“Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”
That’s just nuts
Yeah, it is. It’s such an extraordinary claim.
One requiring extraordinary evidence that wasn’t provided.
“It’s doing amazing hacks to access everything and it’s so good at it it’s undetectable!” Right, how convenient.
Libmanwe-lib.so is a library file in machine language (compiled). A Google search reveals that it is exclusively mentioned in the context of PDD software—all five search results refer to PDD’s apps. According to this discussion on GitHub, “the malicious code of PDD is protected by two sets of VMPs (manwe, nvwa)”. Libmanwe is the library to use manwe.
An anonymous user uploaded a decompiled version of libmanwe-lib to GitHub. It reads like it is a list of methods to encrypt, decrypt or shift integer signals, which fits the above description as a VMP for the sake of hiding a program’s purpose.
In plain words, TEMU’s app employed a PDD proprietary measure to hide malicious code in an opaque bubble within the application’s executables
So wait, bit-shifting some integers is now considered being malicious? Is that really the defense here? Using that definition just about all software in existence is malicious.
Bit shifting is not malicious on its own. Bit shifting to specifically conceal the purpose of your policy violating code from the auditors who audit the apps submitted to the App Store is malicious.
It’s about why you are doing it and what you are doing with it and not that it’s bit shifting on it’s own.
deleted by creator
I don’t believe his claims without evidence, but having a legit cover for nefarious acts is pretty standard, no?
deleted by creator
Why steal their money when they can both get them to give their money as well data to also sell?
This is why companies like Apple are at least a tiny bit correct when they go on about app security and limiting code execution. The fact it aligns with their creed of controlling all of the technology they sell makes the whole debate a mess, though. And it does not excuse shitty behavior on their part.
But damn
And if they got this past Apple in their platforms. That’s even wilder.
Shits getting scarier by the day.
deleted by creator
- Dynamic compilation using runtime.exec(). A cryptically named function in the source code calls for “package compile”, using runtime.exec(). This means a new program is created by the app itself.—Compiling is the process of creating a computer executable from a human-readable code. The executable created by this function is not visible to security scans before or during installation of the app, or even with elaborate penetration testing. Therefore, TEMU’s app could have passed all the tests for approval into Google’s Play Store, despite having an open door built in for an unbounded use of exploitative methods. The local compilation even allows the software to make use of other data on the device that itself could have been created dynamically and with information from TEMU’s servers.
Ah yes, delete your original incorrect comment instead of continuing the discussion about how wrong and lazy it was to make, nice.
I’m sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren’t possible unless Temu is packing some serious 0-days.
For example he says the app is collecting your fingerprint data. How would that even happen? Apps don’t have access to fingerprint data, because the operating system just reports to the app “a valid fingerprint was scanned” or “an unknown fingerprint was scanned”, and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?
And this is just one claim. It’s just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn’t be wasted on such trivial purpose. Because now that’s it’s “revealed”, Google and Apple would patch them immediately.
But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.
The study and evidence was already provided months ago
This was also linked in the article if you read it
Here’s the actual relevant part
These are security risks to be sure, and while these permissions are (mostly) on the surface, possibly defensible, together they do clearly represent an app trying to gather all of the data that it can.
However, a lot of info from this report is overblown. For example code compilation is sketchy to be sure, but without a privilege escalation attack, it can’t do anything the app couldn’t do with an update.
Also, there’s some weird language in the report, like counting the green security issues in other apps (like tiktok) as if they were also a problem, despite the image showing that green here means it doesn’t present that particular risk.
All of this to say, if you have temu, probably uninstall it. It’s clearly collecting all the data it can get.
But it’s unlikely to be the immediate threat that will have China taking over your phone like this report implies.
This infographic is really helpful. Stuff like this makes me relieved I use the majority of services in a browser, rather than native apps
Exactly why I use browser and not apps, too. and if they try to strongarm me with better prices or degraded services, I just stop using them all together.
Yup. I used to watch TikTok’s sent to me. Now I can’t. They want me to use their app. LOL. Nah.
Thanks, that brings done useful context here
That… is not a study by anyone who knows what they are talking about. It also does not mention fingerprints at all.
They seem to believe that the app can use permissions undeclared in the manifest file because they obviously think it’s only for the store to show the permissions to the user. Android will not actually allow an app to use undeclared permissions. The most rational explanation is the codebase is shared with different version of the app (possibly not released) that had different manifests.
It also makes a big deal of checking if running as root. That is not evidence of having an escalation exploit. If they have an ability to get root before running the app why would they need to use the app to exploit it? They could just do whatever they wanted and avoid leaving traces in the app. Though I doubt they would root phones to just brick them. It’s the kind of mischief you would expect from a kid writing viruses, not an intelligence agency or criminal enterprise.
