Popular Chinese photo-editing app Meitu has prompted privacy fears after it was found to be asking for more phone access permissions than seems reasonable for a photo app.
The free smartphone app has been widely used in China for years. It was launched in 2008, but suddenly took off in the west after social media users started posting photos transformed into anime-like images using the platform. The company went public in Hong Kong in December.
Cybersecurity expert Leo Weese told HKFP that users should be careful about what security permissions are granted when installing apps: “On iOS and on newer Android versions you can manually choose what is allowed and what not, because the app is – by default – asking for a lot more than it should.”
According to the app’s page on the Google Play store, it can access users’ location, phone number, call information, carrier information and Wi-Fi connections, see which other apps are running, and change audio settings, among other permissions.
Security researcher Jonathan Zdziarski also found that the iOS version checks whether the device is jailbroken, meaning it can detect whether a user has bypassed the software restrictions imposed by Apple’s system. Such checks are common in apps with anti-fraud or anti-tampering requirements and do not by themselves send data anywhere.
Welp, Meitu definitely has a number of different checks to see if your iPhone is jailbroken… pic.twitter.com/XSbKqDKgqX
— Jonathan Zdziarski (@JZdziarski) January 19, 2017
“It’s reasonable to assume that the app would want access to your camera and want access to your storage, but it’s not reasonable why it would want to make phone calls or change your audio settings or why it would want to access the storage of other apps or even know what cellphone carrier you use,” Weese said.
Another point of concern is that the app may be sending the IMEI – a unique number that identifies an individual handset – to servers in China, according to self-proclaimed security pessimist FourOctets. A Whois search for the server addresses posted by FourOctets found that one was allocated to Hangzhou Alibaba Advertising Co., and the other two to Forest Eternal Communication Tech, a data services company in Beijing. A Whois record shows who holds the address block, which is not necessarily the party operating the server.
Just to let you guys know that photo app that makes you look like an anime is sending your IMEI to several servers in China. https://t.co/dQdroq5qhA
— FourOctets (@FourOctets) January 19, 2017
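The finding above was made by watching the app’s network traffic. The following script is an added example, not code from the article or from anyone quoted in it, of how a practitioner would triage exported proxy requests for an IMEI: it looks for 15-digit numbers in each request URL and keeps only those that pass the Luhn check that real IMEIs satisfy, so random IDs of the same length are not reported. The request lines, hostnames and IMEI values are constructed for the example (the IMEIs are the well-known test values, not real devices); attributing a host to a company still needs a separate Whois/RDAP lookup, which this offline example does not perform.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: request lines in the shape a proxy such as mitmproxy
# exports them. Hosts use the reserved .invalid TLD. The first and third
# carry Luhn-valid IMEIs; the last carries a 15-digit ID that is not one.
SAMPLE_REQUESTS = [
    "POST https://example-analytics.invalid/collect?imei=490154203237518&os=ios HTTP/1.1",
    "GET https://cdn.example.invalid/stickers/pack1.zip HTTP/1.1",
    "POST https://ads.example.invalid/v1/track?device_id=356938035643809 HTTP/1.1",
    "GET https://api.example.invalid/item?id=123456789012345 HTTP/1.1",
]

# 15 digits not adjacent to other digits, so longer numbers are not split up.
IMEI_RE = re.compile(r"(?<!\d)(\d{15})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check as used by IMEI: the 15th digit is a check digit over the
    preceding 14, computed by doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_imei_leaks(request_lines):
    """Return (host, field, imei) for every Luhn-valid 15-digit number found
    in a request line's query parameters or path. The field name tells the
    analyst which parameter carried the value (e.g. 'imei' vs 'device_id')."""
    leaks = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line
        url = urlsplit(parts[1])
        candidates = [(k, v) for k, vals in parse_qs(url.query).items() for v in vals]
        candidates.append(("path", url.path))
        for field, value in candidates:
            for m in IMEI_RE.finditer(value):
                if luhn_ok(m.group(1)):
                    leaks.append((url.hostname, field, m.group(1)))
    return leaks


def tac(imei: str) -> str:
    """First 8 digits of an IMEI: the Type Allocation Code, which identifies
    the handset model rather than the individual device."""
    return imei[:8]


if __name__ == "__main__":
    for host, field, imei in find_imei_leaks(SAMPLE_REQUESTS):
        print(f"{host}: IMEI {imei} (TAC {tac(imei)}) sent in '{field}'")
```

Only the two Luhn-valid values are reported; the 15-digit item ID on the last request is skipped. Run against a real export, the hosts in the output are the ones worth looking up and comparing with the app’s stated data flows.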
Data ‘not shared’
A Meitu spokesperson told HKFP that the app collects information about users’ phones instead of users’ personal information. It collects IMEI to optimise user experience – for example, to know what size the phone’s screen is, the spokesperson said. She said that it collects information about user location in order to show them the appropriate ads, and collects IP addresses in case competitors hack into the app.
“We don’t sell the information to anyone else,” she said.
“Meitu DOES NOT share any user information with the Chinese government. User data is sent ONLY to Meitu,” the company said in a press release. However, the spokesperson did not respond to questions about what consumer data the company is required to provide to the government by law.
Matthew Garrett, a Linux kernel developer who works on security, wrote that most apps request the device’s IMEI.
“It’s certainly something to be concerned about, but Meitu isn’t especially rare here – there are big-name apps that do exactly the same thing… Let’s turn this into a conversation about user privacy online rather than blaming one specific example,” he wrote on his blog.
Weese also said users should not be overly concerned that the app is being used by the Chinese government to crack users’ phones. The information-gathering is a common business practice, he said.
“I think it’s just a very shady business practice to try to gather as much data as you can without asking for permission, without asking for consent, and this has become a lot more common business practice, especially in places like China.”