• hummingbird@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    4 months ago

    That is not entirely correct. The reported found the app using permissions that are not covered by the manifest. It also found the app being capable to execute arbitrary code send by temu. So it cannot be clearly answered if the app can utilize these permissions or not. Obviously they would not ship such an exploit with the app directly.

    • dev_null@lemmy.ml
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      4 months ago

      The reported found the app using permissions that are not covered by the manifest.

      It didn’t found them using them, it’s an important distinction. It found code referring to permissions that are not covered by the Manifest file. If that code was ran, the app would crash, because Android won’t let an app request and use a permission not in the Manifest file. The Manifest file is not an informational overview, it’s the mechanism through which apps can declare permissions that they want Android to allow them to request. If it’s not in the Manifest, then it’s not possible to use. It’s not unusual to have a bunch of libraries in an app that have functionality you don’t use, and so don’t declare the required permissions in the Manifest, because you don’t use them.

      It also found the app being capable to execute arbitrary code send by temu.

      Yeah, which is shady, but again, there is nothing to indicate that code can go around any security and do any of the sensational things the article claims.

      The Grizzly reports shows how the app tricks you into granting permissions that it shouldn’t need, very shady stuff. But it also shows they don’t have a magical way of going around the permissions. The user has to actually grant them.