Users who root their own phones are very unlikely to run temu as root. In fact a lot of apps related to shopping or banking try to detect root to refuse to work as your system is unsafely. In any case it’s a very niche group to target.
To keep things short, that ‘study’ does not really look credible or written by actual experts.
Yeah, I don’t like Temu, and I’m sure the app is a privacy nightmare, but these claims don’t seem right. If it’s true, I’d like to see someone else verify it.
Haven’t read the article because I’m not interested in an app I don’t use, but does it mean browser fingerprint? Because that’s slang for the fonts/cookies/user-data of your browser, and lots of apps have access to that.
Wouldn’t the phone have to have your fingerprint stored in order to compare it to the one scanned?
Yes, the phone does, but that data is protected in the hardware and never sent to the software, the hardware basically just sends ok / not ok. It’s not impossible to hack in theory, nothing is, but it would be a very major security exploit in itself that would deserve a bunch of articles on it’s own. And would likely be device specific vulnerability, not something an app just does wherever installed.
Pretty sure this is not true. That’s how apple’s fingerprint scanners work. On android the fingerprint data is stored either in the tpm or a part of the storage encrypted by it.
Yeah, so the app never sees it. What are you disagreeing with?
I just corrected that, can’t I without disagreeing?
I mean that I don’t know what part of my comment is “not true”. I welcome corrections, I just don’t see what is being corrected here.
It doesn’t send a yes/no signal it sends the fingerprint to be compared to the stored one
Temu is absolute cancer in terms of business practices so no surprise here at all.
Cancer in terms of, well, everything.
But it’s cheap.
If I wanted garbage I could get it for free from the roadside
Why is Temu so popular then?
Because people get dopamine from shopping, even if it’s garbage. It causes enormous amounts of waste, because most of the crap isn’t used much if at all. They just make it look good on the product page.
…and it’s cheap.
Cheap cancer
How about pass and enforce strong digital privacy protection laws you fucking cowards. When other countries spy on us it’s scary and bad, but for US companies? Best we can do is ban porn and demand backdoors to stop E2EE messaging.
Unfortunately they care more about spying on us themselves.
I’m pretty sure Temu is Chinese.
I can’t believe anyone would buy from Temu. I knew they were Chinese knockoff bullshit the second I saw their first obnoxious ad.
Plenty of items on eBay are just people who buy from China directly and mark up prices. If it is likely made in China and I don’t want it quickly, I’ll buy off aliexpress. That said, alibaba wanted me to upload photo ID which I noped out of. Temu started spamming my email address when I’d never used them. The unsubscribe link went to their website said to adjust your account settings if you didn’t want spam… I never created and account and avoided them completely following that.
I don’t buy anything from eBay that I can get elsewhere. I didn’t even use those other sites. Sure, everything is made in China, but I’m good not trusting China without a more reputable middleman that’s subject to American laws regarding things like refunds and such.
somethings people don’t care about quality. An example, the one time I checked out Temu way back when it first made its splash I bought some targets for shooting… Hard to fuck that up and got em cheap as fuck with that promo deal they do to hook you. Uninstalled it right after, probably not worth it but I feel like that is a common experience. There are items where you just simply can’t fuck up so the ultra cheapness works out.
With that said, an obligatory FUCK temu and those like it.
Aliexpress seems most straightforward, and not quite as gimmicky.
Have you seen the wheel spin and Fomo coupons?
Maybe not as much but still highly gimmicky in comparison to normal e-commerce sitesThey don’t seem to give overall preference to a given supplier beyond their obvious coupons and paid rankings. Alibaba is better, but who needs 144 of any specific widget…?
If you compare to one of the most preferred e-commerce website, which I would consider Amazon, it’s still not that bad. I have found less lies on Ali express v Amazon. If it comes to any cheaper electronics the Ali description is the real deal as far as I have seen. Amazon I have been shipped differing products, the description or features have just been a lie, or it didn’t come with the things implied. For the most part Ali descriptions are exactly what you will expect when opening the product… in fact many times I discover extra features when receiving the product that seemingly just couldn’t explain in their marketing.
Ali>Aliexpress>Amazon… just depends on needs
My only reasons to buy on Ali is when I need something simple like velcro that can be cut to length or other small scale stuff electronics (e.g. Rasperry Pi 0) and it doesnt have to be fast.
Ironically the shipping is either free or so cheap it’s better than domestic amazon.
I often suspect they sell the same item but order it with DHL shipping (our domestic shipper) with high priority shipping included in the price (2€ item + 8€ shipping = 10€ on Amazon + “free” shipping)
That’s all online shopping
I can’t believe people pay full price on cheap stuff. The only reasonable thing to do is pay cheap on cheap stuff. And the delivery times are unbeatable .
