Meitu: The photo app sensation proving to be a real privacy nightmare

23 Jan 2017

Person taking a selfie. Image: Kosim Shukurov/Shutterstock

Almost overnight, a photo filter app from China called Meitu become a phenomenon globally, but lurking beneath it is a myriad of privacy concerns that users need to know.

With a rapid rise to the top of app store charts globally, Meitu has been a very popular app in its native China, allowing users to edit their photos with filters that makes them look like anime characters.

But lurking beneath the surface of these filters and the code itself are a number of security issues, as Wired initially reported that the number of permissions asked to access various elements of your phone is very excessive.

The app is a true global hit, with Meitu’s numbers claiming it is now in 26 countries across the world with at least 1m users in each, but a total of 1.1bn installs on smartphones.

Asks for extensive phone info

Aside from needing obvious permissions like access to your phone’s camera, on Android, it also asks users for seemingly unnecessary information like your mobile carrier, GPS location and even your SIM card information.

It doesn’t even stop there, as the app openly asks a new installer to allow the developers access to the person’s personal identifiable information (PII), leaving them incredibly exposed to being tracked online.

What security researchers are worried about in particular is that the app’s origins and number of permissions required make its intentions sceptical, if not worrying, with regard to the amount of data being transferred to Meitu’s native China.

Meitu responds

Speaking to Wired, security researcher Greg Linares described the number of permissions required as very odd, adding that “many apps collect data, however, usually they are well-known company names, which we have already trusted our data with”.

The privacy concerns appear to be most apparent on Android, but iOS users are also being warned that while its permissions appear to be relatively standard for these type of apps, the number of analytics tracking tools in the code is still a major worry, according to iOS security expert Jonathan Zdziarski.

Meitu issued a statement following the accusations, saying: “Meitu’s sole purpose for collecting the data is to optimise app performance, its effects and features, and to better understand our consumer engagement with in-app advertisements.

“Meitu does not sell user data in any form. Data collected is sent securely, using multilayer encryption servers equipped with advanced firewall and IDS, IPS protection to block external attacks.”

Android users have been warned before about problems with downloading apps that ask for excessive permissions, most recently prior to the official launch of Pokémon Go in Ireland, when a number of people were downloading fake versions of the app on the Google Play Store.

At the time, these fake apps were asking users to agree to let them gain access to their messages, phone calls and record audio from the phone, prompting malware warnings.

Colm Gorey was a senior journalist with Silicon Republic