iOS 13.5
BIGO LIVE app for iOS (version 4.36.1)
Date: 06/09/20
Description:
BIGO LIVE is a live streaming app that is currently #35 in the social media networking section of the Apple App Store. I had to do
a little research to find out more about this company.
According to
an article I stumbled across, the term "BIGO" is acronym that stands for "Before I Get Old."
However, one thing really stuck out to me after I download the app. I saw that like TikTok before it, it had an unusual set-up to share videos via Twitter. In my opinion, there appears to be a concerted effort to allow Twitter users to browse videos, and then hook them into granting third party access to their twitter accounts if user wants to simply share a video.
Take a look at what BIGO LIVE requires of people who try to either share content via Twitter, or who want to user their Twitter credentials to create an account:
Their Twitter Oauth page requires Twitter users to allow the BIGO LIVE app to
"Send Direct Messages for you and read, manage, and delete your Direct Messages."
Yikes! Full and complete access to Twitter DMs. Access to anything and everything that might be in
your average millennial's Twitter DMs is what's required to sign up for this app. Not only that, but full DM access is required to even share a video from the app to Twitter!
Here's a video of the Twitter Oauth a user (who created an account using a different method) sees when trying to share a video to Twitter from inside the BIGO LIVE app...
Last Summer, I spotted the same exact behavior and set-up with TikTok. I sent an email to TikTok corporate. I knew they would just ignore an email, so I made sure to overtly CC European based privacy regulators and American academics. And, of course, TikTok quickly removed the option and claimed that it was a mistake to even ask for the permission.
This probably will also be the case with BIGO LIVE. I will shortly draft an email to BIGO LIVE's legal department. I will make the same arguments that I did with TikTok, and i'll CC some of the same people.
So, wait and see. Perhaps these permission requirements will be changed soon. Perhaps not. We'll see.
Steps to Reproduce:
1. Download and launch the BIGO LIVE app for iOS
2. Choose the Twitter option for account creation
3. Note that the Oauth page requires read/manage/delete direct message access to Twitter DMs
OR:
1. Launch the app
2. Create an account using Google or Facebook login
3. Browse videos
4. Select the share option
5. Select Twitter
6. Head to Oauth page and notice that the app requests read/manage/delete direct message access to Twitter DMs
Result: The BIGO LIVE app for iOS requires full read/manage/delete direct message access to the Twitter direct messages of users who want to user the Twitter credentials to either create an account or share a video
Expected: The requirement of read/manage/delete access to twitter direct messages is too intrusive. I have yet to read any valid justification for a third party app requesting this access. I believe that there is even less reason for a streaming app targeted to young people to request this
