Think twice before grabbing popular photo app Meitu


Meitu, an app which allows users to gussy up their faces in an anime style, has quickly gone viral, but reports suggest that it represents a privacy threat.

The app allows users to beautify their faces, delivering larger irises, smoother skin and a host of other changes. But several reports found that the app (especially the Android version), like many, requires a notable privacy trade-off.

For starters, its Google Play Store listing reveals permissions such as location, running at startup, device and phone ID, and viewing WiFi connections. Not super crazy, but definitely concerning — especially the ability to access your device/phone IDs and run at startup.

An iOS security researcher who analysed the app told Wired that the code was “mostly par for the course junk”.

“I didn’t see anything overtly evil, but that doesn’t mean there’s not something more serious in there. The thing is the number of different analytics and ad tracking packages they’ve loaded into the app. I counted at least half a dozen different packages in there. You don’t generally need that many unless you’re selling data,” Jonathan Zdziarski was quoted as saying.

The Meitu app is quickly becoming one of the more popular downloads around, but users will want to take heed anyway.

Vectra Networks researcher Greg Linares told the publication that Meitu was “collecting some very odd data that shouldn’t be looked at necessarily for the application functioning”.

Meanwhile, security expert Matthew Garrett expanded on the Android app’s ability to send your IMEI number to Chinese servers.

“Why would anybody want these IDs? The simple answer is that app authors mostly make money by selling advertising, and advertisers like to know who’s seeing their advertisements. The more app views they can tie to a single individual, the more they can track that user’s response to different kinds of adverts and the more targeted (and, they hope, more profitable) the advertising towards that user,” Garrett wrote on his blog.

The security expert added that Meitu wasn’t alone in this practice.

“Meitu isn’t especially rare in this respect. Over 50% of the Android apps I have handy request your IMEI, although I haven’t tracked what they all do with it.”

Android users do have some recourse if they’ve got Android 6.0 Marshmallow and above. That version of Android introduced granular permission controls, allowing users to toggle individual permissions for apps.


