by klik99 1021 days ago
> TEMU is estimated ( Link ) to be losing $30 per order. Its ad spending and shipping costs (1-2 weeks from China, expedited to U.S. delivery) are astronomical. One is left wondering how this business could ever be profitable.

This has literally been every startup in SV for the last 15 years - aggressively lose money acquiring users when new and then, when you've killed the competition, start making money. The only thing is I don't see any external funding, so maybe they're doing it with hidden funding or a stockpile from PDD?

This feels like a lot of weak sauce, from the weird combo of clickbait title with CYA "We Believe", throwing a bunch of weak evidence all at once, overwhelming you into accepting the premise. If you have "smoking gun" evidence like they claim, then you wouldn't need to hedge your statement with "We believe". And this is an investment research company, not a security company. I'd sooner believe a pillow salesman ranting about the deep state than this.

~Edit~ Counterpoint: looks like their other main product Pinduoduo was removed from Google Play due to malware, so it could actually be true. https://krebsonsecurity.com/2023/03/google-suspends-chinese-...

But I stand by my previous statement that literally nothing in this article is actual evidence, so if it does turn out to be true it's a coincidence.


> This has literally been every startup in SV for the last 15 years

That is literally not true.

> But I stand by my previous statement that literally nothing in this article is actual evidence

I read the article. Some hand-wavy bits, yes, and some (probably) legal-cautious phrasing that you highlighted (e.g. the 'we believe' qualifier), but overall I find the evidence they've laid out to be highly compelling.

What evidence would you demand to concur that this is dangerous / spyware / a risk?

> That is literally not true.

Ok, I was exaggerating. Rather, it is either the dominant or one of the major strategies for VC-funded SV companies at early stages: aggressively lose money acquiring users. It even happens outside VC. The Wired article linked in this article includes many good reasons why it's losing money: https://www.wired.com/story/temu-is-losing-millions-of-dolla...

Look, Temu sounds scummy as hell - sounds like they can't compete in the Chinese market and are trying to make a hail mary in the US market by being incredibly aggressive and using manipulative techniques.

> overall I find the evidence they've laid out to be highly compelling.

Have you ever worked on smartphone apps? There is nothing out of the ordinary; you can see that in the matrix of "security issues" - all other major apps use those things. The only thing that could be confusing is using the JIT, but Temu includes games so it's probably a scripting language in those games. The JIT isn't a security threat in itself - maybe an insecure language could run exploits, but there is no evidence of that happening. It can't create whole new programs with whole new permissions like this article implies.

> What evidence would you demand to concur that this is dangerous / spyware / a risk?

Anything out of the ordinary, other than a bunch of stuff that's normal plus big scary china. Specifically an example of it escalating access privileges would be a smoking gun.

Now - the fact that big companies have massive databases with names and addresses of people is a real issue. This is not unique to Temu or Chinese companies, and doesn't make Temu a spyware app.

I haven't worked on smartphone apps.

But I'm looking at the matrix in TFA and the highlighted section for permissions - 'lines 1, 4, 10, 15' - which are unique to this app, and wondering why an app that does what TEMU purports to do needs all those.

Your claim 'all other major apps use those things' feels inaccurate, then, if that matrix is on the money - as those perms are exclusively used by them, albeit when compared only to the competitive apps they reference.

Sure, perhaps, as you say, a scripting language for games explains one of them. And a 'this unique permission is no big deal' may wave away another.

Anyway, that was just the first, but didn't feel like their major, point in making their argument.

Yeah, I feel that matrix is misleading in a non-obvious way - it's selecting specific things that this app does all of (i.e., mixing benign features in with things that are actual yellow flags, and not including other yellow/red flags that the app doesn't do, because you want it to look like Temu does ALL THE BAD THINGS), and selecting comparisons that paint it in a bad light (Temu has games embedded and the other apps don't, so comparing against popular game apps would show a different story - specifically on the permissions and inclusion of the JIT features), and then using red/green colors to make it seem scary, when none of these are smoking gun red flags.

Now that being said, I do think there is value in a bunch of yellow flags existing, that hey, maybe we should look into this more, and I do think this is true about Temu - especially since another app has been taken down recently due to malware - though they didn't take down Temu at the same time, so presumably (strong but not 100% assumption) they didn't find malware in it (look at that Krebs on Security article).

Temu seems really scummy, they use really morally bankrupt techniques borrowed from the worst in the games industry, and they are a good example of a larger problem of data collection, so I'm not defending them. But it's so easy to take these things that everyone is doing, add fear of China and then call it spyware; coming from an investment analyst company it just sounds like a hit piece. It lowers the bar on real spyware, like Pegasus and Predator, that is actually being used by corrupt nation states to literally listen in on conversations. Sure, you can say that China can target locations of dissidents by requesting data from Temu, but they can do that without Temu. Even private investigators (read: unlicensed non-state actors) in the US have access to gray market cell phone data to target individuals, and hackers routinely breach sensitive data from companies that don't disclose leaks. There are a lot of real issues, and to take all that real concern and point it at TikTok and Temu isn't helping.

Yeah, okay, all fair points. I was sensitive to that matrix - despite not being au fait with all the nuances of the permission model in Android - likely being architected to look sinister by possibly cherry-picking the perms to highlight.

I've read enough explanations from developers I trust when responding to 'Why does your app need X...?' to know there are reasonable explanations in many cases.

OTOH, from someone familiar with generic OS permission models, a number of those are alarming enough to make me extremely wary of the app, especially in light of the parent corp's dubious business model.

I hadn't consciously registered the red / green colour choice, but definitely get your point there. I don't believe I'd gone straight to a 'china = bad' correlation, but also I'm sure my opinion is subtly influenced by the political and cultural implications (deltas in legal recourse, oversight, etc).

Welcome to the world of anonymous short seller hit pieces. These people are scum and they're not even good at what they do. 99% of the time they just make up a bunch of sensationalist bullshit. They are the new bottom feeders of the securities world, today's version of boiler room folks.

This is the Chinese government subsidizing youth unemployment.

My 60-year-old mother gets messaged every day on WeChat by young Chinese people asking her to buy stuff on Temu; they're all unemployed otherwise.

How is this garbage reply the first one I'm seeing?