• MajinBlayze@lemmy.world
      link
      fedilink
      English
      arrow-up
      58
      arrow-down
      1
      ·
      edit-2
      6 months ago

      Here’s the actual relevant part

      These are security risks to be sure, and while these permissions are (mostly) on the surface, possibly defensible, together they do clearly represent an app trying to gather all of the data that it can.

      However, a lot of info from this report is overblown. For example code compilation is sketchy to be sure, but without a privilege escalation attack, it can’t do anything the app couldn’t do with an update.

      Also, there’s some weird language in the report, like counting the green security issues in other apps (like tiktok) as if they were also a problem, despite the image showing that green here means it doesn’t present that particular risk.

      All of this to say, if you have temu, probably uninstall it. It’s clearly collecting all the data it can get.

      But it’s unlikely to be the immediate threat that will have China taking over your phone like this report implies.

    • azuth@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      6
      ·
      6 months ago

      That… is not a study by anyone who knows what they are talking about. It also does not mention fingerprints at all.

      They seem to believe that the app can use permissions undeclared in the manifest file because they obviously think it’s only for the store to show the permissions to the user. Android will not actually allow an app to use undeclared permissions. The most rational explanation is the codebase is shared with different version of the app (possibly not released) that had different manifests.

      It also makes a big deal of checking if running as root. That is not evidence of having an escalation exploit. If they have an ability to get root before running the app why would they need to use the app to exploit it? They could just do whatever they wanted and avoid leaving traces in the app. Though I doubt they would root phones to just brick them. It’s the kind of mischief you would expect from a kid writing viruses, not an intelligence agency or criminal enterprise.

      Users who root their own phones are very unlikely to run temu as root. In fact a lot of apps related to shopping or banking try to detect root to refuse to work as your system is unsafely. In any case it’s a very niche group to target.

      To keep things short, that ‘study’ does not really look credible or written by actual experts.