I can’t believe people buy cheap trash that would be sold on Temu.
But here we are, people buy cheap ass trash off Temu. If China started picking through the trash we shipped them and sold it back to us on a site like Temu, something tells me people would still buy it.
People would buy an actual turd on temu if it’s cheap enough. Just read these comments here… But it’s cheap. Congrats, you bought cheap garbage and it got send around the globe by a company that sells your data
With how cheap they are, people will and should buy from TEMU. Aliexpress as a general store never had much of a competition for English speakers outside of Banggood for select electronics. Taoboa is good but it’s harder to use
The irony
First, you use Lemmy, that’s great. But pls use a client without ads…
Been using Boost since it was a Reddit client. By default, it is my go to.
Maybe but you’ve done the transition to Lemmy try to use a libre client
I’m all for Libre but in this case @rmayayo@lemmyworld is my leader.
Who is he?
He is the dev who made Boost.
Why does he done it with ads?
100% this. Boost is great
by “client” do you mean “just use a browser”?
Or, you know, the 98% of clients that don’t have ads. I, for one, recommend Voyager.
Maybe but not only, for phone I recommend an app that’s much more optimized for using on mobile
Lemmy website is fine on mobile imo. Not perfect but usable and optimized.
For sure! Personally I prefer using the app
That’s what you get for using a proprietary Lemmy app. Switch to Thunder, it doesn’t have ads, it’s open source and in my opinion has the best UI out of all Lemmy apps. Also support the development and join their community: !thunder_app@lemmy.world
From the screenshots alone the interface looks similar to sync
Jerboa here but same
I tried using Jerboa and found it to be incredibly buggy and poorly designed. Not sure what’s going on there, considering that it’s the official mobile app made by the Lemmy devs
Has worked mostly fine for me, YMMV
Do you think it’s better than Voyager? That’s what I’ve been using. Pretty satisfied with it.
Snap! Double irony
Lol
I generally think arstechnica.com does a decent job of being a non-garbage news site. I pay a couple bucks a month for the ad-free RSS feed. This story feels terrible to me. I don’t doubt a law suit has been filed, but I would expect some investigation by the reporter of the extra-ordinary claims of privilege escape the application is claimed to be capable of.
Have any of you actually ever stopped to process what the tagline, “I’m shopping like a billionaire” means?
I’ve always interpreted it as,
I’m needlessly buying things that don’t make me happy, but making the purchase without any hesitation, knowing that the purchase price could never financially impact me in any real way. When I purchase the thing, I’ll probably never use it or actually take it out of the box even. It is just empty, hollow. And somewhere inside, I always know that it’s all only possible, because I’m actively exploiting the cheap labor of scores of other people that are made to perpetually suffer in generations of abject poverty to allow for my relative comfort…
🎶*“I’m shopping like a billionaire!”*🎶
I am disabled and have limited income I don’t have control over increasing or decreasing. I use temu to save a lot of money on essential things that should be cheap but are still overpriced in America. Sponges. Rags. Soaps. Pens. Tools. Home improvement hardware. Plant grow supplies. Gifts for me nieces. The tagline, is just a tagline. Billionaires are not like me and scouring for cheap magic sponges.
Edit: also, temu did not invent drop shipping. Shopping on amazon is literally the same thing.
Good to know people that are disabled don’t mind using shitty maleware apps, I guess?
What’s your point combining using the malware app with you being disabled? Is that supposed to make the app better somehow?
You’re not special because you’re disabled. Things you use aren’t magical amazing. You’re still the same as everyone else.
That’s… not what they were saying? They were responding to a comment saying it encourages consumerism by saying that they use it for better prices on things they need regardless
What does being disabled have to do it?
That’s why they’re broke
Well this disabled person thinks you’re a dumb asshole.
For what reason exactly?
Other commenters have already corrected your thinking, don’t pretend like you didn’t read them.
I completely forgot about this post. I’m not going to read any more comments than I did however long ago the conversation originally was. Oh shit it’s almost 2 weeks old lmao I don’t give a fuck
I think you cracked the case on that one, that’s gotta be what it means.
All I want to know is what do these Temu people think my life is like?
Are you a busty outdoorswoman?
Weaponized fishing for covert military operations.
On a skateboard… with tits!
Code Name: Go Fish!
Clearly you use adbloker or something cause temu just got excited when you opened up the link.
It just thinks you’re a garden variety redneck.
Your life looks pretty sick to me!
he’s batman
deleted by creator
Yesterday, I saw a Temu ad for something and I just wanted to open it to read the info and there were so many popups and “spin the wheel for a prize” and “enter your email here” and so on that I gave up and just looked for the info elsewhere. Never clicking on a Temu link again.
