This post was written by Catherine Lai and originally published by Hong Kong Free Press on Jan. 22, 2017. The version below is published under a partnership agreement.
An overnight hit around the world, the Chinese photo-editing app Meitu has prompted privacy fears after users noticed the unusual range of permissions it requests at installation.
The free mobile app, popular in China for years, was launched in 2008, but recently took off in the West after people started using it to share photographs transformed into anime-like images. The company went public in Hong Kong in December.
Cybersecurity expert Leo Weese told Hong Kong Free Press that users should be careful about what security permissions are granted when installing apps:
On iOS and on newer Android versions you can manually choose what is allowed and what not, because the app is – by default – asking for a lot more than it should.
According to the app’s listing on the Google Play store, it can access the user’s location, phone number, call and carrier information, and Wi-Fi connections, see which other apps are running, change audio settings, and more.
Security researcher Jonathan Zdziarski also found that the iOS version checks whether the device is jailbroken, meaning it can tell whether the user has removed the software restrictions that Apple’s operating system imposes.
Welp, Meitu definitely has a number of different checks to see if your iPhone is jailbroken… pic.twitter.com/XSbKqDKgqX
— Jonathan Zdziarski (@JZdziarski) January 19, 2017
It’s reasonable to assume that the app would want access to your camera and want access to your storage, but it’s not reasonable why it would want to make phone calls or change your audio settings or why it would want to access the storage of other apps or even know what cellphone carrier you use.
Another point of concern is that the app may be transmitting the device’s IMEI, the unique number that identifies an individual handset, to servers in China, according to self-proclaimed security pessimist “Four Octets.” A Whois search for the server addresses posted by Four Octets found that one was allocated to Hangzhou Alibaba Advertising Co., and the other two to Forest Eternal Communication Tech, a data services company in Beijing. An allocation to a hosting provider such as Alibaba shows where a server is hosted, not who operates it, so the Whois records alone do not identify the recipient of the data.
Just to let you guys know that photo app that makes you look like an anime is sending your IMEI to several servers in China. https://t.co/dQdroq5qhA
— FourOctets (@FourOctets) January 19, 2017
A Meitu spokesperson told Hong Kong Free Press that the app collects information about users’ phones rather than users’ personal information, saying the company collects the IMEI to “optimize the user experience” — for example, to know what size the phone’s screen is. She added that the app collects user location in order to show appropriate ads, and collects IP addresses in case competitors hack into the app. She stressed:
We don’t sell the information to anyone else.
A press release further stressed:
Meitu DOES NOT share any user information with the Chinese government. User data is sent ONLY to Meitu.
Matthew Garrett, a Linux security developer, wrote on his blog that collecting the device’s IMEI is common among apps:
It’s certainly something to be concerned about, but Meitu isn’t especially rare here – there are big-name apps that do exactly the same thing… Let’s turn this into a conversation about user privacy online rather than blaming one specific example.
Weese also said users should not be overly concerned that the app is being used by the Chinese government to crack users’ phones. The information-gathering is a common business practice, he said:
I think it’s just a very shady business practice to try to gather as much data as you can without asking for permission, without asking for consent, and this has become a lot more common business practice, especially in places like China.