Is the online shopping app TEMU dangerous for iOS?

iOS / iPadOS devices cannot be infected** with Viruses / Malware / Spyware unless you have intentionally downloaded spurious software or unauthorized apps directly from the internet and installed them on your device or/and have Jailbroken. 

**The primary reason for this is Sandboxing. All third-party apps are “sandboxed”, so they are restricted from accessing files stored by other apps or from making changes to the device. Sandboxing is designed to prevent apps from gathering or modifying information stored by other apps.

Security of runtime process in iOS and iPadOS - Apple Support

The sandbox on an iPhone is a security feature that creates a restricted environment for each app to run in isolation from other apps and the operating system. It is a core component of iOS's security architecture and plays a crucial role in making iPhones more secure.

In layman's terms:

The sandbox works by enforcing strict controls and limitations on app behavior, ensuring that each app has access only to the resources it needs to function properly. Here are some key aspects of the sandbox that contribute to iPhone security:

1. Isolation: Each app on an iPhone operates within its own sandboxed environment, which means it has no direct access to the files, processes, or memory of other apps. This isolation prevents apps from interfering with one another, protecting user data and maintaining system stability.
2. Restricted Resource Access: The sandbox restricts an app's access to sensitive resources such as contacts, photos, location data, and system settings. Apps must explicitly request user permission to access these resources, and users have control over granting or denying access. This helps prevent unauthorized data access and ensures user privacy.
3. Limited File System Access: Apps can only access their own containerized storage area and specific system-provided directories. They cannot modify files outside of their designated areas or interfere with the operating system files. This prevents apps from tampering with critical system components.
4. Code Execution Controls: The sandbox enforces restrictions on code execution, preventing apps from running arbitrary code or injecting malicious code into other apps or the system. It helps ensure that apps only execute approved code from their own sandboxed environment.
5. App Review Process: Before an app is allowed on the App Store, it goes through a rigorous review process conducted by Apple. This review examines the app's functionality, security, and adherence to guidelines. It helps detect and remove malicious or poorly designed apps, minimizing the risk to users.

The combination of these sandboxing mechanisms helps create a secure environment on iPhones, protecting user data, maintaining system integrity, and preventing unauthorized access or interference between apps.

I have used Temu with my iPhone 13Pro which I keep regularly updated for nearly a year since the ad from the last Super Bowl. I don't use their payment and instead use wallet. I don't give accurate info other than my address for any data such as birthdate which I don't think they asked for.

There are stuff that are not great buys regardless of how cheap. So if you are willing to throw away, you are good.

I returned some shoes and got my money back within 10 days via credit purchase (option they give you versus credit which further protects you). Came in pretty quickly.

Buy things you don't need fast from them. Takes 1-3 weeks depending on whether it's stocked in the US. They do not ship with fancy nice boxes and this needs to improve a bit. I'd rather they stuff a box than send me a giant ball bag (looks tacky). My purchases which are largely jewelry, clothes, Hair accessories, orthofoot pad soles (these are so expensive in the US), Lenovo EarPods (ok) have been functional. Also bought wired charges with multiple endpoints for the car so my friends with androids can plugin $1.25 vs $8 on amazon. Low quality items are more the homeware stuff so have stopped buying those. She of the clothes are good and some not so good. I like that they will help lower the costs on Amazon and know this that some amazon sellers get from Temu or Alibaba and just resell to you. I would like to know the truth about the spyware; given the sandboxing that Apple does, it seems I'm likely protected. I've had my CC# stolen 4 trips to Florida at restaurants and hotels vs Temu. Best buys with Temu: fashion jewelry--same stuff sold at the retail stores. Choose thicker jewelry and look at materials. The bulk jewelry seemed higher quality. They are for me throwaways so at $1 to $5 versus paying $10-50 when it's on sale at the stores. I bought beautiful evening fashion jewelry earings/necklace for $5 that I have paid retail for 50. yes it's that crazy cheap. Been watching for valid info on the spyware or is this amazon lobbyists? Must wonder.

The app itself is not ‘malware’. The company’s business practices are questionable at best, though.

Personally, I wouldn’t have anything to do with them.

