loaph | 1 year ago

From Arkansas Attorney General Tim Griffin who filed the lawsuit:

> Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.

Pretty scary/shocking if this is true.

Also from the lawsuit:

> App store security scans don't flag Temu's risks, the complaint alleged, because Temu can "change its own code once it has been downloaded to a user’s phone"—which means it's essentially able to transform into malware once it is past the security checkpoint.

I really want to know if the above is actually possible? I would assume this would break code signing.

philipkglass|1 year ago

It sounds implausible that the app can bypass OS-level restrictions. According to the Ars article this is the original source of the allegations:

https://grizzlyreports.com/we-believe-pdd-is-a-dying-fraudul...

Reading that report more closely, it appears that the app has many characteristics the analysts considered suspicious but there's no evidence that it can actually bypass OS-level restrictions. The report is from September 2023 so if there were actually Android bugs that allowed permissions bypass I would have expected more security reporting from Google or third parties by now.

duxup|1 year ago

I'm with you on that part. It's not clear to me exactly how this is happening that doesn't cause other issues.