There has been a sudden craze for freaky-looking photos created using the Chinese app Meitu. The images the app creates are either cutesy or horrific, depending on your point of view, but it’s what’s going on in the background that has people concerned.
While Meitu has been popular in China for several years, amassing a huge following, it has only just caught on over here. What many users are unaware of is that while they are busy applying virtual makeup to their face in the app, data such as a phone’s IMEI, MAC address, users’ precise location and much more is being gathered and shared. The advice? Ditch the app if you’re concerned about your privacy.
Meitu is available for both iOS and Android, and it invites users to “welcome the New Year by transcending dimensions with your flawless beauty!” The Android version of the app is creating particular cause for concern, asking for no fewer than 23 permissions. With all of this data being transmitted back to an unknown, untrusted remote Chinese server, many users and security experts are concerned.
Android Police notes that in addition to monitoring precise user location, analysis of the Android APK reveals that Meitu also gathers “the device’s model, resolution, Android OS version, MAC address, IMEI, and more”. While some permissions — such as the need to access the camera and photos — are understandable, others make less sense; quite why call information is needed by a photo app is anyone’s guess.
On Twitter, infosec expert Greg Linares pointed out the permissions:
Let me get this straight…
All of you just installed a photo app from China that requires these permissions? Let me know how it works out. pic.twitter.com/wGDUYbRdSA
— Greg Linares (@Laughing_Mantis) January 19, 2017
For some reason the iOS version of the app also checks to see if the device is jailbroken, and while Meitu is not alone in asking for excessive permissions, the sheer number asked for here, coupled with links to China, is enough for most people to ditch the app.
Meitu itself denies that anything suspicious is going on, insisting that the data is gathered merely to get around analytics blocks in place in China. Apps sold through Google Play and the App Store can usually track usage stats, but this is not the case in China. A Meitu spokesperson explains:
To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks.
The company also explains that additional permissions are needed on Android to allow push notifications to work.
The choice, ultimately, is yours as to whether you want to trust the app or not.