Patrick Wardle published a detailed analysis that shows the abuse of the ToTok app for a “mass surveillance operation.”

“Our analysis showed that ToTok, simply does what it claims to do…and really nothing more. Assuming the claims that ToTok is actual designed to spy on it’s users, this “legitimace” functionality of the app, is really the genius of the whole mass surveillance operation: no exploits, no backdoors, no malware, …again, just “legitimate” functionality that likely afforded in-depth insight in a large percentage of the country’s population.” reads the analysis published by Wardle.

“Think about it this way …you’re a (rather surveillance-happy) foreign government who’d love to monitor your citizens.“

Now the UAE Telecommunications Regulatory Authority clarified in an official statement that local laws “prohibit any kind of data breach and unlawful interception”.

“The TRA reaffirms that all certified telecommunications applications in the UAE are in compliance with these standards.” reads the statement.

The ban on popular apps such as WhatsApp, Skype in UAE, made ToTok very popular for the local population that uses it for free calling and messaging services.

Wardle pointed out that the app was tricking its users into allowing it to access their data and location.

The ToTok app was developed by the firm Breej Holding which is supposed to be a “front company” linked with the hacking firm.

Wardle explained that the UAE government used a strategy composed of the following steps to promote the app:

1. Ban popular apps such as WhatsApp, Skype
2. Create a free alternative app that provides this banned functionality.
3. Submit the app to the iOS app store, where it’s readily approved by Apple.
4. Create fake reviews & social media posts that recommend the application.
5. Wait as the citizens of your country readily embrace the app and it’s popularity soars.”

Pierluigi Paganini

(SecurityAffairs – ToTok, surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]