45 votes

Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

13 comments

  1. RNG
    Most of these criticisms of TEMU are legitimate, but I think there's some inaccuracies in the risk being represented here.

    "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

    It has "unrestricted access"? It's reading users' texts without their permission? This is a bold claim, and I can't find any evidence to back it up. This also doesn't seem to be what "Grizzly Reports" claims either. This would mean TEMU burned at least one zero-day (unless only targeting unpatched devices) and is comfortable widely distributing that exploit to anyone with the TEMU app. It's somewhat surprising that TEMU can execute code that isn't part of the distributed app, but that doesn't entail that it can bypass sandboxing. The only thing this would accomplish would be to skirt app store protections, which have often been found to be lacking anyway. This will either be quickly confirmed or disconfirmed by security researchers (unless it was only specific users receiving malicious payloads, which doesn't match the mass data collection alleged).

    From grizzlyreports.com:

    “That’s bad. That’s really bad, because if they are locally compiling packages, then they can literally do anything they want at any time. It means that you can’t analyze because the system is truly dynamic.”

    It doesn't follow that they can do "anything they want". They can only do what the TEMU app had permissions to do in the first place. If I develop an app that you install on your device, I can almost certainly find ways to execute off-board code. This recompilation stuff can be sketchy, sure, but it'd be hard to prevent an app from finding endless ways to change its execution based on data received post-compilation. Either way, the app will only run exactly with the permissions it was granted when installed; it cannot bypass permissions sandboxing without relying on exploits, exploits that likely need to be unknown to Google and Apple to be effective and hidden.

    29 votes
  2. 0x29A
    (edited)

    I'm actually not sure I believe Grizzly's claims. They're not a security company. They're a market/business research company, one that might actually match Temu's description of being a "short seller", though I can't confirm that. I will say Grizzly's site seems sketchy itself. It matches what I'd expect from a short seller. No attention to detail. Generic Squarespace-ass-looking website template. A business positioning (investing research) that seems to make it advantageous for them to sensationalize everything to benefit themselves.

    Any GrizzlyReports page you go to has a FULL PAGE disclaimer (huge red flag IMO) you have to agree to before even seeing the website, a disclaimer that explains that they're simply a "gatherer" of information that is publicly available elsewhere and aggregate this information together as "research" of companies to help investors make investing decisions. Their site does not have the pedigree of design, detail, and otherwise you'd expect from actual security researchers.

    Is there an actual security-researcher report on these supposed (and very suspicious/incredible) claims?

    Temu might be doing the shitty surveillance BS that nearly every other tech company (US or not) is doing these days with their apps, I'm not convinced they're doing anything significantly more nefarious than the industry norms, though. Doesn't make it right, but doesn't mean I'm going to avoid using their app if I also use Facebook, for instance.

    I'm actually quite surprised ArsTechnica hasn't done more digging on Grizzly and those making the claims themselves. They also might be worthy of an investigation by journalists to ensure they're not swindling the journalists into some short-selling game. It's even less surprising, given TikTok/DJI scrutiny and given much of the US public's very propagandized, US-government-approved lens they view China through. China isn't sinless for sure, but it does make a convenient target.

    23 votes
    1. cfabbro
      (edited)

      Yeah, their "extensive forensic investigation" makes a LOT of claims and accusations, but without providing much actual evidence to back them up, AFAICT. A few snippets of decompiled code (which don't seem to be all that damning), and putting the APK through an automated malware checking tool is not exactly what I would call "Smoking Gun" proof that Temu is malware. And reading through it all, it comes across as incredibly amateurish, sensationalized, and slightly unhinged, TBH. It reads more like a conspiracy theory rant or hit piece, rather than a proper forensic security analysis report.

      And yeah, their site seems super sketchy too. The biggest red flag to me is their About section though, which makes a bunch of claims about their employees' expertise, the services they offer, and their client base, but has very little information about the company itself, its history, any previous actual clients, or their employees.

      [...] Our US-based analyst team consists of trained accountants, economists, and engineers. We maintain our own private investigators in China that enable us to conduct site visits and interviews with locals, suppliers, customers and other stakeholders.

      [...] We serve institutional clients including family offices, hedge funds, investment banks, and operating companies.

      Our capacities include: Forensic Accounting Analysis, Channel Checks, Background Checks, In depth Financial Analysis and Modeling, Financial/Deal Structuring, Local expertise and network access in China

      Uh huh. Sure. Why do I get the distinct impression the only actual employee of this company is the only name mentioned on the site, Siegfried G. Eggert?
      (Surprise surprise. LinkedIn for Grizzly Research LLC = 1 associated member. Can you guess who?)

      I'm not a fan of Temu, but their claim that this is misinformation coming from a short-seller seems to be an accurate assessment.

      12 votes
  3. Deely

    I remember reading a very similar in tone (panic and a lot of sensational but not strictly correct assumptions) article about TikTok.
    For me it looks like USA big corps (Meta, Amazon) are in the process of blocking competitors. Or is it a false conspiracy?

    12 votes
    1. redwall_hp
      (edited)

      Unfortunately, people are easily susceptible to hand-waving and FUD. I'm equally skeptical about this as well as various claims made about TikTok. It's always bold claims of things that iOS or Android have security controls for, and breaking out of OS-level app sandboxes would be a huge deal, or vague and undefined "data" (waves hands mysteriously) being collected that is somehow different from the usage metrics domestic companies collect.

      I'm more familiar with iOS, but the way it works is every application has a separate Unix user with permission only to access files within its home directory. And access to things stored outside of that, such as photos, is mediated through APIs that use the privacy settings exposed to the user. (Access to SMS isn't even allowed at all on iOS.) If someone had found a vulnerability that went that deep into iOS or Android/Linux, that would be a weird way to squander the short period where it would remain unknown, as it assuredly would be caught.

      Occam's razor: super advanced security exploits that are undetectable and cannot be documented convincingly...or big corporations leveraging xenophobia for protectionism when their products underperform the popular foreign one? I know I can find a lot more examples of the latter.

      7 votes
      1. Deely

        I'm more familiar with iOS, but the way it works is every application has a separate Unix user with permission only to access files within its home directory. And access to things stored outside of that, such as photos, is mediated through APIs that use the privacy settings exposed to the user. (Access to SMS isn't even allowed at all on iOS.) If someone had found a vulnerability that went that deep into iOS or Android/Linux, that would be a weird way to squander the short period where it would remain unknown, as it assuredly would be caught.

        On the latest versions of Android it's the same (as far as I know; I have a little experience developing for Android from a few years ago). Each app can have access only to files that belong to the app. You have to actively ask the user for permission to check information outside of the app folder, and Google still blocks most of the apps that are trying to do it. And it's absolutely impossible to check other apps' folders (even the user can't do it without root).

        If someone had found a vulnerability that went that deep into iOS or Android/Linux, that would be a weird way to squander the short period where it would remain unknown, as it assuredly would be caught.

        Agreed, it's... improbable at least. TikTok (with 1B downloads) or Temu (with 100M) using a 0-day vulnerability? For what? To better know customers/users?

        4 votes
    2. blivet

      Or TikTok is just as bad.

      2 votes
      1. Deely

        Please continue. TikTok is as bad as Instagram, Facebook, YouTube, or worse?
        Bad because it's not based in the US or because...?
        Bad for the people that use it, or bad as a product, or has bad intentions, or...?

        11 votes
        1. blivet

          Sorry, no.

          2 votes
          1. Deely

            Understandable, have a nice day.

            2 votes
  4. Carrow
    The report is a good read if you're into this sort of thing....
    11 votes
    1. jackson

      While many things they mentioned in the report are suspicious, I'm not a fan of how overly-sensationalized the report is.

      Comparison of Security Issues appearing in TEMU and competitive landscape apps. *
      Note TEMU shows all 18 threats Red, TikTok ( 10 Green ) and SHEIN ( 9 Green ) are among the least dangerous.

      The risk matrix they use is completely non-standard. They claim that Temu is more dangerous than any other app they compare it to, but conveniently don't include anything that Temu doesn't do.

      Many of the concerns raised (location data, MAC address, detecting root) are table stakes for apps these days. While obviously not good, the article implies that this is Never Before Seen behavior. In the risk matrix, one of the line items is "Putting MAC address into a JSON to send the information to server." I'd hazard a guess that most of the other apps listed as collecting MAC addresses are still sending them off to a server, but are maybe using protobuf or XML to send it back. It's classic user fingerprinting.

      TEMU seemingly reads the user’s system logs.

      This is concerning behavior. I'm surprised Android allows this access. All they prove is that the log string is present though, not that the app actually obtains the logs.

      TEMU calls getWindow().getDecorView().getRootView(), to make screenshots and it stores those results in a file.

      Again, does Android allow apps to screenshot other apps? If so, concerning and should be fixed at the Android level. If not, there are many ways to record user sessions without literally screenshotting your own app. Here's one such product: https://www.fullstory.com/

      The rigged spinner always performs the same little script. It always stops on “One More Chance”, then even if you tried to browse away, it stops on the bright orange wedge with the biggest discount…every time.

      This is a classic dark pattern, and should not be allowed.

      Their discussion of network security is... weird. There are tools available that allow you to inspect traffic from a phone, even if it's TLS traffic. It seems like they chose not to do that and instead just speculate.

      Weakening network transit security is an odd choice for Temu, but to me suggests more incompetence than malicious intent. They're already sending the traffic wherever they want: there's no need to decrease the level of encryption in transit for them to siphon data off of your phone. If anything, this actually makes it easier to inspect what Temu is sending off of your device.

      I don't think Temu is doing anything good here, for what it's worth. It does seem to go beyond your standard free app data mining, and the privilege escalation issues noted are highly concerning. A lot of the access it takes advantage of shouldn't be allowed by Android without serious user involvement (like following a process to enable privileged intents for a particular app).

      I don't think the report is particularly good at conveying this, and reads more like a passionate hit piece than serious reporting.

      22 votes
      1. Carrow

        Well put, I appreciate the thoughtful response. I should've been more clear that I thought the original was good at contextualizing the news post rather than a quality cyber security report.

        1 vote
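Two points in this thread can be checked mechanically rather than argued: RNG's point that an app only gets the permissions it declared and was granted, and jackson's point that a log-reading string in the binary does not prove the app actually obtains logs. The script below is an added example for this thread, not code from the Grizzly report, from Temu, or from any poster. It parses an AndroidManifest.xml (the one embedded here is constructed for illustration and is not Temu's manifest; the package name is made up) and sorts the declared permissions into three buckets: runtime permissions that need a user prompt on Android 6.0+, install-time permissions that are auto-granted, and signature/privileged permissions such as READ_LOGS that a third-party app can declare but will never be granted. It also flags `android:usesCleartextTraffic="true"`, which is the manifest-level version of the weakened transit security jackson mentions.

```python
"""Classify the permissions an Android app requests in its AndroidManifest.xml
into what the platform will actually let a third-party (store or sideloaded)
app obtain.  Added example for this discussion; not code from the report, from
Temu, or from any commenter.  The sample manifest and package name are
constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
CLEARTEXT_ATTR = "{%s}usesCleartextTraffic" % ANDROID_NS

# Runtime ("dangerous") permissions: on Android 6.0+ each one needs a user
# prompt and can be revoked in Settings.  A subset of the platform list.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# Signature/privileged permissions: a third-party app may declare them, but
# the system refuses to grant them.  READ_LOGS has been
# signature|privileged|development since Android 4.1; outside of a
# developer running `adb shell pm grant`, an app asking for it gets nothing.
UNGRANTABLE = {
    "android.permission.READ_LOGS",
    "android.permission.CAPTURE_AUDIO_OUTPUT",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.WRITE_SECURE_SETTINGS",
}


def classify(permission):
    """Return the bucket a declared permission lands in for a third-party app."""
    if permission in UNGRANTABLE:
        return "ungrantable"
    if permission in DANGEROUS:
        return "runtime-prompt"
    return "install-time"  # normal-level (or unknown): granted at install, no prompt


def audit_manifest(xml_text):
    """Parse a manifest and group its <uses-permission> entries by bucket.

    Also reports whether the <application> element opts into cleartext HTTP.
    """
    root = ET.fromstring(xml_text)
    result = {"runtime-prompt": [], "ungrantable": [], "install-time": []}
    for node in root.iter("uses-permission"):
        perm = node.get(NAME_ATTR)
        if perm:
            result[classify(perm)].append(perm)
    app = root.find("application")
    result["cleartext_traffic"] = (
        app is not None and app.get(CLEARTEXT_ATTR) == "true"
    )
    return result


# Constructed sample manifest (not Temu's): a shopping app asking for a mix of
# normal, runtime, and one ungrantable permission, and opting into cleartext.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shopping">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <application android:usesCleartextTraffic="true"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for bucket in ("runtime-prompt", "install-time", "ungrantable"):
        print(bucket + ":")
        for perm in report[bucket]:
            print("  " + perm)
    print("cleartext traffic allowed:", report["cleartext_traffic"])
```

For a real APK, `aapt dump permissions app.apk` lists the declared permissions without unpacking it, and `adb shell dumpsys package <package>` on a device shows which runtime permissions are currently `granted=true`. The "ungrantable" bucket is the practical answer to the report's log-reading claim: declaring READ_LOGS, or having a `logcat` string in the code, changes nothing unless the grant actually shows up in `dumpsys`.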