Wow that was so helpful. I was trying to find info about Temu and came across this post. I feel much safer about using the App Store overall now understanding how sandboxing works. Thanks so much!

Apple removed Temu from the App Store because it is malware with legal cases pending regarding this.

People that had downloaded it before Apple removed it do indeed have malware on their iOS devices.

Your statement is invalid for malware apps that have slipped through Apple's App Store curation of dangerous apps.

[Edited by Moderator]

This is fundamentally a political discussion, not a technical discussion. That there are just two apps in focus here? Politics. If data privacy or security were a central consideration to the political discussion, we'd be discussing a wide variety of other apps and services, and the myriad entities collecting and reselling that data.

Examples? Add-on first-few-hops virtual private network (VPN) providers are perfectly positioned to collect metadata, and one of the better known macOS apps was caught and eventually fined for collecting and selling personally-identified metadata. Had they disclosed that in the fine print, they likely would have avoided the fine. Google collects location data, and four times-and-locations data points are usually enough to uniquely identify a person. ("By analyzing 15 months of cell phone mobility data from 1.5 million people, researchers have found that only four spatio-temporal points (an individual's approximate whereabouts at the approximate time when they're using their cell phone) are all that's needed to uniquely identify 95% of the individuals.")

About that generated code?

First, AFAIK, runtime.exec is a Java call. Java isn't available on iOS and iPadOS. Java performance is built on generating and executing code.

More than a few apps generate code. Web browsers, for instance. That feature is utterly mundane. Java and particularly Java performance is built on having that capability as mentioned, as is Dalvik and more recently Android Run-Time on Android. This compilation is what happens underneath any Just In Time (JIT) support in any language or platform, and underneath similar features. More than a few graphic programs generate code on the fly, allowing the app to tailor itself to the particular graphics—Apple has the Metal Jax JIT, for instance, and there are other examples.

Now as for what any particular app doing with that generated code? Short of reverse engineering it, I don't know. Can this be used to obfuscate code? Sure. But on iOS and iPadOS, that generated code is still subject to the usual privacy blocks on iOS and iPadOS within the hardened runtime, same as the rest of the platform. This when the generated code operating absent what amounts to a jailbreak, or absent a flaw in the underlying platform security. But if the user has granted access to the data as is far more common, then that generated code can do whatever the developer wanted with the data, same as the non-generated code can do with that data. Why bother with an exploit when you can ask nicely and get access to some or all of the user's data?

Here are some basics on generating and then executing code within an app running on an Apple device:

Porting just-in-time compilers to Apple silicon | Apple Developer Documentation

If you want to know about Apple Metal and code compilation (you probably don't), Jax has a JIT.

The older OpenCL compute library application programming interface can compile code, too.

As for website articles and web postings and text messages and the rest—those involving what are or can be political topics—Brandolini's Law should absolutely be considered. Some skepticism about what gets posted on the 'net is always appropriate.

TL;DR: If you don't want the Temu app on your device, remove it. If you don't want an app accessing your data, any app, either don't allow that access, or read the app's privacy guide first and do or don't install the app based on that. And if you are concerned about privacy, you'll want to consider widening your concern from two apps to, well, many of the apps and services available, and discussing that concern with your legislative reps.

You do understand "local American businesses" are buying from China (possible even from Temu themselves) and reselling to you, right? You just pay more to have them be the one between? These items are *never* made by "local American businesses" so you are just wasting every extra penny you spend. So good you are "perfectly ok" with wasting your $$$. Most of us prefer to save

No, Temu cannot “hack” your device, in the sense that it cannot download a virus on your device. However, I do recommend that you delete it because Temu is intentionally hiding functions that absorb user data and are used as spyware, and we don’t know what they do with that data. They could sell that data to hackers, but truth be told we have no clue what they do with it. Also, the company that owns Temu (PDD inc.) made another app called Pinduoduo that did install malware and spyware on people’s phones and that malware was hidden. Pinduoduo is now banned and Temu might be being banned as well. I recommend you delete the app, because they have a lot of your data and you never know how they are going to use it.

