Meitu Isn't Malicious, But It Is Snooping On Your Data

Image: Gizmodo

There's a new selfie app in town. It's called Meitu, and it's all about turning your profile photos into over-the-top anime cels.

On the surface, Meitu is all about smoothing your skin and making your hair look silky, brightening the dark circles under your eyes and making you look a little less haggard. But that's a facade for the app's real purpose, which is to collect your data to sell to advertisers.

Meitu is, suddenly, big business. The skin-smoothing, eye-brightening selfie app has been around for years, but has become incredibly popular outside its native Chinese market in the past few days. The company behind it, which developed the app years ago in relative obscurity, was set for a $3.3 billion IPO in December of last year, the biggest tech company debut on the Hong Kong stock exchange since Alibaba in 2014. It eventually floated at a valuation of $6.08 billion, raising $832 million on the first day of the offering.

Meitu — the app that was previously called Meitu XiuXiu or MeituPic — applies skin smoothing, makeup and visual effects to photos, including an over-the-top beautification feature that has quickly become the bane of politicians everywhere. According to the app, Meitu's 'drawing selfies' — the very heavily made-over photos, complete with cartoonish filters and reworked backgrounds and visual effects like flowers and tear drops — have been activated over 118 million times by the app's users.

But Meitu does more than snap photos and distort them: it snoops further into your phone.

Meitu initially asks its users for access to the phone's camera and photo roll, but on subsequent launches on Android it also requests the ability to make and receive phone calls, to check the phone's network status and unique IMEI identity, and to check and then continuously monitor the user's location through GPS. (You can see the full list of Android requests by hitting 'view details' under Permissions on the app's Play Store listing.)

On the latest version of Apple's iOS, you can check app permissions by heading into Settings, then selecting an app to view the permissions it has asked to access. You can also duck into Privacy in settings, and see permissions organised by type and enable or disable each permission — like access to photos or contacts — for each app that has previously requested them. Apple explicitly tells developers to explain why and when they require any permissions, especially for personal data and especially when it's not clearly obvious to the end user. "It's natural," Apple says, "to be suspicious of a request for personal information, especially if there’s no obvious need for it."

On Android, only apps built for Android 6.0 Marshmallow — released in October 2015 — or later ask for permission at the moment they first use a sensitive function of your phone. Meitu, though, will run on any Android device from 4.0 onwards; on those older devices that means it doesn't have to explicitly ask the first time it tries to access your contacts, your camera, or any other potentially sensitive or personal data living on your phone or in your camera roll. This is a problem. On Android 7.0 Nougat the OS grants such permissions only after checking with the user first, but older Android and iOS devices are at potential risk.
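The two points above (which permissions a photo app has no business asking for, and whether the app targets an API level old enough to sidestep Marshmallow's runtime prompts) can be checked straight from an app's AndroidManifest.xml. The following is an added example written for this page, not code from Gizmodo or from Meitu: it audits a manifest for permissions a selfie app cannot plausibly justify and reports whether the declared target SDK is below API 23 (Android 6.0), the level at which runtime permission prompts begin. The manifest it parses is a constructed sample modelled on the capabilities the article lists (IMEI, calls, network state, GPS, audio settings); it is not Meitu's actual manifest, and the set of "expected" permissions is an assumption chosen for a camera app.

```python
"""Added example: audit an Android manifest's declared permissions.

Not code from the article or from Meitu. The sample manifest below is
constructed to mirror the capabilities described in the article and is not
the real app's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_TARGET = f"{{{ANDROID_NS}}}targetSdkVersion"
ANDROID_MIN = f"{{{ANDROID_NS}}}minSdkVersion"

# Runtime permission prompts only apply to apps targeting API 23 (6.0) or
# higher; lower targets get every declared permission at install time.
RUNTIME_PERMISSION_API = 23

# Assumption: the permissions a selfie/photo-filter app can reasonably need.
EXPECTED_FOR_CAMERA_APP = {
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

# Real Android permission names and what each one exposes.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI) and call state",
    "android.permission.CALL_PHONE": "place phone calls without user confirmation",
    "android.permission.ACCESS_NETWORK_STATE": "network connection status",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.MODIFY_AUDIO_SETTINGS": "change global audio settings",
    "android.permission.READ_CONTACTS": "address book",
}

# Constructed sample manifest (not the real app's).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.selfieapp">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="22" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
</manifest>
"""


def target_sdk(root: ET.Element) -> int:
    """Resolve targetSdkVersion as Android does: falls back to minSdkVersion, then 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(uses_sdk.get(ANDROID_TARGET, uses_sdk.get(ANDROID_MIN, "1")))


def audit_manifest(manifest_xml: str) -> dict:
    """Return the permissions outside the expected set and the runtime-prompt status."""
    root = ET.fromstring(manifest_xml)
    declared = {
        el.get(ANDROID_NAME)
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NAME)
    }
    target = target_sdk(root)
    unexpected = {
        perm: SENSITIVE.get(perm, "not a typical photo-app permission")
        for perm in sorted(declared - EXPECTED_FOR_CAMERA_APP)
    }
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "runtime_prompts": target >= RUNTIME_PERMISSION_API,
        "unexpected": unexpected,
    }


def format_report(result: dict) -> list:
    """Human-readable lines for the audit result."""
    lines = [f"package: {result['package']}",
             f"targetSdkVersion: {result['target_sdk']} "
             f"({'runtime prompts' if result['runtime_prompts'] else 'install-time grants only'})"]
    if not result["unexpected"]:
        lines.append("no permissions beyond what a camera app needs")
    for perm, meaning in result["unexpected"].items():
        lines.append(f"  unexpected: {perm} -> {meaning}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit_manifest(SAMPLE_MANIFEST))))
```

Run against the sample, the report flags READ_PHONE_STATE, CALL_PHONE, ACCESS_NETWORK_STATE, ACCESS_FINE_LOCATION and MODIFY_AUDIO_SETTINGS, and notes that a target of API 22 means none of them would be prompted for at runtime on any Android version. A manifest extracted from a real APK (for example with `aapt dump xmltree` or `apktool`) can be fed to `audit_manifest` the same way.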

This is before the nightmare happens. Image: Gizmodo
This is after. Image: Gizmodo

The fact that Meitu is asking for arcane-sounding permissions shouldn't instantly turn you off using it. But that's not all it snoops through your phone for. Infosec researcher Jonathan Zdziarski's teardown of the iOS version of the app shows it's effectively just a vehicle for a variety of ad-tracking and analytics packages, collecting a range of user data — identified with per-user info like your phone's IMEI or unique MAC address, depending on the platform — and sending it back to Meitu's servers. From there it's anyone's guess what Meitu is doing with it, but the simplest assumption is that it's being on-sold to advertisers, who add it to their own user profiles through data-matching to more effectively target ads.

What Meitu is doing isn't especially nefarious, Zdziarski says. It's no different to the hundreds of other ad-filled, permission-boosting, information-hijacking apps that fill the Google Play Store and, to a lesser extent, Apple's own more closely guarded App Store. But that doesn't mean it's acceptable. Apps that ask for too many permissions can just be an oversight by the developer or a poorly coded piece of software, but it's a bad practice that should be avoided if possible.

There was a minor moral panic about Pokemon Go requesting permissions when it was launched in July of last year — the augmented reality app asked users for access to their phones' camera and GPS functions. Both are integral to the game actually functioning properly, though, and disabling them for privacy reasons doesn't really make sense: you may as well just uninstall the app.

Uber found itself in similar hot water recently after an app update that saw it effectively track riders in the background for five minutes after they completed a ride. The ridesharing company's justification was that it wanted to monitor user behaviour to improve the way rides are delivered — to see, for example, whether a large proportion of users crossed the road after completing a journey. You should always be sceptical and suspicious of apps asking for permissions, but in some cases — like a transport app asking for GPS access — it makes sense.

For others, like Meitu, it doesn't. No camera app needs to investigate your phone's IMEI, or change your phone's audio settings or snoop on your location. Definitely no legitimate app needs to check whether your phone is jailbroken or rooted and then use that as a vector to gather more information that can be offloaded and sold off.

For Meitu, on the balance of what we've seen so far, we'd be extremely cautious about installing the app in the first place — no matter whether you want it on Android or iOS. Both are problematic, but for different reasons. Put the two together as a glimpse into the company's goal in making money off its users, and we've seen enough to recommend you stay away and look for an alternative.
