If you’re active on Twitter, you’ve probably seen some Tweets on this new “giggle” app in the last few days. It is a simple app, which provides girls with some “girls only” spaces to talk about different topics with likeminded girls. That’s all ﬁne and dandy, they’re even nice enough to explicitly declare the app a trans inclusive space on their website.
Now you’re probably wondering how exactly they are enforcing this “girls only” thing, and the answer is obviously “AI”, because honestly what else would it be. If this alone weren’t already bad enough, they also explicitly mention that what they are doing is analyzing bone structure, which is literally Phrenology and not really something you’d want in your app. As expected their app also has major problems even with afab girls, especially if they are POC, and trans persons should just contact their support according to the website. Not a great start, and most backlash on the app was based on this. It was also what ﬁrst got me interested in the app, but it turned out to be technically ﬂawed as well.
It took me about 3 minutes to completely bypass the veriﬁcation.
All it took was initiating the sign up process and tapping through until I’m asked to verify myself. I then used an “Activity Launcher” app to launch the main screen of the app (which is an exported activity so this doesn’t even need root), and I was just signed up now.
This prompted me to take a closer look at just how screwed up this app was, because this already clearly violates just about every best practice ever. As I had already guessed from the package name (
com.appetiser.giggle), this app had not been developed by giggle themselves (“giggle ltd”, “wadd holdings ltd”, or whoever they are), it was contracted to Appetiser. Their website already screams “professionality” and talks about nothing but revenue, “growth” and their great “success”. This path didn’t really lead to much further insight, other than the fact that it’s even sadder that even mobile app contractors produce this kind of trash.
The app further simpliﬁes exploiting and analyzing it by already shipping with the popular Stetho Android debugging tool. Usually one would have to modify the app in some way to get this into a production app for analysis, but they already did this for me.
So at this point it was already almost 3am and I just decided to go to bed, there is probably way more horrible stuff, but I honestly don’t feel like touching this app again anytime soon. If you do ﬁnd something else, please share it with me on Twitter (@deletescape) as I’d love to see it. If you’re from Giggle or Appetiser and would like some input on how to ﬁx this mess of an app feel free to reach out, I usually don’t bite.