Bugs on Temu

Is Temu as bad as it sounds?

Recently, the Internet has been abuzz with scary headlines about Temu. For example, look at these media headlines about Temu:

Look at these words on these headlines:

  • warning
  • alarm bells

Some IT news articles use such words to describe Temu:

  • spyware
  • malware
  • fraudulent

An emotive technical report

The most strident condemnation of Temu comes from an investment research company called “Grizzly Research”. A technical report about the Temu app from Grizzly Research LLC shows this disclaimer:

As this disclaimer says, this technical report contains “opinions” and should NOT be considered “statements of fact”. Throughout this technical report, there are emotive words like:

  • screw, screwing
  • plunder
  • recklessly
  • exceptional threatening
  • hack your phone
  • cleverly
  • dying
  • scam

The number of emotive words in a supposedly technical report does not give me confidence that it is an objective report.

Date of the technical report

I notice another interesting thing. The scary headlines about Temu appeared in the past few days, but Grizzly Research’s technical report was published 7 months ago. In the technology industry, that is considered an old report.

Why are these scary headlines referencing an old report today?

Who is Grizzly Research?

This page on Grizzly Research LLC’s website shows that this company is an investment research company. Their expertise is in investment analysis. They do not have deep technical expertise in cybersecurity and reverse engineering.

The conflation of different issues

The major problem I have with all these scary headlines and Grizzly Research reports is that they conflate multiple issues together with emotive words, which results in fear, uncertainty and doubt (FUD). This muddles up many people’s thinking and introduces unnecessary worry and angst.

The report covers a wide area: cybersecurity, privacy, cyber-safety, ethics, trade practices, user experience design, legal compliance, national security concerns, and so on. Some of these issues are NOT relevant to the end user, while others can be mitigated.

In other words, that report is a complete mess.

Untangling the mess

Here is my attempt at sorting out the mess in this report.

Differences between Android and iOS/iPadOS

The technical report from Grizzly Research focuses mainly on Temu’s Android app. There is hardly any analysis of Temu’s iOS/iPadOS app. The reason is that the nature of Android allows apps to be much more easily reverse-engineered.

Also, iOS/iPadOS is a much more restrictive operating system, which means apps have a lot LESS freedom to access the operating system. The Android operating system allows for apps to do highly risky things that have no equivalent in iOS/iPadOS. The implication is that a lot of the ‘scary’ things that the Android app does will not be possible on the iPhone and iPad.

This difference can be lost on the casual reader of the news media. When news articles report on the scary things the Temu app is doing, they are mainly describing the app on the Android platform. iOS/iPadOS, with its much more secure design, neutralises many of the security risks mentioned in the report.

So, do we blame Google for allowing such dangerous access to their Android operating system?

Differences within Android

Even within Android, there can be differences in the level of cybersecurity. The Android platform is highly fragmented. There are so many Android devices running different versions of Android from different manufacturers and brands. Each one of them is different, with different security vulnerabilities.

Some of the scary things that the Temu app reportedly does in the report CANNOT be done in all versions of Android. That is because Google has been progressively improving the security of Android over the years. Those running older versions of Android will be more vulnerable.

For example, the report accuses Temu of spying on the user by taking screenshots of other apps on the device. This may have been possible on earlier versions of Android, but from Android 13 and 14 onward, apps doing that require permission from the user.

Does the app hack your phone?

Grizzly Research’s report opined that the app can “hack your phone from the moment you install the app.” First, you need to be clear on what it means by “hack”.

Does the app exploit cybersecurity holes in the operating system to usurp control of your device from the operating system? If this happens, I consider your device to be compromised (‘hacked’). Once your device is ‘hacked’, it cannot be trusted and all bets are off when it comes to security because it is under the full control of the hackers.

Reading through the technical report, there is no indication or evidence that this is happening. If it did happen, you can be sure that Google and Apple would ban the Temu app from their respective app stores.

Inappropriate permissions

There are accusations that the app asks for inappropriate permissions: for example, access to the device’s camera, the device’s geographical location, and the user’s external memory card storage (applicable to Android only). Some have opined that these permissions are unnecessary for the app to do what it needs to do.

In response to that, Temu argued that the permissions it asks for are appropriate. Here is their explanation of why they ask for certain permissions.

If you are worried that Temu has too many permissions to access the private information stored in your device, you can always rescind the permission (or better still, not grant it in the first place). This is true for both the Android and iOS/iPadOS operating systems.

You, the end user, can limit what personal information the app can access on your device through the operating system’s permission settings.

Granted, many users will be fatigued into granting access to every permission Temu asks for. There are also reports of Temu employing dark patterns to trick their users into granting permissions. But ultimately, this is where users should exercise personal responsibility.
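The advice above (review what the app has been granted, then rescind what it does not need) can be checked from a computer rather than by tapping through Settings. The script below is an added example, not code from the original post or from Temu: it parses the `runtime permissions:` block that `adb shell dumpsys package <pkg>` prints, flags the granted permissions the post discusses (camera, location, external storage), and emits the `adb shell pm revoke` commands that rescind them. The package name com.einnovation.temu is taken from the report excerpt later on this page; the dumpsys text is a constructed sample, and the list of permissions treated as sensitive is this example’s own choice.

```python
"""Audit an Android app's granted runtime permissions from `dumpsys package` output.

Added example (not the post's or Temu's code). Input is a CONSTRUCTED sample in the
format printed by `adb shell dumpsys package <pkg>`; only the first user's block is read.
"""
import re

PACKAGE = "com.einnovation.temu"  # package name quoted in the report excerpt on the page

# Permissions the post singles out for a shopping app. Assumption: these are the
# groups a cautious user reviews first; extend the dict as needed.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage (read)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage (write)",
}

# Constructed sample of what `adb shell dumpsys package com.einnovation.temu`
# might print. The grant values are made up for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.einnovation.temu] (a1b2c3d):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET ]
"""

_ENTRY = re.compile(r"^\s*(?P<perm>[\w.]+):\s*granted=(?P<granted>true|false)")


def parse_runtime_permissions(dumpsys_text):
    """Return {permission: granted} for the first 'runtime permissions:' block."""
    _, sep, block = dumpsys_text.partition("runtime permissions:")
    if not sep:
        return {}
    grants = {}
    for line in block.splitlines()[1:]:
        m = _ENTRY.match(line)
        if not m:
            break  # first non-entry line ends the indented block
        grants[m.group("perm")] = m.group("granted") == "true"
    return grants


def granted_sensitive(grants):
    """Sensitive permissions the user has actually granted, with a plain description."""
    return {p: SENSITIVE[p] for p, ok in grants.items() if ok and p in SENSITIVE}


def revoke_commands(package, grants):
    """adb commands that rescind each granted sensitive permission.

    `pm revoke` is the stock Android package-manager command; it needs USB
    debugging enabled. Settings > Apps > Permissions on the phone has the same effect.
    """
    return [f"adb shell pm revoke {package} {p}" for p in sorted(granted_sensitive(grants))]


def audit(package=PACKAGE, dumpsys_text=SAMPLE_DUMPSYS):
    grants = parse_runtime_permissions(dumpsys_text)
    return {
        "granted": grants,
        "flagged": granted_sensitive(grants),
        "revoke": revoke_commands(package, grants),
    }


if __name__ == "__main__":
    result = audit()
    for perm, why in result["flagged"].items():
        print(f"GRANTED  {perm}  ({why})")
    for cmd in result["revoke"]:
        print(cmd)
```

On a real device, replace `SAMPLE_DUMPSYS` with the output of `adb shell dumpsys package com.einnovation.temu`; the parser stops at the first line that is not a permission entry, so the exact indentation of the surrounding sections does not matter.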

Red flag on Temu: connection with Pinduoduo

This is the most serious concern I have for Temu.

Temu’s parent company, PDD Holdings, also operates the Pinduoduo app. That app was suspended by Google from its Google Play Store for containing malicious code that attacks the Android operating system. This is a case where you can accurately say that the app ‘hacks’ your device.

According to CNN,

Suspicions about malware in Pinduoduo’s app were first raised in late February in a report by a Chinese cybersecurity firm called Dark Navy. Even though the analysis didn’t directly name the shopping giant, the report spread quickly among other researchers, who did name the company. Some of the analysts followed up with their own reports confirming the original findings.

Soon after, on March 5, Pinduoduo issued a new update of its app, version 6.50.0, which removed the exploits, according to two experts who CNN spoke to.

Two days after the update, Pinduoduo disbanded the team of engineers and product managers who had developed the exploits, according to the Pinduoduo source.

The next day, team members found themselves locked out of Pinduoduo’s bespoke workplace communication app, Knock, and lost access to files on the company’s internal network. Engineers also found their access to big data, data sheets and the log system revoked, the source said.

Most of the team were transferred to work at Temu. They were assigned to different departments at the subsidiary, with some working on marketing or developing push notifications, according to the source.

Notice what I highlighted above. Since the Pinduoduo and Temu apps share the same software developers, it is expected that both apps will share and reuse the same pieces of code. As a result, remnants of ‘inactivated’ malicious code from Pinduoduo may have been brought over to the Temu app.

Also, note that PDD Holdings was caught in China developing a malicious app that hacked Android devices. After they were caught, they quietly removed the malicious code. In the same article, CNN reported that China’s privacy regulator was criticised by the country’s cybersecurity community for its oversight failure in catching PDD Holdings’ shenanigans.

You can say that Temu’s parent company, PDD Holdings, is ethically challenged. This is the most serious red flag for me.

Connection with China

There is a fear that all personal information collected by Temu will be available to the Chinese Communist Party because Temu operates under the jurisdiction of China. Some claim that this will result in undermining national security.

Is this claim exaggerated and overstated?

Lame and technically incorrect accusations

In Grizzly Research’s report, its condemnation of Temu is based on speculation about what the app could plausibly do, not on what it actually does. It also contains what I consider lame accusations. Some of the accusations are technically nonsensical.

For example, there is a discussion thread mentioning:

  • The mention of “dynamic compilation” in their report may not even be technically correct.
  • According to the report, Temu checks for ‘root’ permission on the Android device. This is a common behaviour among other apps. Temu is not the only one doing that. If an Android device is ‘rooted’, it means that all security restrictions have been broken and it is completely defenceless. In that case, ANY app can do a tremendous amount of damage to the user in terms of cybersecurity and privacy. But this report singles out Temu on what it can do to a rooted Android device.
  • Temu asks for permission to access the external memory storage of the device. Again, this is a common behaviour among apps. Temu is not the only one doing that.

Bad cybersecurity practice

There are things the Temu app does that can be considered insecure. The report picks out some insecure things that the iOS/iPadOS app does.

There is no shortage of apps, software, operating systems, or hardware devices that engage in insecure practices. Even Microsoft has been lambasted for their insecure practices and design.

But insecure practice is not the same as deliberate malicious action. This report seems to conflate the two.

Code obfuscation

Grizzly Research accuses Temu of obfuscating the code in their app. Code obfuscation is done to thwart attempts at reverse engineering. One can speculate on the motives for doing so. The motive can be malign (e.g. to obscure malicious code) or legitimate (e.g. to protect trade secrets).

But here is the subtle point you have to understand. Is Temu practising the dark arts of obfuscating their code? Or are they accused of having the intention to obfuscate based on their unusual software engineering practice?

The report said,

The app package (com.einnovation.temu 1.80.4) decompiles into 21,727 JAVA files in a complex tree of 4,322 folders. 1,940 of these folders and 8,681 of the JAVA files are packed for distribution with machine-generated names to thwart analysis. These folders and files are only accessible with an arbitrary name of random assigned letters assigned by the decompiler. 

There can be other explanations for what was observed. For example, Temu could be using a higher-level software engineering tool that generates Java code as an intermediate step before producing the final output.

In any case, code obfuscation does not prevent reverse engineering. It only slows it down.
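The report’s figures (“1,940 of these folders and 8,681 of the JAVA files … with machine-generated names”) come from counting decompiled names that look auto-generated. The script below is an added example, not code from the original post, the report or Temu: it applies that kind of heuristic to a list of decompiled file paths so you can see exactly what such a count does and does not measure. The file tree is a constructed sample, and the regular expression for “machine-generated” (one or two lowercase letters, optionally followed by digits) is this example’s own assumption about what a shrinker such as ProGuard or R8 produces.

```python
"""Count folders and .java files with shrinker-style names in a decompiled tree.

Added example (not the post's, the report's or Temu's code). SAMPLE_TREE is
CONSTRUCTED; the name pattern is an assumption about ProGuard/R8-style output.
"""
import re

# Assumption: minified identifiers look like a, b, ..., aa, ab, a0, b12, ...
# Three-letter real names (com, net, org) are deliberately NOT matched, which
# keeps common top-level packages out of the count.
MINIFIED = re.compile(r"^[a-z]{1,2}\d*$")

# Constructed sample of paths as a decompiler might lay them out.
SAMPLE_TREE = [
    "com/einnovation/temu/MainActivity.java",
    "com/einnovation/temu/network/ApiClient.java",
    "com/einnovation/temu/network/RetryPolicy.java",
    "a/a/a.java",
    "a/a/b.java",
    "a/b/c0.java",
    "b/a.java",
    "androidx/recyclerview/widget/RecyclerView.java",
]


def is_minified_name(segment):
    """True if a single path segment (folder or class name) matches the pattern."""
    return bool(MINIFIED.match(segment))


def classify_tree(paths):
    """Return totals and minified-name counts for folders and .java files.

    Every ancestor folder of each file is counted once, mirroring how a
    decompiler's output directory would be enumerated.
    """
    folders = set()
    java_files = minified_files = 0
    for path in paths:
        *dirs, fname = path.split("/")
        for depth in range(1, len(dirs) + 1):
            folders.add("/".join(dirs[:depth]))
        if fname.endswith(".java"):
            java_files += 1
            if is_minified_name(fname[: -len(".java")]):
                minified_files += 1
    minified_folders = sum(
        1 for f in folders if is_minified_name(f.rsplit("/", 1)[-1])
    )
    return {
        "folders": len(folders),
        "minified_folders": minified_folders,
        "java_files": java_files,
        "minified_java_files": minified_files,
    }


def minified_ratio(paths):
    """Fraction of .java files whose names look machine-generated (0.0 if none)."""
    r = classify_tree(paths)
    return r["minified_java_files"] / r["java_files"] if r["java_files"] else 0.0


if __name__ == "__main__":
    summary = classify_tree(SAMPLE_TREE)
    print(summary)
    print(f"minified ratio: {minified_ratio(SAMPLE_TREE):.0%}")
```

Two things the count cannot tell you, which is the point the post makes: a standard Android release build with shrinking enabled (R8, the Android Gradle plugin’s default, or the older ProGuard) renames every class and package that is not protected by a keep rule to exactly these short names, so a high count is consistent with routine minification as much as with deliberate obfuscation; and legitimate short package names collide with the pattern, so the heuristic over-counts on real trees. To run it on a real decompilation, replace `SAMPLE_TREE` with the relative paths from `os.walk` over the output directory.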

A mess of other things

As you read through the report, it becomes less and less of a technical report as it conflates a host of other issues that include ethics, user experience practice (i.e. engaging in “dark patterns”), legal compliance, consumer law, US postal service, civil breaches, competitive landscape, financials, accounting practices and so on.

Summary

The parent company of Temu, PDD Holdings, does not have a good reputation, given what was found in its Pinduoduo app.

But I would also read the report from Grizzly Research with a grain of salt. I cannot fully trust their report.

Next, is the Temu app a cybersecurity and privacy risk? I would say that this risk is far higher on the Android platform than on the iOS/iPadOS platform. On Apple’s iOS/iPadOS platform, given Apple’s paranoid security design, it is much harder for Temu to spy on you. If you are paranoid, iOS/iPadOS allows you to check which servers the Temu app is communicating with!

If you need to use Temu in Android, the risk is much lower for devices running the latest versions of Android (currently, it is version 14) from reputable manufacturers (e.g. Google, Samsung). So, if you have older Android devices from obscure manufacturers, your risk is much greater.

As the end-user, you have to be mindful of the permissions you grant to the Temu app to limit the amount of information it can collect about you. Temu may engage in dark patterns to nag you into inadvertently giving permission.

You also need to be mindful of the manipulative techniques used by Temu to make you spend time on the app, spend more and recruit others. That is how Temu became such a hit in the US.

At the very least, Temu has an issue with ethics. And they are far more aggressive in trying to collect information about you. But at this point, it is an exaggeration to call the Temu app malware.


1 Comment

  1. “Is this claim exaggerated and overstated?” By law all companies that operate in China Mainland need to be able to give the Chinese security services access to all of their stored information, even encrypted ones whenever they have a need. That is why Apple for example separates their user base for the iCloud into International users and Chinese users. Users based and registered in China will have their data stored on servers in-country with the Public Security Bureau and the Ministry of State Security having access to the encryption keys. How often do the security services take advantage of this? Hard to say. In the case of Chinese apps like WeChat etc. they definitely access it quite regularly and can cut through the encryption without a lot of hassle. They also don’t need a “warrant” for any of this. Would Temu moonlight for them? Not by design I assume, but if need be, there is little Temu could do to prevent that from happening. So far it seems that Temu (and PDD) operate just with a hyper aggressive model of data harvesting for economic purposes, a practice that is very common in China and that even the government there started to crack down on. Many new cyber security laws focus on the protection of customer data privacy (though security bodies are completely exempt from any of this).