
> 1) Dynamic compilation using runtime.exec()

"cmd package compile" doesn't compile source code at runtime. It forces ahead-of-time compilation of an application's existing bytecode, which is something which Android already does on an as-needed basis. I'm not sure why the Temu app would be running this command (performance, maybe?), but it isn't clearly dangerous either.

https://source.android.com/docs/core/runtime/jit-compiler

The rest of the analysis doesn't seem much better, e.g.

> 3) TEMU queries information related to files, and not just its own files, but wants information on all files on the user’s device by referencing “EXTERNAL_STORAGE”, superuser rights and log files.

The EXTERNAL_STORAGE permission is literally just external storage, like the name implies. It doesn't grant access to files in internal storage, like other applications' data or system logs.

> 5) “Root” access. TEMU checks if a device has “root” access.

Yes, this is fairly common. (And indeed, the table at the top of the report notes that most of the other shopping apps they analyzed did this.)

> 6) Encryption, decryption and shifting integer signals libraries are in prior versions of Pinduoduo and TEMU apps. The only purpose of this is obscuration of malicious intent.

I'm not even sure what they're trying to suggest by this. Are they actually assuming that any use of bit-shifting operators is malicious?

> 10) [...] The TEMU app even reads and stores the MAC address, which is a unique and global hardcoded network identifier of a device. This is a big No No in internet security. A Distributed Denial of Service (DDOS) attack and other unwanted security probes could conceivably be launched against a disclosed MAC address.

This is complete nonsense. MAC addresses don't work like that.

> 11) Looking over your shoulder while you use your smartphone. TEMU calls getWindow().getDecorView().getRootView(), to make screenshots

That only captures the appearance of the Temu application, not other applications on the system.




> which is a unique and global hardcoded network identifier of a device

This is true.

> A Distributed Denial of Service (DDOS) attack and other unwanted security probes could conceivably be launched against a disclosed MAC address.

This is extremely painful for me to read. I don't even know how to describe how this is wrong.


It isn't true. Android and iOS now use MAC address randomization by default, so your MAC address is almost assuredly random, dynamic, and not hardcoded. They typically even change between networks.

This is true of almost all PC network cards nowadays, and you should be able to turn this on easily.
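The randomization point above can be checked mechanically: IEEE 802 marks locally administered (not burned-in) addresses with the second-lowest bit of the first octet, and the randomized Wi-Fi addresses Android and iOS generate set that bit. The following Python is an added example, not code from any comment in this thread; the sample addresses are constructed (the `00:00:5e:00:53:xx` block is reserved for documentation).

```python
import re

# Constructed sample addresses; none belongs to a real device.
SAMPLES = [
    "02:1a:2b:3c:4d:5e",   # locally administered: what a randomized address looks like
    "00:00:5e:00:53:01",   # globally unique, documentation OUI: a burned-in style address
    "01:00:5e:00:00:01",   # IPv4 multicast group address, never a device identifier
    "ff:ff:ff:ff:ff:ff",   # broadcast
]


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 raw bytes."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def classify_mac(mac: str) -> dict:
    """Read the two flag bits of the first octet.

    bit 0 (0x01): I/G, set for group (multicast/broadcast) addresses
    bit 1 (0x02): U/L, set for locally administered addresses; randomized
                  addresses carry this bit, burned-in vendor addresses do not.
    """
    first = parse_mac(mac)[0]
    multicast = bool(first & 0x01)
    local = bool(first & 0x02)
    return {
        "multicast": multicast,
        "locally_administered": local,
        # A registered vendor prefix (OUI) only means something for globally unique unicast.
        "oui": parse_mac(mac)[:3].hex(":") if not (local or multicast) else None,
        # Only a locally administered unicast address is a candidate randomized address.
        "likely_randomized": local and not multicast,
    }


def count_persistent(macs) -> int:
    """How many addresses in a list are globally unique unicast, i.e. stable hardware identifiers."""
    return sum(1 for m in macs if classify_mac(m)["oui"] is not None)


if __name__ == "__main__":
    for m in SAMPLES:
        print(m, classify_mac(m))
    print("persistent identifiers:", count_persistent(SAMPLES))
```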


On iOS there isn't even an API to get the MAC address (or any other persistent identifier for that matter).


When I loaded the website, a popup came up that everything there is just their opinion and nothing is to be taken as fact. Why take them seriously when they even say they have no facts supporting their allegations?