
The investigation into ToTok - DyslexicAtheist
https://objective-see.com/blog/blog_0x52.html
======
diebeforei485
This paradigm of apps demanding access to your entire contacts list must end.
I should be able to choose individual contacts to add to any given app.

~~~
cmroanirgo
I think it's high time the host OS takes responsibility for the privacy of
sensitive things, such as contact lists and personal data.

One way could be to not return any identifiable information about others at
all, but just a hash of each contact. (Kudos points if the host OS returns a
different hash for the same contact in different apps.) If that contact is
known to the app (because they've also installed it), then the app has all the
information it needs to set up contact between two parties. The host OS will
probably need to provide a way to render a contact list for the app.

I'd be much happier with this arrangement. This way my personal data isn't
uploaded to third parties simply because an acquaintance of mine wants to
install some rubbish app. Only if I install the same (rubbish) app will that
third party finally get my personal info.

The host OS should also give me the power to determine what personal info it
gives to any app. For instance, why did WhatsApp ever need my personal phone
number while creating an account? It doesn't, and as such, should be regarded
as an antitrust requirement.
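
Added example (not from this thread, nor from Objective-See or ToTok): a minimal Python model of the per-app contact-token scheme sketched in the comment above. It assumes a platform-wide secret that only the OS vendor holds and that every device shares, because cross-device matching requires the same contact to yield the same token for the same app on Alice's phone and on Bob's; a per-device secret would make tokens unmatchable. From that secret it derives a per-app key and hands the app keyed HMAC tokens instead of numbers, so the same contact gets unrelated tokens in different apps. The app's backend, seeing only tokens, can still tell which of a user's contacts have installed the same app. It also shows why an unkeyed hash would not do: the phone-number space is small enough to enumerate. The secret, app ids, names and numbers are all constructed.

```python
import hashlib
import hmac
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed stand-in for a platform-wide secret held only by the OS vendor
# (assumption: apps never see it, and every device shares it so that the same
# contact maps to the same token for the same app on any device).
PLATFORM_SECRET = b"constructed-platform-secret-not-for-real-use"


class ContactExport(NamedTuple):
    self_token: str      # token for the device owner's own number
    contacts: List[str]  # one token per address-book entry, numbers withheld


def normalize_phone(number: str) -> str:
    """Canonical digits-only form so '+1 (555) 010-0002' and '15550100002' agree."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def app_key(app_id: str) -> bytes:
    """Per-app key derived from the platform secret. A different app id gives an
    unrelated key, so the same contact yields unrelated tokens in different apps."""
    return hmac.new(PLATFORM_SECRET, b"contact-token/" + app_id.encode(), hashlib.sha256).digest()


def contact_token(app_id: str, number: str) -> str:
    """The opaque value the OS hands an app in place of a phone number."""
    return hmac.new(app_key(app_id), normalize_phone(number).encode(), hashlib.sha256).hexdigest()


def plain_hash(number: str) -> str:
    """The naive alternative: an unkeyed hash of the number (shown to be invertible below)."""
    return hashlib.sha256(normalize_phone(number).encode()).hexdigest()


def os_export_contacts(app_id: str, own_number: str, address_book: Dict[str, str]) -> ContactExport:
    """OS-side call an app makes instead of reading the address book. Names stay
    on the device; the OS keeps its own token -> name map to render the app's list."""
    return ContactExport(
        self_token=contact_token(app_id, own_number),
        contacts=sorted(contact_token(app_id, n) for n in address_book.values()),
    )


class AppBackend:
    """Third-party server: it only ever stores and compares tokens."""

    def __init__(self) -> None:
        self.registered: Set[str] = set()  # self-tokens of users who installed the app

    def register(self, export: ContactExport) -> None:
        self.registered.add(export.self_token)

    def mutual_contacts(self, export: ContactExport) -> List[str]:
        """Tokens in this user's book belonging to someone who also installed the app."""
        return [t for t in export.contacts if t in self.registered]


def unkeyed_brute_force(target_hash: str, prefix: str, width: int) -> Optional[str]:
    """Why a plain hash is not enough: enumerate prefix + every width-digit suffix
    and return the number whose unkeyed SHA-256 matches, if any."""
    for i in range(10 ** width):
        candidate = f"{prefix}{i:0{width}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed numbers. Alice and Bob install chat.app; Carol does not.
    alice = os_export_contacts("chat.app", "+1 555 010 0001",
                               {"Bob": "+1 (555) 010-0002", "Carol": "+1 555 010 0003"})
    bob = os_export_contacts("chat.app", "15550100002", {"Alice": "15550100001"})
    backend = AppBackend()
    backend.register(alice)
    backend.register(bob)
    print("Alice's matchable contacts:", backend.mutual_contacts(alice))   # only Bob's token
    print("same contact in other.app matches:", contact_token("other.app", "+15550100002") == bob.self_token)
    print("unkeyed hash inverted to:", unkeyed_brute_force(plain_hash("+15550100002"), "+1555010", 4))
```

The matching step is the part the comment leaves implicit: the backend never learns Carol's number or even a stable hash of it, only that one of Alice's tokens did not match anyone, and the same token space cannot be joined against another app's data. The brute-force function is the caveat: if the OS used an unkeyed hash, any party holding the hashes could recover numbers by enumerating a country's numbering plan, which is cheap.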

~~~
Despegar
The only actual solution to this is legal, not technical.

~~~
stazz1
If only all my lawmakers weren't busy in flamewars with bots on twitter, we
could maybe get this done!

------
userbinator
_Analyzing iOS applications is not the most trivial process, as said
applications are distributed (via the iOS App Store) in an encrypted format._

I've not done much with mobile but have RE'd a bunch on the PC, and there an
application which attempts to obfuscate its code in any way (e.g. classic case
being a packed EXE) already warrants suspicion. At least there I always have
the ability to open a file in a hex editor or even debugger for further
inspection. IMHO this locked-down nature of platforms that makes it difficult
for you to analyse the behaviour of the device which you ostensibly own is a
huge obstacle to freedom and privacy in general. Ditto for all the other stuff
like IoT which often communicates without your knowledge (and the traffic is
encrypted, again ostensibly for protection on the Internet --- which it does
do --- but with no way to inspect it locally).

It's true that not everyone has the skills to inspect, and that's a classic
excuse for locking it down; but by making it harder to even get started and
restricting that to "approved" people, there are even fewer motivated to try.
The nature of Apple's platform is already disturbingly close to the situation
in Stallman's classic story over 20 years ago:
[https://www.gnu.org/philosophy/right-to-read.en.html](https://www.gnu.org/philosophy/right-to-read.en.html)

~~~
rjzzleep
Huh? That doesn't sound like you've done much RE at all. On PC, contrary to
their Mac counterparts, virtually all shareware was PE protected, from simple
UPX, which was often used just to compress the executables, to more
sophisticated polymorphic code with import obfuscation.

I've been out of the domain for a while but pretty much all shareware
licensing was doing interesting things. It was more or less an arms race and a
pretty fun one on top of that.

IoT which communicates without your knowledge is one thing, but IoT that used
alternative encryption because e.g. stock Bluetooth was easily sniffable is
another. You don't want anyone to be able to just sniff your health monitoring
data.

~~~
aliswe
Would be nicer of you to add "or we've been RE'ing different stuff" to your
"doesn't sound like you've done much RE at all".

------
spectramax
There needs to be serious scrutiny of the amount of network traffic that an app
can have on iOS/Android. For applications such as WhatsApp/TikTok/Snapchat,
etc., there needs to be a new controller/view for accessing private
information such as the address book. This view will allow the user to see all
of the contacts and select one to call, and only then does the app get access
to that particular contact. Simply allowing full access to the address book is
reckless. The ability to screenshot should also be completely disabled. Any
other ideas?

It is just a normal thing to accept access to Contacts or Photos, and all of a
sudden, all of your data is being siphoned off.

The more I see this kind of stuff, the more terrified I am about the future.
Data doesn't just erode away. 40 years later, it is going to bite us.

~~~
JoshTriplett
> For applications such as WhatsApp/TikTok/Snapchat, etc., there needs to be a
> new controller/view for accessing private information such as the address
> book. This view will allow the user to see all of the contacts and select
> one to call, only then the app has access to that particular contact.

This is what Android already does. Without any special permission, an app can
ask the user to choose a contact, a photo, a freshly snapped image from the
camera, or various other things, and the app gets access to what the user
explicitly gives it.

That is what almost every app _should_ do.

~~~
saagarjha
iOS has a similar thing for photos, but apps don’t use it. (The reason that
the “give us your entire photo album” API exists is ostensibly so you can show
it using your own UI. The number of apps that abuse this reason is very high,
including some that absolutely should know better–as in, they’re marketed
towards privacy-conscious users.)

------
WilTimSon
The points at the end are nice but it does make me wonder if there was
something more to the intelligence community's conclusions about ToTok.

It's terrifying to think just how fast some countries are moving toward full
control of the internet and communication means for their citizens. From
internet blackouts to intranets (just saw a BBC article on it [0]), it seems
like the hot new thing for regimes is to take control of the internet because
it's where people go for information.

[0]
[https://www.bbc.com/news/technology-50902496](https://www.bbc.com/news/technology-50902496)

~~~
srcmap
Welcome to the Balkanization of the internet.

As much as internet Jedi like a free/secure internet, the forces of the Empires
(governments of ru, UAE, cn, US, UK, EU, etc.) are striking back.

It is not "some" countries. It is "all" countries - they all feel the
power/need to monitor and control the internet.

------
29athrowaway
I copied and pasted the contents of this into a text editor so I could read
it.

The font sizes and colors in this article are all over the place.

~~~
saagarjha
Luckily, Reader View makes quick work of it.

~~~
29athrowaway
I always forget that thing. Thanks

------
sturza
Please do the same analysis on WhatsApp/Messenger/Instagram and any Google
app.

------
ficklepickle
ToTok is quoting this article to proclaim their innocence.

[https://totok.ai/news-dec24](https://totok.ai/news-dec24)

------
saagarjha
TL;DR: the app does nothing out of the ordinary for a messaging app, which is
why it’s so nefarious. It uploads contact information and location data…but
after asking the user’s permission for seemingly legitimate reasons. The
danger is that it’s hard to know what they’re doing with the uploaded data.

~~~
atemerev
Yes; the difference between it and, say, WhatsApp, is that we trust Facebook
to do nothing particularly evil with our contact list... Or do we?

~~~
grecy
I think the difference is that evil American companies are more acceptable
than evil Chinese companies.

~~~
bouchard
ToTok and TikTok are two different apps. ToTok is used in the UAE where
Whatsapp and others are banned.

------
xrd
Where is the Edward Snowden that worked on this app?

