Last month, both Google and Apple removed a popular social messaging app called ToTok from their official app stores. The decisions came after United States intelligence officials told The New York Times that the United Arab Emirates likely uses the app for state surveillance. The report and subsequent research also asserted ties between ToTok developer Breej Holding Ltd. and the Emirati government. But by Saturday, Google had quietly reinstated ToTok in its Play Store for Android. Apple does not seem to have settled on its next steps.
The ToTok imbroglio that both companies find themselves in speaks to the difficulties app stores have in policing their offerings. If an app hides an ad fraud scam behind a puzzle game, Apple and Google can, and do, detect the behavior and remove the listing. But if an app like ToTok calls itself a VoIP calling and messaging app, and does exactly that, there isn’t necessarily anything sinister to detect. ToTok’s corporate servers could pipe user data to the government, but that activity would lie beyond Apple or Google’s visibility.
Think about the web services that you use every day. What do Facebook or Amazon do with the information you give them? Is the NSA getting a firehose of phone call and email metadata from US telecoms and tech companies? (Reminder: That happened.)
It’s a dilemma that Apple and Google have faced before, to a less publicized extent. The secure communication app Telegram has endured numerous, unsubstantiated rounds of accusations that it contains a backdoor for Russian government access. But Apple and Google have never removed the app because of these claims. The massively popular Chinese social communication app WeChat is even more plausibly thought to be a funnel for broad Chinese government surveillance, yet it, too, is available through Google Play and Apple’s App Store around the world. The intelligence community’s warning about ToTok—by way of the Times report—is perhaps the most direct and actionable yet, although demonstrably difficult for Apple and Google to deal with.
“It’s a really interesting question to think about with WeChat,” says Will Strafach, an iOS security researcher who has analyzed the WeChat app for potential signs of its use in surveillance. “I think companies have a very hard time when it comes to privacy issues that aren’t directly observable in an app itself. I have a hard time thinking of what the right answer is to the app store policy side.”
Purported ToTok cofounder Giacomo Ziani said in a statement last week that ToTok was having “productive dialogue with Google, which highlighted some areas of improvement on the app.” He said it seemed that ToTok would be reinstated on Google Play, but added, “On the Apple side, there is less traction due to the holiday season.”
Google declined to comment on its decision to reinstate ToTok, pointing instead to its original statement: “We take reports of security and privacy violations seriously. If we find behavior that violates our policies, we take action.” This seems to imply that in reviewing ToTok, Google didn’t find anything about the app that violates Play Store policies. Apple said on Monday that ToTok is still not present in the iOS App Store, but that its investigation into the app is ongoing, more than two weeks after it began.
In general, Google is known for being fairly specific about how denied or rejected apps are in violation of the Play Store’s policies. Meanwhile, Apple has a reputation among developers for blocking or removing apps without explanation or with only opaque commentary.
“If Apple does not reinstate ToTok, that’s a crazy precedent to set. Say China claims WhatsApp is a United States government surveillance tool. Would Apple remove it? Or would Apple vet all the developers who submit apps and try to figure out if they are connected to governments,” says Patrick Wardle, a security researcher at the Apple-focused enterprise management firm Jamf, who was the first person to publish a technical analysis of ToTok in late December. “But if they do reinstate it, that also sets a crazy precedent! Basically it green-lights any government surveillance app, as long as the app doesn’t violate App Store policies. That would seriously undermine the claims that Apple cares about its users and their privacy.”