I get their CAPTCHA where I have to slide the puzzle piece over to look at one of their ads. More than half the time I will do this and it will fail saying I didn’t do it right. So yeah temu has become a trash site.
"So yeah temu has become a trash site. "
one of the best decisions you’ll ever make, next to dns level blocking it on your network.
Shocked i tell you. I am shocked.
No way an app would collect data it doesnt need. Preposterous.
Next thing you’ll tell me is that tiktok is doing the same thing!
What about Meta and Google?
Them too, but lukewarm by comparison.
Erm, WhatsApp would suggest otherwise.
WhatsApp was the vector for zero click access to a target’s phone from Israel’s weapons grade hacking Pegasus toolkit. They would send a video call, typically in the middle of the night, and with no input from the used they’d get full access. My personal belief is that they used functionality WhatsApp itself uses to access user data.
There was also an encrypted phone called ANOM, which had this trick calculator app with a hidden encrypted messager. “Made for criminals, by criminals”. Except, when the guy started his business he got investment from the FBI and Australian Federal Police to pay for the servers and some of the phones themselves. Basically every time it sent an encrypted message it sent a separate encrypted message to the ANOM servers. It’s entirely possible (perhaps even likely) that WhatsApp would do this also.
As for Google, they’re truly insidious. Lots of banks now require you to connect to Google captcha servers - they don’t give you the pictures, it’s just the back end, basically the tracking parts. Then there’s the controversy about them collecting location data when users have said no. They absolutely do collect data they shouldn’t.
I’ll accept that maybe I’m giving Google a pass because of misplaced nostalgia, and while I personally have never used or liked
MetaFacebook, I’ll concede that for a while it provided a service some people valued.It’s still my opinion that Google and Facebook have a large percentage of engineers that personally try to make them a genuinely good service, at least moreso than compared to TikTok and Temu. But I’m willing to concede it’s not as much a practical difference as I would like.
It’s still my opinion that Google and Facebook have a large percentage of engineers that personally try to make them a genuinely good service
Most of those people were sacked long ago. Today’s menu for those that remained is shareholder maximum value extraction sausage fest
Why do you say that?
Cause they are owned by American billionaires and as such are more ethical. /s
Like Tim Apple, iPodJockey?
I was given this nickname by an old guy at work that knew I was good with computers. Never actually owned an ipod lol.
Emphasis on by comparison, as in “molten hot metal is cooler than the surface of the sun, by comparison”.
TikTok and Temu actively have code in them that would be considered a virus in other contexts. They exploit your system to gain more access than they should, violating the point of sandboxed access.
By comparison Meta and Google merely take advantage of user ignorance and apathy by making opting out frustrating - but still technically doable.
Both practices are terrible, but that’s not the same as saying they’re equally bad.
By comparison Meta and Google merely take advantage of user ignorance and apathy by making opting out frustrating - but still technically doable.
This is simply just not true. Meta used an adversary-in-the-middle attack to decrypt Snapchat and other competitors traffic. Facebook, Apple, Twitter and Google have been intercepting traffic since before https/sandbox/anti-virus were the norm. Do you think they didn’t do anything malicious?
Install any Google app on Windows and it will install a task schedule and a always online background service to “check for updates” and downloads and runs their executable without any user consent. I wonder why no body had a problem with that. hmm…
Google runs it own operating system so they could technically do anything they so fucking please. You think Chinese Android variants are using exploits or just scooping data wholesale, because it can. But you think Google and Apple aren’t?
It’s showing your prejudice, bias and concern trolling more than anything.
Like a worse AliExpress
Also fuck their landfillware Chinesium “products”.
That’s also most of what’s on Amazon these days.
Can someone explain to me how you can just simply program something to bypass privacy and security features? What is the point of having these features if you can literally just program something to ignore them? Like…??? Temu is obviously bad if this is true, but if it IS true, it shouldn’t have been possible to begin with!!
Im not sure how they specifically bypass the features in other ways but I imagine some of it is from users accepting permissions under the guise of another use. For example, maybe you accept the microphone permission on tik tok to record video. With that permission in theory the app could now use it maliciously. Of course it should all depend on the users choice for that and im not sure beyond the scope of that.
TORfdot0 shared this comment below:
Someone else posted this report in this thread which does a good job of the deceptive practices and API calls the app uses to trick the user into giving permissions up willingly and otherwise collect data it shouldn’t.
By exploiting unknown vulnerabilities in the operating system.
Looking forward to someone answering this
one of the most obvious ways is to simply not bypass them, and then do it from within the application itself. That way you can essentially man in the middle the rest of it, though this would require a rather specific set of events and a particularly nested design of an app.
Same like wish
