Showing posts with label Twitter Permissions.

Monday, September 21, 2020

KIXIFY - Buy & Sell Sneakers app for iOS: Overly intrusive Twitter permissions required to create an account

iOS 14

KIXIFY - Buy & Sell Sneakers app for iOS (version 3.0.1)

Date: 09/21/20

Description:

Not sure what it is with sneaker apps, but they sure do love to require extremely intrusive permissions from Twitter in order to create an account using Twitter credentials.

Take a look at the Twitter OAuth page that KIXIFY presents in order to create an account:

Take a look: "Send Direct Messages for you and read, manage, and delete your Direct Messages."

That's ridiculous, and no app that sells sneakers needs this level of access.

Steps to Reproduce:

1. Download and launch the KIXIFY app for iOS

2. Select the "Sign in with Twitter" option

3. From the OAuth page, scroll down and note that "read, manage, and delete" permissions for Direct Messages are a requirement

Result: the KIXIFY app requires Twitter users to grant the app read, manage and delete access to Direct Messages in order to use Twitter credentials to create an account

Expected: "read, manage, and delete" access to Direct Messages should NOT be required of Twitter users who use their account credentials to create an account on KIXIFY

Select the "SIGN IN WITH TWITTER" option...


Scroll down and check the permissions.



Tuesday, June 9, 2020

BIGO LIVE for iOS: BIGO LIVE's Privacy Policy and Terms and Conditions links are dead on Twitter OAuth page

iOS 13.5
BIGO LIVE for iOS (version
Date: 06/09/20

Description:

I just wrote about what I believe to be the overly intrusive Twitter permissions requested by the BIGO LIVE app for iOS.

There's another issue. When a user leaves the iOS app for BIGO LIVE's Twitter OAuth page, there are two dead links: BIGO LIVE's "Privacy Policy" and "Terms and Conditions" links on the OAuth page do not work.

Take a look at this screenshot:

The arrows in the screenshot are pointing to two dead links. These links are supposed to link to BIGO LIVE's Privacy Policy and Terms and Conditions. This is provided as one last opportunity for the user to browse these conditions, before handing over authorization for BIGO LIVE to access the user's Twitter account.

These links really should be working. The fact that they are not working when the app is asking for such intrusive access is troubling.

Steps to Reproduce:

1. Download the app
2. Choose the Twitter option to create an account
3. From BIGO LIVE's Twitter OAuth page, click on the "Privacy Policy" or "Terms and Conditions" links

Result: The "Privacy Policy" and "Terms and Conditions" links on BIGO LIVE's Twitter OAuth login page do not work - they do not link to BIGO LIVE's legal information

Expected: The "Privacy Policy" and "Terms and Conditions" links on BIGO LIVE's Twitter OAuth login page really should be working

BIGO LIVE app for iOS: Overly intrusive Twitter permissions required to create an account or share content

iOS 13.5
BIGO LIVE app for iOS (version 4.36.1)
Date: 06/09/20

Description:

BIGO LIVE is a live streaming app that is currently #35 in the social media networking section of the Apple App Store. I had to do a little research to find out more about this company.

According to an article I stumbled across, the term "BIGO" is an acronym that stands for "Before I Get Old."

However, one thing really stuck out to me after I downloaded the app. I saw that, like TikTok before it, it had an unusual set-up to share videos via Twitter. In my opinion, there appears to be a concerted effort to allow Twitter users to browse videos, and then hook them into granting third-party access to their Twitter accounts if the user wants to simply share a video.

Take a look at what BIGO LIVE requires of people who try to either share content via Twitter, or who want to use their Twitter credentials to create an account:

Their Twitter OAuth page requires Twitter users to allow the BIGO LIVE app to "Send Direct Messages for you and read, manage, and delete your Direct Messages."

Yikes! Full and complete access to Twitter DMs. Access to anything and everything that might be in your average millennial's Twitter DMs is what's required to sign up for this app. Not only that, but full DM access is required to even share a video from the app to Twitter!

Here's a video of the Twitter OAuth page a user (who created an account using a different method) sees when trying to share a video to Twitter from inside the BIGO LIVE app...




Last summer, I spotted the exact same behavior and set-up with TikTok. I sent an email to TikTok corporate. I knew they would just ignore an email, so I made sure to overtly CC European-based privacy regulators and American academics. And, of course, TikTok quickly removed the option and claimed that it was a mistake to even ask for the permission.

This probably will also be the case with BIGO LIVE. I will shortly draft an email to BIGO LIVE's legal department. I will make the same arguments that I did with TikTok, and I'll CC some of the same people.

So, wait and see. Perhaps these permission requirements will be changed soon. Perhaps not. We'll see.

Steps to Reproduce:

1. Download and launch the BIGO LIVE app for iOS
2. Choose the Twitter option for account creation
3. Note that the OAuth page requires read/manage/delete access to Twitter DMs

OR:

1. Launch the app
2. Create an account using Google or Facebook login
3. Browse videos
4. Select the share option
5. Select Twitter
6. On the OAuth page, notice that the app requests read/manage/delete access to Twitter DMs

Result: The BIGO LIVE app for iOS requires full read/manage/delete access to the Twitter Direct Messages of users who want to use their Twitter credentials to either create an account or share a video

Expected: The requirement of read/manage/delete access to Twitter Direct Messages is too intrusive. I have yet to read any valid justification for a third-party app requesting this access. I believe that there is even less reason for a streaming app targeted at young people to request it.
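The two use cases in this post, signing in and sharing a video, need different Twitter permission levels. As an added example (not code from the blog or from BIGO LIVE), the following script audits the capability list shown on a Twitter authorize page against the level each use case actually needs; the Direct Message phrases come from the posts, while the remaining phrases and the sample page are assumed wording.

```python
from enum import IntEnum

class Level(IntEnum):
    """Twitter app permission levels, lowest to highest."""
    READ_ONLY = 1
    READ_WRITE = 2
    READ_WRITE_DM = 3

# Capability phrases from the authorize page, mapped to the lowest level that
# grants them. Only the Direct Message phrases are quoted in the posts; the
# "read" and "write" phrases are assumed wording.
PHRASE_LEVELS = {
    "see tweets from your timeline": Level.READ_ONLY,
    "follow and unfollow accounts": Level.READ_WRITE,
    "update your profile": Level.READ_WRITE,
    "post and delete tweets": Level.READ_WRITE,
    "send direct messages for you": Level.READ_WRITE_DM,
    "read, manage, and delete your direct messages": Level.READ_WRITE_DM,
    "full access to direct messages": Level.READ_WRITE_DM,
}

# Least privilege for the two use cases in the post: signing in only needs
# read access to identify the user; sharing a video also needs write access.
NEEDED = {"sign_in": Level.READ_ONLY, "share_video": Level.READ_WRITE}

def requested_level(page_lines):
    """Highest permission level implied by the capabilities the page lists."""
    level = Level.READ_ONLY
    for line in page_lines:
        text = line.strip().lower()
        for phrase, phrase_level in PHRASE_LEVELS.items():
            if phrase in text:
                level = max(level, phrase_level)
    return level

def audit(page_lines, use_case):
    """Return (requested, needed, over_privileged) for one use case."""
    requested = requested_level(page_lines)
    needed = NEEDED[use_case]
    return requested, needed, requested > needed

# Constructed sample capability list, modelled on the DM sentence quoted in
# the post; the other lines are assumed wording.
SAMPLE_PAGE = [
    "This application will be able to:",
    "See Tweets from your timeline as well as your Lists and collections.",
    "Follow and unfollow accounts for you.",
    "Post and delete Tweets for you.",
    "Send Direct Messages for you and read, manage, and delete your Direct Messages.",
]
```

Running `audit(SAMPLE_PAGE, "sign_in")` flags the page as over-privileged, since a sign-in flow is satisfied by read-only access while the page requests the Direct Message level.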

Thursday, April 30, 2020

TikTok Account Creation and Twitter: Privacy Policy and Terms and Conditions Links are Dead

iOS 13.4.1
TikTok app for iOS (version 15.9.1)
Date: 04/30/20

Description:

Here's an issue that is similar to something that was happening over the summer.

TikTok allows users to use Twitter to create accounts. When the user selects the Twitter option to create an account, the user is taken to a Twitter OAuth page.

Below, you'll see what it looks like at this very moment:



Steps to Reproduce:

1. Download the TikTok app for iOS
2. Select the "me" option in bottom right
3. Select the "Sign Up" button
4. From the "Sign up for TikTok" page, select the "Continue with Twitter" option
5. From the "Authorize TikTok" Twitter OAuth page, scroll down
6. Select either the "Privacy Policy" or "Terms and Conditions" link

Result: TikTok's Twitter OAuth page has two dead links: Privacy Policy and Terms and Conditions

Expected: The Privacy Policy and Terms and Conditions links on the Twitter OAuth page should link to TikTok's pages


Sunday, March 22, 2020

DHgate - Online Wholesale Stores app: Full Twitter DM access requested for account creation

iOS 13.3.1
DHgate - Online Wholesale Stores app for iOS (version 5.0.4)
Date: 03/22/20

Description:

Yet another app that goes way too overboard in regards to Twitter permissions and account creation. Like some other apps, DHgate has an option to use either Facebook or Twitter to create an account.

The Twitter option with the DHgate app has a Twitter login page explaining permissions. This particular app requests the ability to "read, manage and delete" the direct messages of the connected Twitter account.

NO third party app - under any circumstances - should have that access. Most especially an e-commerce app.

Take a look at the permissions requested:

The "Send Direct Messages for you and read, manage, and delete your Direct Messages" permission is far too intrusive. I've seen this with other apps, reported it, and seen it changed instantly.

Steps to Reproduce:

1. Download and launch the DHgate - Online Wholesale Stores app for iOS
2. Select the Account option
3. From the "My Account" page, select the "Sign in or Join Free" option
4. From under the "Sign in with your social account" options, select the Twitter icon
5. Note the Twitter permissions requested

Result: The Twitter permissions requested by the DHgate app are too intrusive - the app requires the ability to "Send Direct Messages for you and read, manage, and delete your Direct Messages"

Expected: Read, manage and delete permissions for Twitter account creation with the DHgate app are too intrusive!

Tuesday, May 16, 2017

ZerAppa iOS apps – Twitter sign-in requires “full access to Direct Messages”

Numerous ZerAppa apps
Date: 05/16/2017

Description:

Looks as if many (perhaps all) apps released by ZerAppa require “full access to Direct Messages” if you want to use your Twitter credentials to create a new account inside of the app.

That’s asking for a permission that very few apps ask for. It’s also something that large corporations have routinely had to apologize for - namely, trying to trick users into granting them access.

This should be changed, and small restaurants, bars or exercise places shouldn’t be giving the impression they are able to peek into the private messages of users who use Twitter to create accounts.

Please see the attached screenshots taken from the HonestAbe’s Tap & Grill app.

I’m not OCD enough (at least not yet!) to download all 121 apps released by ZerAppa to see if they all require this permission. But, since the first seven I downloaded all did require this permission, I am willing to guess this is pretty common with apps released by ZerAppa.



Steps to Reproduce:

1. Download Honest Abe’s Tap & Grill for iOS
2. Launch the app, dismiss the pop up messages
3. Select the settings icon in the upper right hand corner of the screen (above Abe)
4. From “Accounts” select the “Connect >” next to Twitter
5. Note that “full access to Direct Messages” is a requirement for creating an account using your Twitter credentials

Result: Numerous apps released by ZerAppa require “full access to Direct Messages” for users who want to use their Twitter credentials to create an account

Expected: The requirement of “full access to Direct Messages” should NOT be required for users who want to use their Twitter credentials to create new accounts in ZerAppa apps

Select the settings option in upper right...

Choose the connect option for Twitter...