undefined | Better HN

0 pointsklik992y ago0 comments

> That is literally not true.

Ok, I was exaggerating. Rather - It is either the dominant or one of the major strategies for VC funded SV companies at early stages. Aggressively lose money acquiring users. Even happens outside VC. The wired article linked in this article includes many good reasons why it's losing money: https://www.wired.com/story/temu-is-losing-millions-of-dolla...

Look, temu sounds scummy as hell - sounds like they can't compete in the Chinese market and trying to make a hail mary in the US market by being incredibly aggressive and using manipulative techniques.

> overall I find the evidence they've laid out to be highly compelling.

Have you ever worked on smartphone apps? There is nothing out of the ordinary, you can see that in the matrix of "security issues" - all other major apps use those things. The only thing that could be confusing is using the jit but temu includes games so it's probably a scripting language in those games. The jit isn't a security threat in itself - maybe an insecure language could run exploits, but there is not evidence of that happening. It can't create whole new programs with whole new permissions like this article implies.

> What evidence would you demand to concur that this is dangerous / spyware / a risk?

Anything out of the ordinary, other than a bunch of stuff that's normal plus big scary china. Specifically an example of it escalating access privileges would be a smoking gun.

Now - the fact that big companies have massive databases with names and addresses of people is a real issue. This is not unique to Temu or Chinese companies, and doesn't make Temu a spyware app.

0 comments

Jedd2y ago

I haven't worked on smartphone apps.

But I'm looking at the matrix in TFA and the highlighted section for permissions -'lines 1, 4, 10, 15' - which are unique to this app, and wondering why an app that does what TEMU purports to do, needs all those.

Your claim 'all other major apps use those things' feels inaccurate, then, if that matrix is on the money - as those perms are exclusively used by them, albeit when compared only to the competitive apps they reference.

Sure, perhaps, as you say, a scripting language for games explains one of them. And a 'this unique permission is no big deal' may wave away another.

Anyway, that was just the first, but didn't feel like their major, point in making their argument.

klik99OP2y ago

Yeah I feel that matrix is misleading in a non-obvious way - it's selecting specific things that this app does all of (IE, mixing benign features in with things that are actual yellow flags, not including other yellow/red flags that the app doesn't do because you want it to look like Temu does ALL THE BAD THINGS), and selecting comparisons that paint it in a bad light (Temu has games embedded and the other apps don't, so comparing against popular game apps would show a different story - specifically on the permissions and inclusion of the JIT features) and then using red/green colors to make it seem scary, when none of these are smoking gun red flags.

Now that being said, I do think there is value in a bunch of yellow flags existing that hey maybe we should look into this more and I do think this is true about Temu - esp since another app has been taken down recently due to malware - though didn't take down Temu at the same time so presumably (strong but not 100% assumption) didn't find malware in it (look at that krebs on security article).

Temu seems really scummy, they use really morally bankrupt techniques borrowed from the worst in the games industry, and they are a good example of a larger problem of data collection, so I'm not defending them. But it's so easy to take these things that everyone is doing, add fear of china and then call it spyware, coming from an investment analyst company just sounds like a hit peace. It lowers the bar on real spyware, like Pegasus and Predator, that is actually being used by corrupt nation states to literally listen into conversations. Sure you can say that China can target locations of dissidents by requesting data from Temu, but they can do that without Temu. Even Private Investigators (read unlicensed non-state actors) in US have access to gray market cell phone data to target individuals, and hackers routinely breach sensitive data from companies that don't disclose leaks. There is a lot of real issues, and to take all that real concern and point it to TikTok and Temu isn't helping.

Jedd2y ago

Yeah, okay, all fair points. I was sensitive to that matrix - despite not being au fait with all the nuances of the permission model in Android - likely being architected to look sinister by possibly cherry-picking the perms to highlight.

I've read enough explanations from developers I trust when responding to 'Why does your app need X...?' to know there are reasonable explanations in many cases.

OTOH, from someone familiar with generic OS permission models, a number of those are alarming enough to make me extremely wary of the app, especially in light of the parent corp's dubious business model.

I hadn't consciously registered the red / green colour choice, but definitely get your point there. I don't believe I'd gone straight to a 'china = bad' correlation, but also I'm sure my opinion is subtly influenced by the political and cultural implications (deltas in legal recourse, oversight, etc).

j / k navigate · click thread line to collapse

0 pointsklik992y ago0 comments

> That is literally not true.

> overall I find the evidence they've laid out to be highly compelling.

> What evidence would you demand to concur that this is dangerous / spyware / a risk?

Anything out of the ordinary, other than a bunch of stuff that's normal plus big scary china. Specifically an example of it escalating access privileges would be a smoking gun.

Now - the fact that big companies have massive databases with names and addresses of people is a real issue. This is not unique to Temu or Chinese companies, and doesn't make Temu a spyware app.

0 comments

Jedd2y ago

I haven't worked on smartphone apps.

Sure, perhaps, as you say, a scripting language for games explains one of them. And a 'this unique permission is no big deal' may wave away another.

Anyway, that was just the first, but didn't feel like their major, point in making their argument.

klik99OP2y ago

Jedd2y ago

I've read enough explanations from developers I trust when responding to 'Why does your app need X...?' to know there are reasonable explanations in many cases.

j / k navigate · click thread line to collapse