Apple removed Temu from the App Store because it is malware.

https://www.asiafinancial.com/us-lawsuit-says-temu-shopping-app-has-hidden-spyware-at#:~:text=Griffin's%20lawsuit%20notes%20that%20both,that%20%E2%80%9CTemu%20is%20cleverly%20hidden

Blatant fraud — Temu appears to be setup to facilitate spam, scam and fraudulent activity. When purchasing a product you have zero transparency and have a coin flip chance of actually receiving your product. Moreover. If you're purchase is possible not available you will be offered a credit locking you into the system. In my case, requested a refund and the app says no valid transaction

No clear way of getting your money back!

Stay clear of this app and Temu in general!

I am stunned that Apple is essentially sponsoring this kind of fraud on their own customers.

hands4 wrote:

Apple removed Temu from the App Store because it is malware.

False. Temu app remains available in the US app store.

The linked article reports on the filing of an Arkansas lawsuit.

Here is a different write-up on the lawsuit:

https://arstechnica.com/tech-policy/2024/06/shopping-app-temu-is-dangerous-malware-spying-on-your-texts-lawsuit-claims/

As for apps and services collecting user data, I can only hope that the Arkansas lawsuit helps produce better privacy regulations in the US, as data collection is ubiquitous. State regulators and AGs could all pursue that as a goal too, beyond the current focus on two apps among the myriad of apps and vendors that collect all sorts of data, not the least of which include Google and Meta.

Here are further quotes from the Grizzley report:

Our experts identified a stack of software functions that are completely inappropriate to and dangerous in this type of software. TEMU uses them all. [All of those listed below.]

1 Local compiling with "package compile" executed with getRuntime.exec()

2 Requesting information if app runs with root rights ("superuser")

3 Request process list with "getRunningAppProcesses)'

4 Requesting system logs from "/system/bin/logcat"

5 Accessing debugger status with "Debug.isDebuggerConnected()"

6 Reading and writing system files in "sys/devices/"

7 Accessing external storage with "ExternalStorage"

8 Making screenshots ("getRootView()', "peekDecorView)" in "getWindow()')

9 Requesting the MAC address

10 Putting MAC address into a JSON to send the information to server

11 Code obfuscation with most JAVA code: unnamed files, folders, functions

12 android.permission.CAMERA

13 android.permission.WRITE_EXTERNAL_STORAGE

14 android.permission.RECORD_AUDIO

15 android.permission.INSTALL_PACKAGES

16 android.permission.INTERNET

17 android.permission.WAKE_LOCK

18 Putting location information into JSON to send the information

The issues for which only TEMU is flagged red (Row 1, 4, 10, 15) are among the most dangerous — and are the most likely to be combined to make actual spyware.

1) Dynamic compilation using runtime.exec(). A cryptically named function in the source code calls for “package compile”, using runtime.exec(). This means a new program is created by the app itself.—Compiling is the process of creating a computer executable from a human-readable code. The executable created by this function is not visible to security scans before or during installation of the app, or even with elaborate penetration testing. Therefore, TEMU’s app could have passed all the tests for approval into Google’s Play Store, despite having an open door built in for an unbounded use of exploitative methods. The local compilation even allows the software to make use of other data on the device that itself could have been created dynamically and with information from TEMU’s servers.

“That’s bad. That’s really bad, because if they are locally compiling packages, then they can literally do anything they want at any time. It means that you can’t analyze because the system is truly dynamic.”

This feature alone is a “wild card” that looms over most specific risks of malware. It’s like debating who has the most keys to break into a building, when you hold the master key in your hand. Put another way, if all the rest of the objectionable code was removed, while this one backdoor went undetected due to its concealment, the app could become just as malignant, by changing its behavior, controlled by foreign servers, in almost all possible ways and reactive to all future developments of the app, the regulations and all other possible influences. For example, TEMU can potentially send source code, encrypted and masquerading as any unsuspicious piece of data, which is then compiled into an executable on the client’s phone.

BoobidyBoop wrote:

Umm… this is false information since the fact is that I have an iPhone 13 Pro Max and I am still able to install the Temu App (not that I care to) but as of Aug 1st, 2024 …I did so for a friend!

Yes, hands4 corrected their statement in their next post.

I’m perfectly okay spending my money on local American businesses. I won’t download the app because it takes up space and I will never use it.