
Temu app cybersecurity concerns: anomalies identified by experts

The app of the famous e-commerce platform Temu reportedly presents some technical anomalies related to cybersecurity, according to recent analyses conducted by the Swiss National Cybersecurity Testing Institute NTC (Nationales Testinstitut für Cybersicherheit). In particular, Temu allows the dynamic loading of code, which could potentially turn the app into a sort of backdoor. Furthermore, the app uses additional layers of encryption that, while protecting user data, could mask the unauthorized transmission of information. While no malicious activity has been demonstrated to date, these characteristics raise important questions, especially for those using the app in government or corporate contexts.

The critical issues of the Temu app reported by experts

Temu is operated by the Chinese company PDD Holdings Inc. and has become famous for eliminating intermediaries in the sales process, offering products at very low and ultra-competitive prices. Its success is undisputed: according to a recent report by AGCOM (Communications Regulatory Authority), it counts 12.1 million monthly unique users in Italy alone and is starting to overtake established platforms in terms of number of active users. However, the growing popularity of the app has not prevented the spotlight from shining on some of its technical features, defined as “unusual” by the NTC report. This institute, based in Zug, is known for its neutrality and cybersecurity testing of critical applications and infrastructures.

The NTC analysis highlighted two main aspects. The first concerns the dynamic loading of code in a proprietary runtime environment. This means that the app can change its behavior without requiring an official update via the App Store, and therefore without users being aware of the changes made. This mechanism, while useful for quickly adapting features or fixing technical issues, could theoretically be exploited to introduce non-transparent features.

Another point concerns the use of multiple layers of encryption. While extra layers of protection may seem like a benefit to user privacy, the NTC report warns that these could be used to hide unauthorized data transmissions. The exfiltration of sensitive data is one of the most feared risks in the context of mobile applications, as it could compromise both the privacy of ordinary users and the security of those who work in critical areas, such as politicians or managers of large companies that use the application.

In addition to this, there is also a geopolitical issue to take into account. The official note from the NTC reads:

The app is operated by China’s PDD Holdings Inc. and is subject to Chinese law, which is considered inadequate in terms of data protection from a European point of view. Businesses and authorities should take this into account when using the app.

Temu: what precautions to take if using Temu

It is important to note that these characteristics do not necessarily or automatically indicate malicious activity. In fact, compared to many similar apps, Temu requires fewer permissions and its overall behavior aligns with industry standards. In the press release issued by the NTC, in fact, we read:

The analysis also finds that there is otherwise no other clearly critical security risk or evidence of unauthorized surveillance activity in the Temu app. The app’s permissions and behavior largely conform to e-commerce application standards. Compared to other similar applications, Temu requires fewer and less problematic permissions.

In other words, at the moment we must avoid falling into easy alarmism by thinking that the Temu app is absolute evil. At the same time, however, the presence of the two technical peculiarities highlighted by the NTC security experts, combined with the fact that the app is managed by a Chinese company which may not share the European vision regarding the protection of users’ personal data, justifies prudent use of Temu. The Institute suggests, in fact, granting Temu only the permissions that are strictly necessary and considering, if possible, using Temu via a browser in order to «reduce the attack surface».