dev_null

dev_null , 5 hours ago to technology in Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

The reported found the app using permissions that are not covered by the manifest.

It didn’t found them using them, it’s an important distinction. It found code referring to permissions that are not covered by the Manifest file. If that code was ran, the app would crash, because Android won’t let an app request and use a permission not in the Manifest file. The Manifest file is not an informational overview, it’s the mechanism through which apps can declare permissions that they want Android to allow them to request. If it’s not in the Manifest, then it’s not possible to use. It’s not unusual to have a bunch of libraries in an app that have functionality you don’t use, and so don’t declare the required permissions in the Manifest, because you don’t use them.

It also found the app being capable to execute arbitrary code send by temu.

Yeah, which is shady, but again, there is nothing to indicate that code can go around any security and do any of the sensational things the article claims.

The Grizzly reports shows how the app tricks you into granting permissions that it shouldn’t need, very shady stuff. But it also shows they don’t have a magical way of going around the permissions. The user has to actually grant them.

dev_null , 15 hours ago to technology in Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

The analysis shows it’s spyware, which I don’t question. But it’s spyware in the bounds of Android security, doesn’t hack anything, doesn’t have access to anything it shouldn’t, and uses normal Android permissions that you have to grant for it to have access to the data.

For example the article mentions it’s making screenshots, but doesn’t mention that it’s only screenshots of itself. It can never see your other apps or access any of your data outside of it that you didn’t give it permission to access.

Don’t get me wrong, it’s very bad and seems to siphon off any data it can get it’s hands on. But it doesn’t bypass any security, and many claims in the article are sensational and don’t appear in the Grizzly report.

dev_null , 15 hours ago to technology in Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

Yes, the phone does, but that data is protected in the hardware and never sent to the software, the hardware basically just sends ok / not ok. It’s not impossible to hack in theory, nothing is, but it would be a very major security exploit in itself that would deserve a bunch of articles on it’s own. And would likely be device specific vulnerability, not something an app just does wherever installed.

dev_null , 20 hours ago to technology in Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

Yeah, it is. It’s such an extraordinary claim.

One requiring extraordinary evidence that wasn’t provided.

“It’s doing amazing hacks to access everything and it’s so good at it it’s undetectable!” Right, how convenient.

dev_null , 20 hours ago to technology in Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

I’m sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren’t possible unless Temu is packing some serious 0-days.

For example he says the app is collecting your fingerprint data. How would that even happen? Apps don’t have access to fingerprint data, because the operating system just reports to the app “a valid fingerprint was scanned” or “an unknown fingerprint was scanned”, and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?

And this is just one claim. It’s just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn’t be wasted on such trivial purpose. Because now that’s it’s “revealed”, Google and Apple would patch them immediately.

But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.

dev_null , 20 hours ago to piracy in Meta admits using pirated books to train AI, but won't pay for it

Sure, then it’s Meta that’s lying. Saying the AI is lying is helping these corporations convince people that these models have any intent or agency in what they generate.

dev_null , 21 hours ago to piracy in Meta admits using pirated books to train AI, but won't pay for it

Internal documents on how the AI was trained were obviously not part of the training data, why would they be. So it doesn’t know how it was trained, and as this tech always does, it just hallucinates an English sounding answer. It’s not “lying”, it’s just glorified autocomplete. Saying things like “it’s lying” is overselling what it is. As much as any other thing that doesn’t work is not malicious, it just sucks.

dev_null , 23 hours ago to technology in China is attempting to mirror the entire GitHub over to their own servers, users report

Most GitHub repos don’t have a license, meaning you are not licensed to do anything with them. Rehosting them would be the same as rehosting an image you don’t have a license for.

dev_null , 23 hours ago to technology in China is attempting to mirror the entire GitHub over to their own servers, users report

Most projects on GitHub don’t have a license, which means it’s not allowed.

dev_null , 1 day ago to linuxmemes in That is an act of cruelty towards the poor pokémon

Yeah, and when you do, it’s because you don’t like things about the original, and here people are saying what they don’t like.

Nobody disagrees that you can choose something else, but that’s not a reason to be uncritical.

dev_null , 1 day ago to lemmyshitpost in I will not be taking questions.

Yeah, the illustration shows nothing, we don’t know which side is which anyway.

dev_null , 2 days ago to mildlyinteresting in YouTube’s “new subscriber” email hasn’t changed substantially in 10+ years

What was even the purpose of that button? Surely if you get spam, you don’t report that to the spammer, you use the mechanism provided by your email service.

dev_null , 2 days ago to nostupidquestions in Ticketmaster breach, beaches in general

You asked about beaches, so are you interested in how they form geologically, which ones are good for surfing, or just looking for a sunbathing destination?

The person you replied to was joking based on your typo.

dev_null , 3 days ago to asklemmy in What industry secret are you aware of that most people aren't?

I see, so you mean manually getting the password out of the manager instead of domain based autofill.

dev_null , 3 days ago to asklemmy in What industry secret are you aware of that most people aren't?

What do you mean a password manager that checks the domain? Isn’t the auto fill based on the domain? I can’t imagine how a password manager could fill a password without checking the domain, it wouldn’t know which password to fill after all. Do any actually exist?