Hacker News new | ask | show | jobs
by dragontamer 1022 days ago
I'm not exactly an Android expert but... android.permission.INSTALL_PACKAGES, getRuntime.exec()... these basically are permissions for remote code execution, are they not?

I think this blogpost is hyperbolic in its discussion and that's a bit unhelpful. But this does look like a serious problem on my first glance. I'd like to see what a real Android-developer thinks about these permissions though.
4 comments
fuomag9 1022 days ago
How did they even get the android.permission.INSTALL_PACKAGES permission approved on the play store?

Google clearly states that:

To use this permission, your app’s core functionality must include:

Sending or receiving app packages, AND Enabling user-initiated installation of app packages. If your app does not meet the requirements for acceptable use below, you must remove it from your app's manifest in order to comply with Google Play policy. Suggestions for policy-compliant alternative implementations are also detailed below.

Which surely doesn’t seem the case for a shopping app?

link
dragontamer 1022 days ago
Hmmm.

> 2) We find the android.permission entries referenced in the proprietary parts of the decompiled source code, excluding occurrences in widely used and secure standard libraries by Android, Google, Facebook, PayPal and Klarna. Why would the proprietary source code reference these permissions, if it doesn’t have the option to use them in specific scenarios? Most importantly, many of these permissions in TEMU’s source code are not listed in their Android Manifest file, which is the standardized overview source for an app. For scrutinizing permission, the Android Manifest file is the first source to check permissions. Not mentioned in the Android manifest are the permission requests for CAMERA, RECORD_AUDIO, WRITE_EXTERNAL_STORAGE, INSTALL_PACKAGES, and ACCESS_FINE_LOCATION. It is not a coincidence that these permissions are the most intrusive ones when it comes to spying potential. For comparison, all the other apps listed in the cohort table enumerate all of these permissions in their Android Manifest, if they use them at all. The only exception is ACCESS_FINE_LOCATION by TikTok.

That's... not as strong of a link as I hoped this article would make.

So the code has references to INSTALL_PACKAGES. But doesn't seem to request it yet? Am I getting the argument from this post correctly?

link
ajross 1022 days ago
It doesn't get them via the play store, you can see the app permissions here (see "About this app ->", then under "Permissions" click "view details":

https://play.google.com/store/apps/details?id=com.einnovatio...

link
fuomag9 1022 days ago
I never said that it got them via the play store. If an application has that permission in the manifest it should get rejected by Google if they don’t conform to their use cases.

They’re free to publish the APK themselves if they want tho

link
ajross 1021 days ago
> I never said that it got them via the play store.

You literally asked "How did they even get the android.permission.INSTALL_PACKAGES permission approved on the play store?"

And I gave you a straightforward answer. I wasn't arguing with you, I was answering the question you posed.

link
jasonjayr 1022 days ago
These permissions are not listed at https://play.google.com/store/apps/details?id=com.einnovatio... -- (Click the arrow next to "about this app, then view details under permissions) As someone who is not an App developers, Should they be listed there??
link
oaktowner 1022 days ago
I did find the table comparing its permissions to others in the space...enlightening.

My kid bought something from Temu recently and it was ridiculously low-priced. I told him the quality must be terrible...and I was wrong. I was kind of shocked and wondered what the "catch" was.

Of course, I hadn't installed the app but wow, now I have the heebie-jeebies just thinking about it.

link
JohnTHaller 1022 days ago
It's likely cheap because it's made with forced labor: https://apnews.com/article/temu-shein-forced-labor-china-de7...
link
ars 1022 days ago
Temu doesn't make stuff, they sell stuff. They sell the exact same stuff you can get on aliexpress, Amazon, and WalMart.

If there's forced labor it's not specific to them, it's specific to China.

link
oaktowner 1022 days ago
Ugh.
link
tpmx 1022 days ago
You could send a postcard here with your thanks for the great deal:

    General Office of the Central Committee of the Chinese Communist Party
    West Building
    Zhongnanhai
    Beijing
    People's Republic of China
link
joneholland 1022 days ago
It’s likely they use runtime exec because they are doing in app sideloading of features so they don’t need to wait for App Store approval. TEMU feels kinda like a superapp like wechat.

I think TEMU is a super shady company but I don’t think the app is the vector to worry about.

link