CP is a name from the perspective of the consumer, CSAM is a name from the perspective of the victim. Since we want to take the side of the victim, we use the term relevant to the victim.
Battlestar Galactica might start as sci-fi but ends up as science fantasy. At some point a character comes back from the dead, becomes an angel, and much of the original mysticism becomes literal.
Ok, so they refused, but provided an alternative to the app. Makes sense!
Ok, so it's not that they can refuse to provide a device, it's that if you voluntarily agree to use your personal device, then they have to provide compensation (for the data, etc.). Your original comment said they can refuse to provide a device, hence my confusion.
https://developer.android.com/identity/sign-in/biometric-auth#display-login-prompt
The app gets either the onAuthenticationSucceeded
or onAuthenticationFailed
callback. It doesn't get the fingerprint.
Edit: I think we are misunderstanding each other, I'm saying that apps never see the fingerprint. The OS does, depending on the device.
That's what I think, which is why I'm asking icedterminal where did they get the info that the employer can refuse to provide a phone, it doesn't seem right to me.
I mean that I don't know what part of my comment is "not true". I welcome corrections, I just don't see what is being corrected here.
You said "No matter what app it is" which is the point of my confusion. So you actually meant "apps that use data", that's fair enough, thank you for the clarification.
your employer is still required to provide you with the tools necessary to complete your job
Yeah, that's what I thought, that the employer is required to provide a work phone if they require the usage of an app. But you are saying they can refuse as long as they reimburse data, which doesn't even help if the app doesn't use data. How is that "refusal of a legal obligation" working?
they are legally obligated to provide you with a work phone. If they refuse
This is the part that I'm not getting. So are they legally obligated or are they allowed to refuse like you say. It can't be both ways.
Yeah, so the app never sees it. What are you disagreeing with?
Reimbursement for a mobile plan? If I need to use a special authenticator app to login to my work computer, and the app is fully offline (and I only need to use it at the office where I have Wi-fi anyway, if I needed it, but I don't), then what does a mobile plan have to do with anything? I could use it on a phone without a SIM card, or a tablet that can't have one.
Yeah, but there is no separation between being able to do day to day administrative actions like installing software, and being able to do destructive actions no one should need to do unless in exceptional circumstances.
Yeah, I feel like Linux needs the equivalent of Administrator accounts on Windows. Root is the equivalent of the System account on Windows, something even power users might never encounter, because it's a level of power you shouldn't ever need.
We need users to have permission to install software and do other administrative tasks, without having permission to do very destructive actions like uninstalling core system packages. Aunt Flo should be able to install Mahjong from her distros package manager GUI, without needing dangerous root access.
Which is his fault, but also this would never happen on Windows. The power and lack of hand-holding of Linux is a great advantage for power users, but with great power comes great responsibility, and many people don't need the responsibility.
I don't think it tore, all the lines are straight. Looks like it was just made of separate sheets that weren't connected, so nothing had to tear, the ones above the hole just fell in.
The reported found the app using permissions that are not covered by the manifest.
It didn't found them using them, it's an important distinction. It found code referring to permissions that are not covered by the Manifest file. If that code was ran, the app would crash, because Android won't let an app request and use a permission not in the Manifest file. The Manifest file is not an informational overview, it's the mechanism through which apps can declare permissions that they want Android to allow them to request. If it's not in the Manifest, then it's not possible to use. It's not unusual to have a bunch of libraries in an app that have functionality you don't use, and so don't declare the required permissions in the Manifest, because you don't use them.
It also found the app being capable to execute arbitrary code send by temu.
Yeah, which is shady, but again, there is nothing to indicate that code can go around any security and do any of the sensational things the article claims.
The Grizzly reports shows how the app tricks you into granting permissions that it shouldn't need, very shady stuff. But it also shows they don't have a magical way of going around the permissions. The user has to actually grant them.
The analysis shows it's spyware, which I don't question. But it's spyware in the bounds of Android security, doesn't hack anything, doesn't have access to anything it shouldn't, and uses normal Android permissions that you have to grant for it to have access to the data.
For example the article mentions it's making screenshots, but doesn't mention that it's only screenshots of itself. It can never see your other apps or access any of your data outside of it that you didn't give it permission to access.
Don't get me wrong, it's very bad and seems to siphon off any data it can get it's hands on. But it doesn't bypass any security, and many claims in the article are sensational and don't appear in the Grizzly report.
Yes, the phone does, but that data is protected in the hardware and never sent to the software, the hardware basically just sends ok / not ok. It's not impossible to hack in theory, nothing is, but it would be a very major security exploit in itself that would deserve a bunch of articles on it's own. And would likely be device specific vulnerability, not something an app just does wherever installed.
Yeah, it is. It's such an extraordinary claim.
One requiring extraordinary evidence that wasn't provided.
"It's doing amazing hacks to access everything and it's so good at it it's undetectable!" Right, how convenient.
I'm sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren't possible unless Temu is packing some serious 0-days.
For example he says the app is collecting your fingerprint data. How would that even happen? Apps don't have access to fingerprint data, because the operating system just reports to the app "a valid fingerprint was scanned" or "an unknown fingerprint was scanned", and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?
And this is just one claim. It's just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn't be wasted on such trivial purpose. Because now that's it's "revealed", Google and Apple would patch them immediately.
But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.