Viral selfie app Meitu causes privacy concerns over many permissions
Meitu has been around for quite a while in its home country, but only recently gained traction in the rest of the world after adding anime styles to its roster of selfie filters. This kicked of a viral trend of people turning themselves into anime characters on Facebook and Instagram, but it wasn’t too long before social media were flooded with photos of celebrities and politicians also given the Sailor Moon treatment.
Unfortunately, it seems like the hilarity of turning Donald Trump into a K-Pop star comes at an unfair price. Security-conscious people have been poking about Meitu’s internals, and have allegedly stumbled upon some sketchy lines of code. Furthermore, the Android version of the app asks for a silly amount of permissions that should worry even the most nonchalant of yes-men. Although every selfie app needs access to your camera and photo gallery, Meitu asks for pretty much every permission in the book – to check on running apps, your current location, read and modify the contents of your USB storage, see your device’s unique identification numbers (IMSIs), access call information, wifi connections, and more.
Summary: Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it.— Jonathan Zdziarski (@JZdziarski) January 19, 2017
Although Meitu is not the only permission-hungry free app out there, not by a long shot, the unique IMSI numbers it acquires can be used for tracking users across the web, security researchers claim. A lot of the data Meitu collects is being send to unknown third-parties, although the company claims all of it is used for identity protection, service upgrades, and the like. It is very much possible that Meitu is just selling its users’ data to ad companies for ad targeting – a practice that is very common for Chinese companies developing free mobile apps. Still, we would advise to at least glance through what permissions an app needs before installing it on your smartphone, and if it’s a bunch too many for what it is, you may want to consider giving it a pass.