• dev_null@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 months ago

    I’m sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren’t possible unless Temu is packing some serious 0-days.

    For example he says the app is collecting your fingerprint data. How would that even happen? Apps don’t have access to fingerprint data, because the operating system just reports to the app “a valid fingerprint was scanned” or “an unknown fingerprint was scanned”, and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?

    And this is just one claim. It’s just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn’t be wasted on such trivial purpose. Because now that’s it’s “revealed”, Google and Apple would patch them immediately.

    But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.

    • clb92@feddit.dk
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 months ago

      Yeah, I don’t like Temu, and I’m sure the app is a privacy nightmare, but these claims don’t seem right. If it’s true, I’d like to see someone else verify it.

      • MajinBlayze@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        6 months ago

        Here’s the actual relevant part

        These are security risks to be sure, and while these permissions are (mostly) on the surface, possibly defensible, together they do clearly represent an app trying to gather all of the data that it can.

        However, a lot of info from this report is overblown. For example code compilation is sketchy to be sure, but without a privilege escalation attack, it can’t do anything the app couldn’t do with an update.

        Also, there’s some weird language in the report, like counting the green security issues in other apps (like tiktok) as if they were also a problem, despite the image showing that green here means it doesn’t present that particular risk.

        All of this to say, if you have temu, probably uninstall it. It’s clearly collecting all the data it can get.

        But it’s unlikely to be the immediate threat that will have China taking over your phone like this report implies.

          • A_Random_Idiot@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            6 months ago

            Exactly why I use browser and not apps, too. and if they try to strongarm me with better prices or degraded services, I just stop using them all together.

            • Shyfer@ttrpg.network
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              6 months ago

              It’s why I stopped using Reddit on mobile lol. No, I don’t want to download your official app, and no you making it so I need it to access NSFW stuff will convince me to.

              Same with X/Twitter. I hate when people put information in those now because you can’t read more than one at a time in some reply to self thread on there without downloading the app. Especially when it’s important news or on the ground reporting. Screw that. All those reporters need to use mastadon.

      • dev_null@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        6 months ago

        The analysis shows it’s spyware, which I don’t question. But it’s spyware in the bounds of Android security, doesn’t hack anything, doesn’t have access to anything it shouldn’t, and uses normal Android permissions that you have to grant for it to have access to the data.

        For example the article mentions it’s making screenshots, but doesn’t mention that it’s only screenshots of itself. It can never see your other apps or access any of your data outside of it that you didn’t give it permission to access.

        Don’t get me wrong, it’s very bad and seems to siphon off any data it can get it’s hands on. But it doesn’t bypass any security, and many claims in the article are sensational and don’t appear in the Grizzly report.

        • hummingbird@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          6 months ago

          That is not entirely correct. The reported found the app using permissions that are not covered by the manifest. It also found the app being capable to execute arbitrary code send by temu. So it cannot be clearly answered if the app can utilize these permissions or not. Obviously they would not ship such an exploit with the app directly.

          • dev_null@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            The reported found the app using permissions that are not covered by the manifest.

            It didn’t found them using them, it’s an important distinction. It found code referring to permissions that are not covered by the Manifest file. If that code was ran, the app would crash, because Android won’t let an app request and use a permission not in the Manifest file. The Manifest file is not an informational overview, it’s the mechanism through which apps can declare permissions that they want Android to allow them to request. If it’s not in the Manifest, then it’s not possible to use. It’s not unusual to have a bunch of libraries in an app that have functionality you don’t use, and so don’t declare the required permissions in the Manifest, because you don’t use them.

            It also found the app being capable to execute arbitrary code send by temu.

            Yeah, which is shady, but again, there is nothing to indicate that code can go around any security and do any of the sensational things the article claims.

            The Grizzly reports shows how the app tricks you into granting permissions that it shouldn’t need, very shady stuff. But it also shows they don’t have a magical way of going around the permissions. The user has to actually grant them.

  • dhork@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 months ago

    “Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”

    That’s just nuts

    • paraphrand@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 months ago

      This is why companies like Apple are at least a tiny bit correct when they go on about app security and limiting code execution. The fact it aligns with their creed of controlling all of the technology they sell makes the whole debate a mess, though. And it does not excuse shitty behavior on their part.

      But damn

      And if they got this past Apple in their platforms. That’s even wilder.

      • chiisana@lemmy.chiisana.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        6 months ago

        The article linked to the analysis and on a quick glance, it seems to be done entirely against the Android variant of the app. This makes sense because if the alleged actions are true, they’d never have gotten on to the App Store for iOS Apple users… or at least as of a couple months ago. Who knows what kind of vulnerability is exposed by Apple only doing limited cursory checks for 3rd party App Stores.

    • dev_null@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 months ago

      Yeah, it is. It’s such an extraordinary claim.

      One requiring extraordinary evidence that wasn’t provided.

      “It’s doing amazing hacks to access everything and it’s so good at it it’s undetectable!” Right, how convenient.