A recent article by The New York Times claims that ToTok, an emerging Emirati messaging application, is a spy tool for the United Arab Emirates (UAE) government. This has led to ToTok being removed from Google Play store and Apple’s App Store.

ToTok markets itself as an easy and secure way to chat by video or text, and has become increasingly popular in the Emirates as an alternative to messaging services like WhatsApp and Skype, which are restricted in the country. The app has also become popular abroad, being among the top 50 free apps in Saudi Arabia, India, Sweden and other countries, according to Google Play rankings.

Investigations into the matter

The New York Times report cites US officials familiar with a classified intelligence assessment and the newspaper’s own investigation as sources. It claims that the UAE government can track users’ conversations, movements and relationships. ToTok reportedly requests and tracks user location by offering accurate weather forecasts, and ‘hunts’ for new contacts by suggesting people for users to connect with – similar to the way in which Instagram flags Facebook friends. ToTok also has access to a user’s microphone, camera, calendar and other phone data.

The firm behind ToTok, Breej Holding Ltd, is supposedly likely “a front company affiliated with DarkMatter,” an Abu Dhabi-based cyberintelligence and hacking firm allegedly under investigation by the FBI for possible cybercrimes.

According to Patrick Wardle, a former US National Security Agency hacker who analyzed the app for The New York Times, ToTok has an apparent “legitimate” functionality and “simply does what it claims to do” as a messaging app. Wardle, who is now a private security researcher, explains in a blog post that this is, in fact, the “genius of the whole mass surveillance operation” – since ToTok contains “no exploits, no backdoors, no malware” and therefore is able to gather in-depth insight into millions of users using common functions.

ToTok’s response

The company claims the app is “fast and secure”, despite not verifying that it features end-to-end encryption – similarly to WhatsApp and Skype. ToTok’s privacy policy states that it “may share your personal data with group companies”, as well as with “law enforcement, officials, regulatory agencies and other lawful access requests”. However, the Emirati government is not mentioned.
On Monday, December 23, ToTok released a statement addressing Google and Apple’s removal of the app from their stores, claiming that it’s due to a “technical issue” and that they are “engaged with Google and Apple to address the issue.” On December 24, ToTok released another statement, this time from its cofounders, denying the spying allegations and stating that “since day one, we have built ToTok with user security and privacy as our priority.”

Have a tip or story? Get in touch with our reporters at tips@themilsource.com