Since October 7, 2023, several social media applications have removed content related to Palestine. This shadowbanning, that continues until today, gave rise to several “digital protests” demanding an Arab-led social media application that allows free circulation of Palestine-related footage.
This demand, although legitimate, turns a blind eye to several attempts by countries in the region to promote “native” social media applications that proved to have followed less strict standards than those of Twitter and Meta when it comes to privacy policies, most of which were promoted by the UAE and KSA.
SMEX analyzed several apps that were either launched by a company from a country in the Gulf region or promoted by Gulf media. SMEX’s team has conducted a forensic analysis on each of these applications to better understand their security. The forensic analysis examines how each of the apps collects, stores, and shares our data and the potential privacy breaches these practices imply.
Kwai
Kwai, an application developed by the Chinese company Kuaishou, is a short-video platform enabling users to share videos on the app, making it a TikTok competitor with 100+ million downloads on Google Play Store.
Kwai was promoted by Saudi and Emirati media and introduced as an app that “concentrates on Arab culture,” as described by the Saudi website Arab News. The app was also promoted by Emirati Zawaya at the end of last year as “a promising Arab social media platform” claiming “it reflects culturally sound Arabic content and provides an environment that understands and takes into account Arab traditions and norms.”
Joyo Technology Pte. Ltd, the current owner and operator of Kwai, announced in March 2024 that Kwai will be launching its expansion strategy in Saudi Arabia. The strategy involves “localizing the application and customizing it to the local community in the Kingdom,” according to Riyadh Times.
According to the forensic analysis carried out by SMEX’s team, Kwai’s privacy concerns include sharing users’ data with third parties. Its privacy policy states that “the app will use your data to exercise their rights where it’s necessary to do so,” without being specific about the process, to what extent this applies, or what exactly their right in it is.
Although the app collects a vast amount of data, its policy is unclear about the type and purpose of data collection, even though it collects sensitive information such as personal data and bank account details for in-app purchases. In addition, data is not encrypted before it is stored in the app’s database, adding to the concerns of a privacy breach. Privacy best practices require that data is encrypted “at rest” to limit the impact of any potential breach.
Konur Metehan Durmaz, a policy analyst at SMEX, explains that “Kwai’s policy is problematic due to its extensive data collection practices, which are not well justified or clearly explained.”
“The app collects a broad range of data, such as battery status and Wi-Fi information, without providing a clear rationale for why this data is needed and what’s the legal basis for its collection.”
ToTok
The second app SMEX analyzed is ToTok. ToTok is an Emirati messaging app developed by G42, an Emirati AI-research company working in several domains including sports, public services, and healthcare, and introduced in 2019. The app later turned out to be a spying tool according to a New York Times report. The report led to the app’s removal from Play Store and Google Store; it was not available on Apple Store.
According to SMEX’s forensic analysis, ToTok collects device data that can be used to track and identify individual devices. If this information is tied to user accounts or other personally identifiable information (PII), it can potentially be used to track and profile individuals across different apps and services, leading to concerns about user privacy and surveillance.
The app also requires the “DISABLE_KEYGUARD” permission in Android, allowing the app to temporarily disable the device’s keyguard, i.e. the screen-lock mechanism that prevents unauthorised access to the device.
Modifying certain system settings can have significant implications for device functionality, security, and user experience. As a result, access to system settings is typically restricted and tightly controlled on Android devices. Any app that requires reading or writing system settings would likely need to request specific permissions and adhere to strict security guidelines to ensure that user privacy and device integrity are maintained.
When an application holds this permission, it can programmatically disable the keyguard, allowing access to the device without unlocking the screen using a PIN, pattern, password, or biometric authentication (e.g., fingerprint or face unlock).
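The permission review described above can be scripted. The following is an added example, not SMEX’s audit tooling: it parses an AndroidManifest.xml, lists every declared permission and flags the ones a reviewer would want justified in a messaging or social app, including DISABLE_KEYGUARD and the settings-related permissions mentioned in the text. The manifest is constructed for the demo and does not reproduce any of the analyzed apps; the set of “sensitive” permissions is this example’s own choice, not SMEX’s scoring criteria.

```python
"""Flag high-risk permissions declared in an Android manifest.

Added example (not SMEX's tooling). The sample manifest below is CONSTRUCTED
for the demo; the SENSITIVE_PERMISSIONS table is an assumed reviewer checklist.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions a reviewer would want an explicit justification for.
# Descriptions paraphrase the Android permission documentation.
SENSITIVE_PERMISSIONS = {
    "android.permission.DISABLE_KEYGUARD": "can disable the screen lock (keyguard)",
    "android.permission.WRITE_SETTINGS": "can modify system settings",
    "android.permission.WRITE_SECURE_SETTINGS": "can modify secure system settings",
    "android.permission.READ_PHONE_STATE": "exposes phone/device state identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "address book contents",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate all installed apps",
}

# Constructed manifest for a hypothetical messaging app (not a real product).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name from <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    ]


def flag_sensitive(manifest_xml: str) -> dict:
    """Map each declared sensitive permission to the reason it is flagged."""
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SENSITIVE_PERMISSIONS
    }


def permission_summary(manifest_xml: str) -> dict:
    """Counts a reviewer can put in a findings table."""
    declared = declared_permissions(manifest_xml)
    flagged = flag_sensitive(manifest_xml)
    return {
        "declared": len(declared),
        "flagged": len(flagged),
        "can_disable_keyguard": "android.permission.DISABLE_KEYGUARD" in flagged,
    }


if __name__ == "__main__":
    for perm, why in flag_sensitive(SAMPLE_MANIFEST).items():
        print(f"[FLAG] {perm}: {why}")
    print(permission_summary(SAMPLE_MANIFEST))
```

To run it against a real APK, extract the decoded manifest first (for example with `apktool d app.apk`) and pass the file contents to `flag_sensitive`. Note that Android documents DISABLE_KEYGUARD as a normal-protection-level permission, so it is granted at install time without a runtime prompt; that is exactly why a declared-permission review, rather than a look at the runtime permission dialogs, is needed to notice it.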
Baaz
Another app analyzed is Baaz, produced by Baz.Inc. Baaz was introduced as the Arabic-language version of Clubhouse, a social audio app based on communities with different interests, where users can join rooms and communities and have live conversations. The founding company is based in San Francisco and is deployed in the UAE.
Some users suspected that Baaz was a spying tool, an allegation that might be contradicted by Baz’s availability on Play Store and App Store, where applications’ security is tested before they are available to download.
Nonetheless, having headquarters in the UAE, Baaz is governed by the Emirati federal law for the protection of personal data, the “PDPL,” which entered into force on the 2nd of January 2022.
One of the major issues of the UAE’s PDPL is that the scope of governance of this law weakens its scope of protection. Among these exceptions is the exclusion of government data as the law does not apply to government entities that control or process personal data.
This means that a large part of personal data processing is not subject to privacy compliance. By excluding public sector entities from the provisions of this law, the PDPL leaves room for surveillance.
Botim
Lastly, SMEX analyzed Botim, the UAE’s most used internet-calling app, developed by Algento, a private American technology company that designs, develops, and sells mobile products and services. The app is considered a government-allowed alternative for WhatsApp’s banned video and voice calls. WhatsApp is end-to-end encrypted, making it impossible for third parties to access users’ data. On Botim, data is only encrypted while being transmitted over the internet, although the app provides users with the option to request their data deletion.
“Governments can demand access to user data or request that apps collaborate with authorities under the guise of national security or public safety,” explained Durmaz. “If an app refuses to comply, it risks being banned, making it difficult for citizens to access and use the platform freely.”
“Governments can also request from social media platforms to take specific actions related to user data or content. It is important to know that these are normal procedures for criminal investigations,” he added. “However, these government requests are based on draconian local laws and when local laws are prone to be used for censorship, these requests often turn out to carry the same purpose.”
Botim allows ads for free accounts, exposing users to malicious actors that may exploit the ad-serving infrastructure to distribute malicious advertisements, a practice known as malvertising. Clicking on a malicious ad could lead to malware infections, phishing attacks, or other security breaches on the user’s device.
According to the audit, VirusTotal suggests that the application is linked to sources that are considered malicious, based on a list of unusual links (trackers) the application uses. These trackers are often used for analytics, advertising, or marketing purposes, but they can also serve other functions such as crash reporting or user authentication.
The app mentions in its policy that it will not be responsible for the collection, storage, retrieval and safekeeping of any such data provided to third parties. Advertisers may track users’ online activities and behaviour within the communication app to create targeted advertising profiles. This tracking can lead to invasive profiling practices and compromise users’ privacy and anonymity, similar to that of Meta.
Reach or Privacy: The Eternal Dilemma
Based on the forensic analysis SMEX’s team conducted, we can derive risk levels for the aforementioned apps. The results are based on software permissions, hardware permissions, security practices, context, features and data collected. The results are listed in the table below:

Application | Total Risk (out of 22) | Risk Level
Botim       | 14                     | High
Baaz        | 15                     | High
ToTok       | 10                     | Medium to High
Kwai        | 15                     | High
Although all social media and messaging applications collect data, these apps pose significant security threats as they “might collect more data than necessary, have weaker security measures, or not provide users with sufficient control over their privacy settings,” explained Durmaz.
And as there are few messaging app options in the SWANA region that respect user privacy, internet users have no option but to use decentralized social media platforms in order to protect their data, since these platforms “operate through a network of independent servers, or ‘instances,’ each managed separately,” Durmaz added. “This means that no single company has control over all the data and interactions on the platform.”
This analysis depicts the unfortunate reality that in 22 Arabic-speaking countries, home to over 450 million people, Meta and X continue to monopolize communication platforms. If anything, the absence of regional social media platforms indicates the unwillingness of wealthy Arab countries to improve local regulations on data privacy and instil a culture of cybersecurity. Instead, these countries, namely the UAE and KSA, preferred to invest in spyware rather than communications while seeking out data collection rather than innovation. On the other hand, users are obliged to compromise their data privacy to attain a high reach on mainstream social media platforms like Meta.
Image by ESRA HACIOGLUA / NADOLU AGENCY / Anadolu via AFP
The post ToTok, Baz and Others: UAE and KSA Promote Unsafe Communication Apps appeared first on SMEX.