Mass Surveillance, is an (un)Complicated Business

triaging a massively popular iOS application, with a dark side

📝 👾 Want to play along? I’ve uploaded a decrypted copy of the application and decrypted traffic captures. Download: ToTok.zip and Traffic.zip

Background

Recently, I was approached by the New York Times (NYT) to assist with the investigation into a massively popular iOS application, ToTok.

Apparently “American officials familiar with a classified intelligence” assessment had determined that ToTok was actually a spying tool. 😱

“It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” -New York Times

Read the New York Times report: “It Seemed Like a Popular App. It’s Secretly a Spy Tool”.

Today, we’ll walk thru a triage of the ToTok iOS application.

The main goal of this blog post is to provide the technical details of how one may go about triaging an iOS application, using ToTok as a “case-study”. That is to say, the aim is simply to discuss our analysis procedure and binary analysis, and note some (interesting) observations.

ToTok (by “Breej Holding Ltd.”) is a massively popular application in the United Arab Emirates (UAE). In fact recently it was the #1 “trending” app in Dubai:



…while on the iOS app store, similarly ranked quite highly:

Its reviews (over 32,000!) are largely positive, and mostly laud the fact that this application is not blocked in the UAE (Skype, WhatsApp, etc. are blocked, while using VPNs to access blocked services is illegal).

“Finally a VoIP application which works in UAE. Hopefully it starts this way. The voice and video clarity is simply amazing!! Thanks a lot ToTol and TRA of UAE.” -Mustafa Abdul Ahad

“Really, thank you for this app. I can finally make a call/video call easily with my family since other apps are banned in my current living country. Thankyou” -Jckarhmrv

“I never posted any positive comments or feedback but TOTOK forced me to appreciate your efforts and give love to your unbeatable application. In UAE TOTOK is like water 💧 in desert…” -Saqib Saleem

“…I’m going to give great thanks to all your team that you guys have done great job 😘😘😘 specially for UAE users where all apps are blocked for calling and now this is totally free and still not blocked…” -Pakistan

“Finest app of 2019, really impressive with the way app is designed. Most importantly it works in the UAE and that’s a true blessing” -BeingGaurav

“It’s great to have such an app in a county where Audio & video calls are banned!” -baghya

…it’s almost as if ToTok is too good to be true! 🤔

The app is also recommended on various sites around the Internet, especially as a solution to other apps being blocked in the UAE:



Read: "UAE residents confused by removal of ToTok from Apple store".

It appears that the application has just been pulled from the iOS App Store!

Analysis Setup

Analyzing iOS applications is not the most trivial process, as said applications are distributed (via the iOS App Store) in an encrypted format.

The two main approaches to analyze an iOS application include:

on a jailbroken iOS device

via advanced virtualization (i.e. corellium)

Both are frowned upon by Cupertino, who quickly (when possible) patches all iOS bugs in an attempt to thwart jailbreaks or, worse, turns to (dubious) legal action.



Unfortunately this leaves security researchers in somewhat of a bind, as analysis options are limited.

Apple has promised “developer” devices, to allow independent security researchers to both audit iOS proper and analyze iOS applications (“Apple reveals special new iPhones for security researchers”). Though these phones have yet to make it into the hands of researchers (AFAIK), if/when they do, they will be hugely welcomed.

Without access to a virtualization solution, we’re ‘stuck’ performing our analysis of ToTok on a jailbroken phone. Luckily, thanks to the incredible checkra1n (built on the unpatchable checkm8 bootrom bug), we can jailbreak, and thus analyze iOS applications on, even recent versions of iOS!

Assuming you have access to a vulnerable device (A7 through A11 chips, i.e. iPhone 5s through iPhone X), setting up an analysis environment is fairly straightforward, and is detailed in “From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13”:

Jailbreak with checkra1n (which installs Cydia)

Set up iproxy

Install other tools such as Frida, etc.

Hooray! You’re now able to begin analyzing iOS applications on your (jailbroken) iOS device.

Analyzing ToTok

Now, let’s take a peek at ToTok application.

As this is more of a basic triage (vs. a full-fledged analysis) our goals will be:

decrypting the application

decrypting (and monitoring) its network traffic

First, we install the ToTok application on our jailbroken iOS device:

It will end up in the /private/var/containers/Bundle/Application folder ( <UUID>/ToTok.app ):

As noted, the main application binary will be encrypted (via Apple’s FairPlay DRM). We can confirm this by dumping the load commands of the application’s binary (ToTok.app/ToTok) and observing the presence of an LC_ENCRYPTION_INFO_64 command whose cryptid is 1 (a decrypted binary either lacks the command or carries cryptid 0):

$ otool -Vl ToTok.app/ToTok
...
Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 253952
    cryptsize 4096
      cryptid 1
          pad 0

For more information about iOS App encryption, see: “Copy Protection Overview”

We’ll shortly discuss how to fully decrypt the application, but for now there are still lots of unencrypted files to peek at.

Most notably, we can examine the application’s Info.plist file. It’s rather large, but here’s various pieces of it:

$ cat ToTok.app/Info.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ... >
<plist version="1.0">
<dict>
  <key>MinimumOSVersion</key>
  <string>13.0</string>
  <key>CFBundleIdentifier</key>
  <string>ai.totok.videochat</string>
  <key>UIBackgroundModes</key>
  <array>
    <string>audio</string>
    <string>fetch</string>
    <string>remote-notification</string>
    <string>voip</string>
  </array>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
  <key>CFBundleLocalizations</key>
  <array>
    <string>en</string>
    <string>Arabic</string>
    <string>zh_CN</string>
    <string>zh_TW</string>
  </array>
  <key>FacebookAppID</key>
  <string>1454446651523910</string>
  <key>NSMicrophoneUsageDescription</key>
  <string>Allow ToTok to access Microphone to make voice messages and voice/video calls</string>
  <key>NSCalendarsUsageDescription</key>
  <string>Allow ToTok to access Calendar to remind you of ToTok Event</string>
  <key>NSLocationWhenInUseUsageDescription</key>
  <string>Your location is required for providing local weather informatio</string>
  <key>NSPhotoLibraryAddUsageDescription</key>
  <string>Allow ToTok to access Gallery to send/save pictures</string>
  <key>NSContactsUsageDescription</key>
  <string>Allow ToTok to read Contacts to find your friends who is using ToTok now</string>
  <key>NSSiriUsageDescription</key>
  <string>You can use Siri to call your ToTok contacts directly.</string>
  <key>NSCameraUsageDescription</key>
  <string>Allow ToTok to access Camera to take photos and videos</string>
  ...

Some observations include:

The presence of UIBackgroundModes tells iOS that the app should (continue) running in the background, here for audio, background fetch, push notifications, and VoIP.

Read more about UIBackgroundModes in Apple’s documentation.

The NSAppTransportSecurity / NSAllowsArbitraryLoads keys disable App Transport Security (ATS) for the whole app: iOS will then let it transmit data over plaintext HTTP and will relax the TLS requirements ATS normally enforces.

Read more about NSAllowsArbitraryLoads in Apple’s documentation.

The CFBundleLocalizations array contains localizations for English, Simplified Chinese (zh_CN), Traditional Chinese (zh_TW), and Arabic.

The FacebookAppID ( 1454446651523910 ) appears to be tied to a company named ‘Yeecall’ (more on this later!)

The presence of various *UsageDescription key/value pairs tells iOS what to display when the app requests the corresponding permission (an app that touches such data without the matching key is terminated by iOS).

Here we see that ToTok is interested in: the microphone, calendar, location, photos, contacts, Siri integration, and camera.





Explicit user approval is required in order for ToTok to be able to access the mic/camera and user information (photos, location, etc.). …however such access is required for the “legitimate” functionality of the app, and thus most users will allow it.
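The plist checks above are the kind of thing worth scripting, since every app triage starts with the same handful of keys. Here is a small Python triage script (an added example, not code from this post or from ToTok): it loads an Info.plist with the standard-library plistlib (XML or binary), and reports background modes, the ATS setting (including per-domain NSExceptionAllowsInsecureHTTPLoads exceptions) and every *UsageDescription key. The embedded plist is a constructed excerpt of the keys shown above, trimmed for brevity; the key-to-permission map and the list of “sensitive” background modes are my own.

```python
import plistlib

# Constructed sample: an excerpt of the keys shown above, not the full Info.plist.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>ai.totok.videochat</string>
  <key>UIBackgroundModes</key>
  <array>
    <string>audio</string><string>fetch</string>
    <string>remote-notification</string><string>voip</string>
  </array>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
  <key>NSContactsUsageDescription</key>
  <string>Allow ToTok to read Contacts to find your friends who is using ToTok now</string>
  <key>NSLocationWhenInUseUsageDescription</key>
  <string>Your location is required for providing local weather informatio</string>
  <key>NSMicrophoneUsageDescription</key>
  <string>Allow ToTok to access Microphone to make voice messages and voice/video calls</string>
</dict>
</plist>
"""

# Usage-description keys -> the data or hardware the app can ask for (my own map).
USAGE_KEYS = {
    "NSContactsUsageDescription": "contacts",
    "NSCalendarsUsageDescription": "calendar",
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSLocationWhenInUseUsageDescription": "location (when in use)",
    "NSLocationAlwaysUsageDescription": "location (always)",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location (always)",
    "NSPhotoLibraryUsageDescription": "photo library (read)",
    "NSPhotoLibraryAddUsageDescription": "photo library (write)",
    "NSSiriUsageDescription": "siri",
}

# Background modes that keep an app alive (and collecting) while not on screen.
SENSITIVE_BG_MODES = {"audio", "voip", "location", "fetch", "remote-notification"}


def triage_info_plist(data: bytes) -> dict:
    """Parse an Info.plist (XML or binary) and summarise its security-relevant declarations."""
    plist = plistlib.loads(data)
    findings = []

    bg_modes = list(plist.get("UIBackgroundModes", []))
    risky = sorted(set(bg_modes) & SENSITIVE_BG_MODES)
    if risky:
        findings.append("runs in background via UIBackgroundModes: " + ", ".join(risky))

    ats = plist.get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    if arbitrary:
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled, plaintext HTTP allowed app-wide")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS exception permits insecure HTTP to {domain}")

    permissions = []
    for key in plist:
        if key.endswith("UsageDescription"):
            permissions.append(USAGE_KEYS.get(key, key))  # unknown keys are kept verbatim
    if permissions:
        findings.append("may request access to: " + ", ".join(sorted(permissions)))

    return {
        "bundle_id": plist.get("CFBundleIdentifier"),
        "background_modes": bg_modes,
        "ats_arbitrary_loads": arbitrary,
        "permissions": sorted(permissions),
        "findings": findings,
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_INFO_PLIST
    for line in triage_info_plist(blob)["findings"]:
        print("-", line)
```

Point it at ToTok.app/Info.plist from the dumped bundle; because plistlib detects the format, the binary plist that ships in the .app works as well as the XML shown above.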

Before we decrypt the binary to perform static analysis, let’s analyze ToTok ’s network traffic.

Network Traffic

Rather unsurprisingly, ToTok’s network communications are all encrypted via SSL/TLS. Moreover, the application performs certificate pinning in an attempt to complicate MiTM attacks. However, when performing local analysis (on a jailbroken device) neither of these is really an obstacle.

First, we set up a remote proxy (say on your MacBook). Then on the iOS device (under the Wi-Fi network settings), we specify the address of our proxy to instruct iOS to route its HTTP(S) traffic through said proxy. (Note that a system proxy only captures traffic from code that honors it; anything the app sends over raw sockets, such as the VoIP media itself, will not show up here.) I personally use the Charles proxy application (though Burp would work as well).

“Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.” -https://www.charlesproxy.com/

There are several detailed tutorials online that describe how to set up and configure a proxy in order to view (even SSL’d) traffic coming off your iOS device:

Charles Proxy Tutorial for iOS

Using Charles as SSL Proxy on iOS

In short, we need to install and trust the proxy’s (Charles’) CA certificate on the iOS device (install the profile, then enable full trust for it under Settings > General > About > Certificate Trust Settings):

As noted, ToTok uses SSL pinning in order to improve the security of its network communications, which means that the application will reject the proxy’s certificate and connections will fail.

For more information on SSL pinning, read: “Preventing Man-in-the-Middle Attacks in iOS with SSL Pinning”

Luckily, it’s fairly easy to locally bypass this (so that we can sniff all of ToTok’s traffic) by installing and configuring SSL Kill Switch 2, which hooks the system’s TLS trust evaluation so that the proxy’s certificate is accepted. (It only covers apps that use Apple’s TLS stack; an app that pins via its own bundled TLS library would need a custom Frida hook instead.)

Now we’re all set to sniff ToTok ’s encrypted traffic!

Firing up the app, we’re able to observe the (now decrypted) traffic:

The majority of the application’s traffic routes thru the capi.im.totok.ai server. The server uses a self-signed certificate (SHA-256: C9 27 30 CC D5 FE C0 46 3D E8 5A A6 6D FA AB 2F 3B 92 4E 04 C5 1E 0B 6F A4 31 FE 78 33 48 B5 74 ), with the issuing country set to AE (United Arab Emirates):

I’ve uploaded two (decrypted) traffic captures (format: Charles Proxy “sessions”). Download: Traffic.zip

The network traffic is fairly standard for what we’d expect to see in a fully-featured chat application. Here we’ll peruse some of the requests.

When the app first launches, it makes various GET requests to capi.im.totok.ai .

For example:

https://capi.im.totok.ai/uc/state/AABqbEEgqCA=/white? n=cJECAUMZzcI=&c=iJXfhRcO4JU=&did=3yDQkh1qf8iai1UKOGNUnr8sJIo=&model=iPhone &pkg=ai.totok.videochat&clientver=1.2.9&loc=en-US_US

Breaking out the parameters:

n: cJECAUMZzcI=

c: iJXfhRcO4JU=

did: 3yDQkh1qf8iai1UKOGNUnr8sJIo=

model: iPhone

pkg: ai.totok.videochat

clientver: 1.2.9

loc: en-US_US

The server simply responds with:

{ "response": { "white": false }, "responseHeader": { "status": 200, "version": "1.0" } }

Another GET request, also to capi.im.totok.ai, goes to the /api/idc/find API endpoint, which returns:

{
  "response": {
    "uc": "capi.im.totok.ai",
    "pfm": "capi.im.totok.ai",
    "doodle": "in.debug.yeecall.com:8080",
    "uc_ssl": "capi.im.totok.ai",
    "pfm_ssl": "capi.im.totok.ai",
    "doodle_ssl": "capi.im.totok.ai",
    "idcIdx": 1,
    "wallet_ssl": "capi.im.totok.ai"
  },
  "responseHeader": {
    "status": 200,
    "version": "1.0"
  }
}

…another reference to yeecall (and a debug host, no less, returned as the non-SSL “doodle” endpoint).

Moving on, after verifying the user, the application downloads the user’s profile picture from https://ucdefault-sg.oss-ap-southeast-1.aliyuncs.com/

The aliyuncs.com domain belongs to Alibaba Cloud; this is an Object Storage Service (OSS) bucket in its ap-southeast-1 (Singapore) region.

If the user has authorized ToTok to access their contacts, the app then uploads the entire address book via a POST request (to a generic “report” endpoint, with the event type contact):

https://capi.im.totok.ai/log/report/report?n=cJECAUy9BHI=&c=iJXfhRiqKSU=&did=3yDQkh1qf8iai1UKOGNUnr8sJIo=&model=...

{
  "appver": "1.2.9",
  "os": "iOS",
  "time": 1576888571519.1421,
  "app": "ToTok",
  "event": "contact",
  "uid": "AAAAAs7FxJY=",
  "data": {
    "version": "1.0",
    "contacts": [{
      "familyName": "Smith",
      "birthday": 0,
      "modifyDate": 1576134814000,
      "nickname": "",
      "displayName": "John Smith",
      "organizationName": "Apple",
      "departmentName": "",
      "namePrefix": "",
      "nameSuffix": "",
      "id": 1,
      "primaryIDs": [{ "value": "(808) 265-3214", "label": "_$!<Home>!$_" }],
      "middleName": "",
      "jobTitle": "",
      "contactType": 0,
      "note": "",
      "phoneticMiddleName": "",
      "phoneticGivenName": "",
      "emailAddresses": [],
      "createDate": 1576134814000,
      "phoneticFamilyName": "",
      "givenName": "John"
    }, {
      "familyName": "Turner",
      "birthday": 0,
      "modifyDate": 1576136649000,
      "nickname": "",
      "displayName": "Tina Turner",
      "organizationName": "Apple",
      "departmentName": "",
      "namePrefix": "",
      "nameSuffix": "",
      "id": 2,
      "primaryIDs": [{ "value": "(814) 523-4155", "label": "_$!<Home>!$_" }],
      "middleName": "",
      "jobTitle": "",
      "contactType": 0,
      "note": "",
      "phoneticMiddleName": "",
      "phoneticGivenName": "",
      "emailAddresses": [],
      "createDate": 1576136649000,
      "phoneticFamilyName": "",
      "givenName": "Tina"
    }]
  },
  "language": "en",
  "network": "WiFi",
  "osver": "13.1.3"
}

The argument could be made that this is simply (user-approved) “legitimate” functionality of the application, used to connect users with their friends 😬

If media content such as images is transmitted between users, this generates a POST request (with the contents of the file) to https://capi.im.totok.ai/pfm/up/AABqbEEgqCA=/sendtouser to upload the content. The server responds with information about the successful upload:

{
  "response": {
    "download": {
      "url": "https://capi.im.totok.ai/pfm/download/file?fid=5dfe1lqtkl9555884b0b0001ae7119 ...
      "size": 81664,
      "fid": "5dfe1lqtkl9555884b0b0001ae7119",
      "md5": "a3b89da4ccb998ef9fa66fb11bafcfa1"
    }
  },
  "responseHeader": {
    "status": 200,
    "version": "1.0"
  }
}

Prior to upload, it appears that the item (here, an image) is both encrypted and compressed (the body bears no recognizable image or archive header):

00000000 73 d6 6d 3c be 5a d0 43 b6 cb 23 b1 46 b2 c2 b7 |s.m

At this time, it is unknown if the application utilizes end-to-end encryption …or (if so) whether said encryption is sufficient. ToTok’s privacy policy does state: “Messages: all data is stored heavily encrypted so that local ToTok engineers or physical intruders cannot get access.” …but this seems to only address “stored” data, and says nothing about whether the server can read messages in transit.
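How would one actually back up the “encrypted and compressed” observation? Two cheap checks: look for a known file or compression header at the start of the body, and, if there is none, measure the byte entropy. The following Python (an added example, not part of the original post) does both. The sample inputs are constructed: repetitive text, its zlib output, and the same data under a toy SHA-256 keystream that stands in for a real cipher and says nothing about ToTok’s actual scheme. Note that the 16 bytes shown in the hexdump above are far too few for an entropy estimate, so the verdict on them is deliberately “too short to judge”; run it on the full body from the traffic capture.

```python
import hashlib
import math
import zlib

# Magic bytes for formats an upload body might legitimately start with.
KNOWN_HEADERS = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"\x1f\x8b", "gzip"),
    (b"\x78\x01", "zlib"), (b"\x78\x9c", "zlib"), (b"\x78\xda", "zlib"),
    (b"PK\x03\x04", "zip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_blob(data: bytes) -> str:
    """Rough verdict on what an opaque upload body is."""
    for magic, name in KNOWN_HEADERS:
        if data.startswith(magic):
            return name
    if len(data) < 256:
        return "too short to judge"
    h = shannon_entropy(data)
    if h > 7.5:
        return "opaque: encrypted (or compressed then encrypted)"
    if h > 6.0:
        return "opaque: possibly compressed without a standard header"
    return "low entropy: plaintext or structured data"


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for a real cipher (SHA-256 in counter mode). Demo only."""
    out = bytearray()
    for block_no in range(0, len(data), 32):
        ks = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no:block_no + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


# Constructed inputs: repetitive text, its zlib form, and data under the toy cipher.
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 200
COMPRESSED = zlib.compress(PLAIN)
ENCRYPTED = _keystream_xor(COMPRESSED + PLAIN[:4096], b"demo-key")

# The first 16 bytes of ToTok's upload body, as shown in the hexdump above.
TOTOK_UPLOAD_PREFIX = bytes.fromhex("73d66d3cbe5ad043b6cb23b146b2c2b7")

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("zlib", COMPRESSED),
                        ("cipher", ENCRYPTED), ("totok prefix", TOTOK_UPLOAD_PREFIX)]:
        print(f"{label:12s} {len(blob):6d} bytes  H={shannon_entropy(blob):.2f}  {classify_blob(blob)}")
```

The header check runs first on purpose: compressed data also scores near 8 bits/byte, so entropy alone cannot separate “compressed” from “encrypted”. A high-entropy body with no header is consistent with encryption (possibly of compressed data), which is all the capture lets us say.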

Finally, if the user has authorized ToTok to utilize location services, the app will make a request to meiduoyun.ws.amberweather.com :

https://meiduoyun.ws.amberweather.com/api/v1/weather?appid=12027&lang=en&lat=25.276987&lon=55.296249&pkg=ai.totok.videochat...

Note this request contains the user’s exact geo-coordinates (lat=25.276987&lon=55.296249, six decimal places, i.e. sub-meter precision; these particular coordinates are in Dubai), handed to a third-party weather service.
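The requests above are interesting because of what they carry, not how they look. Here, as an added example (not the post’s own tooling), is a Python pass over captured requests that flags the three things found in this capture: plaintext-HTTP destinations (relevant given NSAllowsArbitraryLoads), query strings carrying high-precision coordinates, and JSON bodies containing address-book style records with phone numbers. The sample capture is constructed from the requests shown above with identifiers abbreviated; to run it on real data, export the Charles session as (method, url, body) tuples.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# North-American style numbers as they appear in the capture, e.g. "(808) 265-3214".
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Query-parameter pairs that carry a position.
COORD_PARAMS = [("lat", "lon"), ("lat", "lng"), ("latitude", "longitude")]


def _decimals(value: str) -> int:
    return len(value.split(".", 1)[1]) if "." in value else 0


def _walk(node):
    """Yield every node of a parsed JSON document, depth first."""
    yield node
    if isinstance(node, dict):
        for child in node.values():
            yield from _walk(child)
    elif isinstance(node, list):
        for child in node:
            yield from _walk(child)


def count_contacts(doc) -> int:
    """Count address-book style records (name fields plus a phone number) in a JSON body."""
    count = 0
    for node in _walk(doc):
        if not isinstance(node, dict):
            continue
        named = "displayName" in node or {"givenName", "familyName"} <= node.keys()
        if named and PHONE_RE.search(json.dumps(node)):
            count += 1
    return count


def triage_request(method: str, url: str, body=None) -> list:
    """Return human-readable findings for one captured HTTP request."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or "?"
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}

    if parts.scheme == "http":
        findings.append(f"plaintext HTTP to {host}")

    for lat_key, lon_key in COORD_PARAMS:
        if lat_key in params and lon_key in params:
            lat, lon = params[lat_key], params[lon_key]
            precision = min(_decimals(lat), _decimals(lon))
            if precision >= 3:  # 3 decimals is already ~100 m; 6 is sub-metre
                findings.append(
                    f"precise geo-coordinates ({lat},{lon}; {precision} decimal places) sent to {host}")

    if body:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if doc is not None:
            n = count_contacts(doc)
            if n:
                findings.append(
                    f"address-book upload: {n} contact(s) with phone numbers in {method} to {host}{parts.path}")
    return findings


def triage_capture(requests) -> list:
    """Run triage_request over (method, url, body) tuples; one findings list per request."""
    return [triage_request(m, u, b) for m, u, b in requests]


# Constructed sample capture, modelled on the requests shown above (identifiers abbreviated).
SAMPLE_CONTACT_REPORT = json.dumps({
    "appver": "1.2.9", "os": "iOS", "app": "ToTok", "event": "contact", "uid": "AAAAAs7FxJY=",
    "data": {"version": "1.0", "contacts": [
        {"familyName": "Smith", "givenName": "John", "displayName": "John Smith",
         "primaryIDs": [{"value": "(808) 265-3214", "label": "_$!<Home>!$_"}], "emailAddresses": []},
        {"familyName": "Turner", "givenName": "Tina", "displayName": "Tina Turner",
         "primaryIDs": [{"value": "(814) 523-4155", "label": "_$!<Home>!$_"}], "emailAddresses": []},
    ]},
})

SAMPLE_REQUESTS = [
    ("GET", "https://capi.im.totok.ai/uc/state/AABqbEEgqCA=/white?n=cJECAUMZzcI=&did=3yDQkh1qf8iai1UKOGNUnr8sJIo="
            "&model=iPhone&pkg=ai.totok.videochat&clientver=1.2.9&loc=en-US_US", None),
    ("POST", "https://capi.im.totok.ai/log/report/report?n=cJECAUy9BHI=&did=3yDQkh1qf8iai1UKOGNUnr8sJIo=",
     SAMPLE_CONTACT_REPORT),
    ("GET", "https://meiduoyun.ws.amberweather.com/api/v1/weather?appid=12027&lang=en"
            "&lat=25.276987&lon=55.296249&pkg=ai.totok.videochat", None),
]

if __name__ == "__main__":
    for (method, url, _), findings in zip(SAMPLE_REQUESTS, triage_capture(SAMPLE_REQUESTS)):
        print(method, urlsplit(url).path, "->", findings or "nothing notable")
```

The contact detector is deliberately structural (name fields plus a phone-looking string in the same object) rather than keyed to ToTok’s field names, so it also catches the same upload in another app’s schema; the coordinate check keys on precision, since a city-level lat/lon for weather is defensible while six decimals is not.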

App Decryption

In order to perform static analysis of ToTok , we need to decrypt its application binary.

To decrypt the application binary on our jailbroken analysis device, we use Clutch, a “high-speed iOS decryption tool.” This utility takes the bundle ID of the iOS application to decrypt (e.g. ai.totok.videochat), relies on iOS having decrypted the executable in memory when the app runs, writes those decrypted pages back into a copy of the binary (clearing cryptid), and outputs a (fully) decrypted .ipa!

root# Clutch -d ai.totok.videochat
Clutch[10196:1254709] command: Dump specified bundleID into .ipa file
Zipping ToTok.app
Dumping (arm64)
Patched cryptid (64bit segment)
Dumping (arm64)
...
Successfully dumped framework ToTokCommonBase!
Dumping arm64
Successfully dumped framework PINRemoteImage!
Dumping arm64
Dumping arm64
...
Zipping ToTokCommonBase.framework
Zipping External.framework
Zipping ToTok3rdSDK.framework
Zipping ShareExtension.appex
DONE: /private/var/mobile/Documents/Dumped/ai.totok.videochat-iOS13.0-(Clutch-(null)).ipa
Finished dumping ai.totok.videochat in 9.3 seconds
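To make the cryptid check (from the otool output earlier) and Clutch’s “Patched cryptid” step concrete, here is a Python Mach-O load-command walker (an added example, not Clutch’s code): it finds LC_ENCRYPTION_INFO(_64), reports whether cryptid is set, and can clear it the way a dumper does after writing the decrypted pages back into the file. By default it operates on a constructed minimal arm64 image carrying the cryptoff/cryptsize values otool printed above; pass the path of a real (thin) Mach-O to check one of your own.

```python
import struct
import sys

MH_MAGIC = 0xFEEDFACE        # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit, little-endian
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)
LC_UUID = 0x1B
LC_ENCRYPTION_INFO = 0x21    # 20-byte command, 32-bit images
LC_ENCRYPTION_INFO_64 = 0x2C # 24-byte command (trailing pad), 64-bit images


def _header_size(magic: int) -> int:
    if magic == MH_MAGIC_64:
        return 32
    if magic == MH_MAGIC:
        return 28
    if magic in FAT_MAGICS:
        raise ValueError("fat binary: split it with lipo -thin first")
    raise ValueError("not a little-endian Mach-O image")


def iter_load_commands(data: bytes):
    """Yield (cmd, offset, cmdsize) for every load command, bounds-checked."""
    (magic,) = struct.unpack_from("<I", data, 0)
    offset = _header_size(magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = offset + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > len(data):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command")
        yield cmd, offset, cmdsize
        offset += cmdsize


def encryption_info(data: bytes):
    """Return the LC_ENCRYPTION_INFO(_64) fields, or None if the image has none."""
    for cmd, offset, _ in iter_load_commands(data):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return {"cmd": cmd, "offset": offset, "cryptoff": cryptoff,
                    "cryptsize": cryptsize, "cryptid": cryptid}
    return None


def is_fairplay_encrypted(data: bytes) -> bool:
    info = encryption_info(data)
    return info is not None and info["cryptid"] != 0


def patch_cryptid(data: bytes) -> bytes:
    """Clear cryptid, as a dumper does after writing the decrypted pages back.

    On its own this only flips the flag: the bytes in [cryptoff, cryptoff+cryptsize)
    must already have been replaced with the decrypted copy read from a running process."""
    info = encryption_info(data)
    if info is None:
        raise ValueError("image has no LC_ENCRYPTION_INFO command")
    patched = bytearray(data)
    struct.pack_into("<I", patched, info["offset"] + 16, 0)  # cryptid sits 16 bytes in
    return bytes(patched)


def build_sample(cryptid=1, with_encryption=True) -> bytes:
    """Constructed minimal arm64 image: LC_UUID plus (optionally) LC_ENCRYPTION_INFO_64
    carrying the values otool printed for ToTok (cryptoff 253952, cryptsize 4096)."""
    cmds = struct.pack("<II16s", LC_UUID, 24, bytes(16))
    if with_encryption:
        cmds += struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 253952, 4096, cryptid, 0)
    cpu_arm64, mh_execute = 0x0100000C, 2
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cpu_arm64, 0, mh_execute,
                         2 if with_encryption else 1, len(cmds), 0, 0)
    return header + cmds + bytes(64)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(encryption_info(blob), "encrypted" if is_fairplay_encrypted(blob) else "not encrypted")
```

Running it on the Clutch output (ToTok from the dumped .ipa) should report cryptid 0, while the binary still sitting in /private/var/containers/Bundle/Application reports cryptid 1; App Store binaries are thin arm64 today, so the fat-binary case is only an error path here.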

Another option to dump the (decrypted) application from memory is Fridump, which uses Frida to read the running process’s memory ranges. If run with the -s option, it will also run strings on all the dumped files:

patrick$ python fridump.py -U -s ToTok
Current Directory: /Users/patrick/Downloads/fridump-master
Output directory is set to: /Users/patrick/Downloads/fridump-master/dump
Creating directory...
Starting Memory dump...
Running strings on all files:
Progress: [##################################################] 100.0% Complete
Finished!

For a tutorial on using Fridump, checkout: “Fridump – iOS Examples”

Either way, we now have a decrypted application bundle and can poke around at the app’s binary code.

As the application (and its frameworks) are a massive 25MB+, due to time constraints our analysis is limited. However, I’ve uploaded the unencrypted ToTok.ipa if you’d like to dig more!

When analyzing a binary, one of the first steps is to extract embedded strings (via strings) and Objective-C class information (via class-dump). This can often shed significant insight into the capabilities of the binary and/or reveal other interesting content.

Digging thru ToTok’s strings and classes we gain some potential insight into its possible origins. First, embedded source-file paths (which typically end up in a binary via assertion or logging macros that record __FILE__) reference a “YeeCall” project directory:

/Users/jiangyaguang/Downloads/totok/YeeCall/Classes/TKSystemInfo.m
/Users/jiangyaguang/Downloads/totok/YeeCall/Classes/Call/TKCallSessionViewController.m

patrick$ class-dump ToTok.app/ToTok
@interface YeecallContact : NSManagedObject
{
}
@interface YeecallReminder : NSManagedObject
{
}
@interface YeeCallSecurityPolicy : AFSecurityPolicy
{
}

As previously noted, we uncovered other ties to YeeCall. Based on these embedded strings it’s relatively clear that ToTok is largely composed of code from YeeCall. According to CrunchBase, YeeCall is “a software company that has developed Yeecall messenger app for video & voice calling.” It is rather unsurprising that ToTok is simply based on existing code/a product (vs. written entirely from scratch).

It’s possible that “Breej Holding Ltd” (the “publisher” of the iOS app) simply contracted or licensed existing code from “YeeCall” to create the ToTok application. This would be a simple and efficient way to quickly create a new, fully-featured application. It would also explain the rather odd CFBundleLocalizations of <string>Arabic</string>, <string>zh_CN</string>, and <string>zh_TW</string>.

Other embedded strings reveal static.totok.ai, the server which serves up static content for the app (images, icons, etc.). The server appears to be misconfigured (directory listing enabled), and as such, browsing to its root reveals a listing of all hosted files:

Who Done It?

Before wrapping up, let’s briefly discuss who may be behind this application, as in a way, that’s the most pressing question.

First, it’s rather clear that “Breej Holding Ltd” is not an actual iOS developer or publishing company:

“A technical analysis and interviews with computer security experts showed that the firm behind ToTok, Breej Holding, is most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyberintelligence and hacking firm where Emirati intelligence officials” -New York Times

Though the Times does not go into (much) more detail on this claim, Bill Marczak (a research fellow at Citizen Lab) recently published an incredibly detailed report on the “corporate structure behind ToTok”:

NEW: I did a deep dive into the corporate structure behind the ToTok VoIP app. A classified US intelligence assessment (reported by NYT) says that ToTok is a spy tool developed by UAE intelligence. https://t.co/HLMcwWMCZn — Bill Marczak (@billmarczak) January 2, 2020





In his writeup, he rather decisively uncovers the many players and companies behind ToTok including those “…linked to Sheikh Tahnoon bin Zayed al-Nahyan, a ‘senior UAE intelligence official.’” 😱

The following chart, clearly visualizes these connections (image credit: Bill Marczak):

“ToTok appears to be the latest case of a digital platform surreptitiously operated by a nation state to obtain a strategic advantage in intelligence gathering.” -Bill Marczak

Conclusion

In this blog post, we triaged ToTok, an iOS application that the American intelligence community has claimed is a spy tool used by the United Arab Emirates government. 🙈

Our analysis showed that ToTok simply does what it claims to do…and really nothing more. Assuming the claims that ToTok is actually designed to spy on its users are true, this “legitimate” functionality of the app is really the genius of the whole mass surveillance operation: no exploits, no backdoors, no malware, …again, just “legitimate” functionality that likely afforded in-depth insight into a large percentage of the country’s population.

Think about it this way: …you’re a (rather surveillance-happy) foreign government who’d love to monitor your citizens.

In five easy steps:

Ban popular apps such as WhatsApp and Skype.

Create a free alternative app that provides this banned functionality.

Submit the app to the iOS App Store, where it’s readily approved by Apple.

Create fake reviews & social media posts that recommend the application.

Wait as the citizens of your country readily embrace the app and its popularity soars.

…hooray! Now you have access to users’ address books, chats, location and more, in a completely “legitimate”, Apple-approved manner!

Such collection provides a sufficient “phase 1” (much like the NSA’s bulk metadata collection program) of a more comprehensive intelligence operation. Once you know who’s talking to whom, and perhaps even what they are saying, you can identify specific individuals of interest and target them with more advanced capabilities. This “phase 2” includes more traditional offensive cyber-operations, which are far more targeted, stealthy, and invasive. However, such a phase is far more expensive and difficult to scale, and thus requires a sufficient “phase 1” component …like ToTok.

For more information on “phase 2” cyber-operations in the Middle East, check out: “Inside the UAE’s Secret Hacking Team Of American Mercenaries”