If you don’t know what Meitu is — although you’ve probably already seen heaps of Anime-ified celebrities popping up in your social feeds over the last couple of days — it is an immensely popular Chinese selfie app that is now causing security concerns over the permissions it needs before you install it.
Meitu has been around for quite a while in its home country, but only recently gained traction in the rest of the world after adding anime styles to its roster of selfie filters. This kicked of a viral trend of people turning themselves into anime characters on Facebook and Instagram, but it wasn’t too long before social media were flooded with photos of celebrities and politicians also given the Sailor Moon treatment.
Unfortunately, it seems like the hilarity of turning Donald Trump into a K-Pop star comes at an unfair price. Security-conscious people have been poking about Meitu’s internals, and have allegedly stumbled upon some sketchy lines of code. Furthermore, the Android version of the app asks for a silly amount of permissions that should worry even the most nonchalant of yes-men. Although every selfie app needs access to your camera and photo gallery, Meitu asks for pretty much every permission in the book – to check on running apps, your current location, read and modify the contents of your USB storage, see your device’s unique identification numbers (IMSIs), access call information, wifi connections, and more.
This is what security researcher Jonathan Zdziarski had to say about Meitu
Although Meitu is not the only permission-hungry free app out there, not by a long shot, the unique IMSI numbers it acquires can be used for tracking users across the web, security researchers claim. A lot of the data Meitu collects is being send to unknown third-parties, although the company claims all of it is used for identity protection, service upgrades, and the like. It is very much possible that Meitu is just selling its users’ data to ad companies for ad targeting – a practice that is very common for Chinese companies developing free mobile apps. Still, we would advise to at least glance through what permissions an app needs before installing it on your smartphone, and if it’s a bunch too many for what it is, you may want to consider giving it a pass.
Update: Meitu has shed some light on the issue, denying that it is selling any of the data collected from its users. In a statement to CNET, the company confirmed that the data collection code was included with the app, simply because Meitu is based in China, where the government blocks tracking services provided by Apple's App Store and Google Play.
"To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks," a Meitu spokesperson told CNET.