First off, it’s “ToTok,” not “TikTok.” One is a messaging app that turned out to be spyware for the United Arab Emirates; the other is that quirky video app that people use to lipsync with their cats to make funny memes. Keep doing that, but definitely remove ToTok from your device if you’re one of the millions of people who installed it, because it’s totally bogus.
The news on ToTok comes from a weekend report by The New York Times, which indicates that ToTok—recently among the most-downloaded apps in the United States—is actually “used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.”
While you’re uninstalling the offending app, and having a slight panic attack about who and what has this data about your whereabouts and discussions, let’s talk prevention. Specifically, is there any way to prevent a scammy app like this—one that’s presumably “vetted by popularity,” as I like to describe it—from infiltrating your life again?
First off, there’s nothing about the app’s description that would typically raise a warning flag. It’s full of marketing-speak, sure, but it’s not full of grammar and spelling mistakes, nor does it read as if it was run through Google Translate six times back-to-back. From a screenshot of the app’s product page on the App Store, we get:
The app also enjoyed a lot of great reviews and high ratings—again, all appearing to be written by real people. At least, they didn’t sound as if the app’s developer hired 30 scammers to post random positive junk about the app.
Finally, there’s the trust element. I think a lot of people assume that whenever an app makes it onto Apple’s App Store (for example), it has been thoroughly and properly vetted by Apple’s internal app review teams. While that’s true, to an extent, there’s only so much these teams can check. They would have no way of knowing that the servers used by a messaging app are logging and recording everything you say—not really functionality they have the power to test.
The same is true for location tracking. As long as an app’s use of location services is “directly relevant to the features and services provided by the app,” as Apple says, Apple has no control over how this data is stored, kept, or shared by an app’s developer. An app can “notify and obtain consent before collecting, transmitting, or using location data,” but it can also lie. Apple can’t check for liars.
It’s also unclear whether the permissions the app requested—on Android or iOS—would have given away its intent. I suspect that what the app wanted to do probably seemed reasonable, given that it’s a messaging app. It would probably want to access your contacts or SMS messages, as well as your camera, your microphone, et cetera. Normally, an app asking for all those permissions en masse would raise a flag, but not when that app, like others, uses them as part of its core functionality.
Is there anything you can do to avoid shitty apps that appear great?
The only advice I have, which isn’t much advice at all, is to really, really think about the kinds of apps you install on your device. Most app categories have frontrunners that have been around for years, used by millions, and probably analysed by security experts and journalists alike. Before you install the next great app to replace some critical component of your device—like a new phone app, a messaging app, or even a camera app—take some time to research it.
Even if you did this, you still wouldn’t have found out about ToTok’s mischief until it was too late, but you also might have not installed the app—given its newness—until more people had more to say about it. You might have paused, wondering why a messaging app you’ve never heard of and none of your friends are using is now insanely popular. Maybe you would have stuck with Signal or WhatsApp instead of jumping ship to a “new” app that offers similar functionality. Is the risk worth an extra feature or two, or a more interesting user interface?
There’s no hard and fast rule you can use to determine whether an app is legitimate or not, just a number of data points you have to weigh before installing something new. Sometimes, these clues tilt the balance toward “obvious”—not a full confirmation, but a strong suggestion that you probably don’t need or want the app you’re about to install. Other times, like in the case of ToTok, it’s hard to figure out what you should do. I tend to ask myself, “Do I really need it,” before I install something new, because I like to not have 1,000 apps on my smartphone. That, and I like to be pretty sure about apps that request a ton of permissions. (I’m less worried about apps I’ve never heard of that don’t need access to, say, my contacts.)
I’m hoping you didn’t get bit by ToTok, but if you did, it’s a helpful reminder that even the best-looking apps that live in the top charts on the world’s biggest app playgrounds can still act in bad faith. And, sometimes, there’s very little you can do about it. Stay on top of the news for the popular apps you download just in case that new and sweet-looking app is actually a complete and total scam (or worse).