Alleged Spy App ToTok Puts Apple in a Bind

Credit to Author: Lily Hay Newman| Date: Wed, 08 Jan 2020 13:00:00 +0000

Apple and Google both banned ToTok after reports that it was a UAE government surveillance tool. After Google reinstated it, Apple has a hard choice to make.

Last month, both Google and Apple removed a popular social messaging app called ToTok from their official app stores. The decisions came after United States intelligence officials told The New York Times that the United Arab Emirates likely uses the app for state surveillance. The report and subsequent research also asserted ties between ToTok developer Breej Holding Ltd. and the Emirati government. But by Saturday, Google had quietly reinstated ToTok in its Play Store for Android. Apple does not seem to have settled on its next steps.

The ToTok imbroglio that both companies find themselves in speaks to the difficulties app stores have in policing their offerings. If an app hides an ad fraud scam behind a puzzle game, Apple and Google can, and do, detect the behavior and remove the listing. But if an app like ToTok calls itself a VoIP calling and messaging app, and does exactly that, there isn't necessarily anything sinister to detect. ToTok’s corporate servers could pipe user data to the government, but that activity would lie beyond Apple or Google’s visibility.

Think about the web services that you use every day. What do Facebook or Amazon do with the information you give them? Is the NSA getting a firehose of phone call and email metadata from US telecoms and tech companies? (Reminder: That happened.)

"Companies have a very hard time when it comes to privacy issues that aren’t directly observable in an app itself."

Will Strafach, Sudo Security Group

It’s a dilemma that Apple and Google have faced before, to a less publicized extent. The secure communication app Telegram has endured numerous, unsubstantiated rounds of accusations that it contains a backdoor for Russian government access. But Apple and Google have never removed the app because of these claims. The massively popular Chinese social communication app WeChat is even more plausibly thought to be a funnel for broad Chinese government surveillance, yet it, too, is available through Google Play and Apple’s App Store around the world. The intelligence community's warning about ToTok—by way of the Times report—is perhaps the most direct and actionable yet, although demonstrably difficult for Apple and Google to deal with.

“It’s a really interesting question to think about with WeChat,” says Will Strafach, an iOS security researcher who has analyzed the WeChat app for potential signs of its use in surveillance. “I think companies have a very hard time when it comes to privacy issues that aren’t directly observable in an app itself. I have a hard time thinking of what the right answer is to the app store policy side.”

Purported ToTok cofounder Giacomo Ziani said in a statement last week that ToTok was having "productive dialogue with Google, which highlighted some areas of improvement on the app." He said it seemed that ToTok would be reinstated on Google Play, but added, "On the Apple side, there is less traction due to the holiday season."

Google declined to comment on its decision to reinstate ToTok, pointing instead its original statement: "We take reports of security and privacy violations seriously. If we find behavior that violates our policies, we take action." This seems to imply that in reviewing ToTok, Google didn't find anything about the app that violates Play Store policies. Apple said on Monday that ToTok is still not present in the iOS App Store, but that its investigation into the app is ongoing, more than two weeks after it began.

In general, Google is known for being fairly specific about how denied or rejected apps are in violation of the Play Store's policies. Meanwhile, Apple has a reputation among developers for blocking or removing apps without explanation or with only opaque commentary.

"If Apple does not reinstate ToTok, that's a crazy precedent to set. Say China claims WhatsApp is a United States government surveillance tool. Would Apple remove it? Or would Apple vet all the developers who submit apps and try to figure out if they are connected to governments,” says Patrick Wardle, a security researcher at the Apple-focused enterprise management firm Jamf, who was the first person to publish a technical analysis of ToTok in late December. "But if they do reinstate it, that also sets a crazy precedent! Basically it green-lights any government surveillance app, as long as the app doesn't violate App Store policies. That would seriously undermine the claims that Apple cares about its users and their privacy."

Google seems to be taking the latter option, making an alleged surveillance app available through its official store to Android's massive user base to avoid applying its app standards inconsistently and potentially unfairly. The version of ToTok that reappeared in Google Play on Saturday included some “key updates,” like a dedicated screen where users can review and accept ToTok's privacy policy and expanded permissions notifications so users have more opportunities to assess whether they want to grant or deny the app's requests for access to contacts and other data.

Overall, tech companies have been loathe to wade into geopolitical conflicts, and often simply say that they must comply with all applicable laws in the countries they operate in. But the ToTok conundrum is conceptually similar to other issues tech giants already face. Google was memorably blocked from the Chinese market in 2010 after it stopped complying with the Chinese government's search censorship requirements. The company considered reentering China in 2018, but seemingly abandoned the idea by the end of that year after enduring months of backlash. And for years, Facebook famously maintained that it was not its place to extensively police content on its platform until nation states began exploiting the service for things like foreign election meddling or disinformation campaigns stoking violence.

ToTok may have touched off the next iteration of this debate for Apple and Google's official app stores. In the meantime, though, it seems safer to avoid ToTok if you can, even if it has an app store imprimatur. For some, it’s not so simple; being selective based on privacy concerns is a luxury not everyone can realistically afford. For users in the UAE, ToTok offers some features that are usually blocked in the country. If the app is available, people are going to use it.

https://www.wired.com/category/security/feed/