Watan - The digital safety advocacy platform “SMEX” has highlighted the UAE’s promotion of unsafe communication applications that violate data privacy, such as “ToTok,” “Baaz,” and “Botim,” as part of Abu Dhabi’s extensive surveillance and espionage strategy.
The platform reported that since October 7, 2023, several social media applications have removed content related to Palestine. This ongoing digital blackout has led to the emergence of “digital protests” calling for the development of an Arabic social media platform that guarantees the free exchange of content related to Palestine.
While this demand is legitimate, it overlooks the fact that certain regional governments are promoting so-called “local” social media apps that have been found to follow less strict privacy standards than companies like X (formerly Twitter) and Meta. The UAE and Saudi Arabia have promoted most of these applications.
SMEX’s Security Analysis of Gulf-Promoted Applications
The SMEX organization examined several apps launched by Gulf-based companies or promoted by Gulf media outlets. It conducted a forensic analysis of each app to assess its security, focusing on how it collects, stores, and shares user data, as well as potential privacy violations.
Kwai
The Chinese company “Kuaishou” developed Kwai, a platform that allows users to share short videos, making it a competitor to TikTok. It has over 100 million downloads on the Google Play Store.
Saudi and Emirati media outlets have promoted Kwai, branding it as a platform that “focuses on Arab culture”—as described by Saudi Arabia’s “Arab News”. Similarly, the UAE-based “Zawaya” presented Kwai at the end of last year as “a promising Arab social media platform” that provides a culturally appropriate environment aligned with Arab traditions.
In March 2024, Kwai’s parent company, Joyo Technology Pte. Ltd., announced its expansion strategy for Saudi Arabia, which includes “localizing the app to fit the Saudi community”, according to Riyadh Daily.
However, SMEX’s forensic analysis raised concerns about privacy risks associated with Kwai, including data sharing with third parties. The app’s privacy policy vaguely states that user data “will be used to exercise our rights wherever necessary” without specifying the scope or nature of these rights.
The app also collects a vast amount of user data, including personal information and banking details for in-app purchases. Additionally, data is not encrypted before being stored, increasing the risk of privacy breaches. Best practices in digital security require data encryption during storage to prevent unauthorized access.
Connor Metehan Durmaz, a policy analyst at SMEX, warned that Kwai’s data collection practices are extensive, unjustified, and lack transparency. He added that the app collects information such as battery status and Wi-Fi network details without providing clear reasons for why such data is needed or the legal basis for collecting it.
ToTok
The second app analyzed by SMEX was “ToTok”, a UAE-based messaging app developed by “G42,” an Emirati company specializing in AI research across multiple sectors, including sports, public services, and healthcare. Launched in 2019, the app was later exposed as a surveillance tool, according to a New York Times report. Following this revelation, Google removed the app from its Play Store, while it was never available on Apple’s App Store.
According to SMEX’s forensic analysis, ToTok collects device-specific data that can be used to track individual devices. If such information is linked to user accounts or other personal data, it could be used to monitor individuals and track their activities across different apps and services, raising significant privacy and surveillance concerns.
Additionally, the app requests permission to disable the security keyguard (DISABLE_KEYGUARD) on Android devices, which bypasses screen lock protections. This modification significantly affects device security, performance, and user experience.
Apps that require access to system settings or the ability to modify them must follow strict security guidelines. However, ToTok’s permission request allows it to disable the lock screen programmatically, making it possible to access the device without needing a PIN, pattern, password, or biometric authentication (fingerprint/face recognition).
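As an added example (not SMEX's tooling and not code from its report), the following Python script shows how a reviewer could check an app's decoded AndroidManifest.xml for the permission classes discussed above. It assumes the manifest has already been decoded to text XML; the sample manifest, the package name com.example.messenger and the review list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Review list (an assumption of this example), tied to the findings on this page.
REVIEW = {
    "android.permission.DISABLE_KEYGUARD": "lock screen control (ToTok finding)",
    "android.permission.WRITE_SETTINGS": "modifies system settings",
    "android.permission.READ_PHONE_STATE": "phone state, incl. device identifiers on older Android",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details (Kwai finding)",
}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"
                     android:maxSdkVersion="28"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission/>
</manifest>
"""

def audit_manifest(xml_text):
    """Return sorted (permission, concern, max_sdk) tuples for flagged permissions."""
    # For manifests from untrusted APKs, prefer the defusedxml package;
    # the standard-library parser is used here to stay dependency-free.
    root = ET.fromstring(xml_text.strip())
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(f"{{{ANDROID_NS}}}name")  # None if attribute missing
            if name in REVIEW:
                max_sdk = node.get(f"{{{ANDROID_NS}}}maxSdkVersion")
                found[name] = (name, REVIEW[name], int(max_sdk) if max_sdk else None)
    return sorted(found.values(), key=lambda item: item[0])

if __name__ == "__main__":
    for name, concern, max_sdk in audit_manifest(SAMPLE_MANIFEST):
        scope = f"up to API {max_sdk}" if max_sdk else "all API levels"
        print(f"{name}: {concern} ({scope})")
```

A flagged permission is a prompt for review rather than proof of misuse: the reviewer still has to check whether the app's stated functionality justifies it.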
Baaz
The third app analyzed was “Baaz,” developed by Baz.Inc. It was introduced as the Arab version of “Clubhouse,” a social audio app based on interest-driven groups where users can join rooms and engage in live discussions. Although Baz.Inc. is based in San Francisco, the app was launched in the UAE.
Some users have suspected Baaz of being a surveillance tool, but its availability on both Google Play and Apple’s App Store contradicts this claim, as apps undergo security checks before approval.
However, since Baaz’s developer has offices in the UAE, it falls under the UAE’s Federal Data Protection Law, which took effect on January 2, 2022. A major flaw in this law is that it exempts government-related data, meaning government agencies are not bound by the law’s privacy regulations, allowing them to engage in surveillance activities without legal restrictions.
Botim
Finally, SMEX examined “Botim,” one of the most widely used VoIP apps in the UAE. It was developed by Algento, a U.S.-based private company specializing in mobile services.
Since WhatsApp’s calling features are blocked in the UAE, Botim serves as an alternative. Unlike WhatsApp, which uses end-to-end encryption, Botim only encrypts data during transmission, meaning data stored on its servers remains vulnerable. However, the app allows users to request the deletion of their data.
According to Durmaz, governments can pressure apps to grant them access to user data under the pretext of national security or public safety. If an app refuses to comply, it risks being banned, limiting citizens’ ability to use it freely.
Moreover, Botim displays ads to free-tier users, which exposes them to malicious actors who can exploit ad structures to spread harmful content—a practice known as “malvertising”. Clicking on such ads could lead to malware infections, phishing attacks, or security breaches.
A security audit conducted by VirusTotal found that Botim is associated with suspicious links used for tracking, analytics, advertising, and crash reporting. However, its privacy policy states that the app is not responsible for how third parties collect, store, or use such data. Advertisers can track user activities within the app, creating targeted ad profiles that could lead to intrusive data profiling and privacy violations—similar to Meta’s practices.
SMEX concluded that these applications pose serious security threats, as they over-collect data, follow weak security standards, and fail to provide users with adequate control over privacy settings.
Due to the lack of privacy-respecting messaging apps in the Southwest Asia and North Africa region, users have no choice but to rely on decentralized social media platforms to protect their data.
According to Durmaz, decentralized platforms operate through independent servers (“nodes”) managed separately, meaning no single company controls all data and interactions.
SMEX criticized the UAE for prioritizing investment in spyware over social media platforms, focusing on data collection rather than innovation. Meanwhile, users are forced to sacrifice their privacy in exchange for access to a wider audience on popular social media platforms.