Meitu, the popular app that transforms your selfie into a stylized dream, is hiding a dark secret. It emerged this week that the app is harvesting user data, sending unique device identifiers to Chinese servers and pushing for user permissions to access other information.
It’s an issue security researchers fear could grow to become an accepted risk of free apps. Make a simple, desirable app, get everyone to download it, and ignore the potential consequences of entrusting device permissions in the hands of third parties.
“It’s becoming the new normal,” Greg Linares told TechCrunch in a story published Friday. “It’s because were at this point in society, people want to generate their likes and retweets. People download this app and put security in the backseat to make sure they have their social media presence.”
The iOS version collects notably less data than the Android version, with Apple’s stringent App Store rules limiting what developers can ask for. On the iOS side, the app checks for the user’s carrier, whether the device is jailbroken, and asks for the device’s unique identifier. The Android version asks for a far longer list of permissions, including location data, access to USB storage contents, full network access, and the ability to run at startup.
Meitu has been popular in China for a few years now, and its potential security risks have been previously documented even in English-speaking media. PCWorld noted in 2014 that iOS devices were at risk to a malware attack known as WireLurker. The attack would copy an app, infect it and load it back onto the device, with Meitu named as an app at risk from the attack.
Meitu claims that, as tracking services provided by Apple and Google are blocked by China, the app needed to come up with other ways to track the same information. “To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent,” a spokesperson told CNet. “Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks.”
The long list of Android permissions, according to the spokesperson, is a problem with the third-party notification service that Meitu uses. The app can’t use Google Play’s services because of the aforementioned China restrictions, which means no Google-powered notifications. The alternative solution the app uses, Getui, asks for the extra permissions.
Perhaps Meitu is telling the truth, and the heavy data collection is just for internal tracking usage. But this is the risk with free smartphone apps: it’s all about trust, and it’s better to exercise caution by not handing the data over in the first place.
Is it worth having your information harvested just to look pretty on social media?