by Jedd 1020 days ago
I haven't worked on smartphone apps.

But I'm looking at the matrix in TFA and the highlighted section for permissions -'lines 1, 4, 10, 15' - which are unique to this app, and wondering why an app that does what TEMU purports to do, needs all those.

Your claim 'all other major apps use those things' feels inaccurate, then, if that matrix is on the money - as those perms are exclusively used by them, albeit when compared only to the competitive apps they reference.

Sure, perhaps, as you say, a scripting language for games explains one of them. And a 'this unique permission is no big deal' may wave away another.

Anyway, that was just the first, but didn't feel like their major, point in making their argument.


Yeah I feel that matrix is misleading in a non-obvious way - it's selecting specific things that this app does all of (i.e., mixing benign features in with things that are actual yellow flags, not including other yellow/red flags that the app doesn't do because you want it to look like Temu does ALL THE BAD THINGS), and selecting comparisons that paint it in a bad light (Temu has games embedded and the other apps don't, so comparing against popular game apps would show a different story - specifically on the permissions and inclusion of the JIT features) and then using red/green colors to make it seem scary, when none of these are smoking gun red flags.

Now that being said, I do think there is value in a bunch of yellow flags existing that hey maybe we should look into this more and I do think this is true about Temu - esp since another app has been taken down recently due to malware - though they didn't take down Temu at the same time so presumably (strong but not 100% assumption) didn't find malware in it (look at that Krebs on Security article).

Temu seems really scummy, they use really morally bankrupt techniques borrowed from the worst in the games industry, and they are a good example of a larger problem of data collection, so I'm not defending them. But it's so easy to take these things that everyone is doing, add fear of China and then call it spyware; coming from an investment analyst company it just sounds like a hit piece. It lowers the bar on real spyware, like Pegasus and Predator, that is actually being used by corrupt nation states to literally listen in on conversations. Sure you can say that China can target locations of dissidents by requesting data from Temu, but they can do that without Temu. Even Private Investigators (read: unlicensed non-state actors) in the US have access to gray market cell phone data to target individuals, and hackers routinely breach sensitive data from companies that don't disclose leaks. There are a lot of real issues, and to take all that real concern and point it at TikTok and Temu isn't helping.

Yeah, okay, all fair points. I was sensitive to that matrix - despite not being au fait with all the nuances of the permission model in Android - likely being architected to look sinister by possibly cherry-picking the perms to highlight.

I've read enough explanations from developers I trust when responding to 'Why does your app need X...?' to know there are reasonable explanations in many cases.

OTOH, from someone familiar with generic OS permission models, a number of those are alarming enough to make me extremely wary of the app, especially in light of the parent corp's dubious business model.

I hadn't consciously registered the red / green colour choice, but definitely get your point there. I don't believe I'd gone straight to a 'china = bad' correlation, but also I'm sure my opinion is subtly influenced by the political and cultural implications (deltas in legal recourse, oversight, etc).