Experts: Meitu Selfie App Records Way Too Much Info About You

Its explanation for why it needs so much information about your phone doesn't add up, experts say

Jan 20, 2017 at 2:59 PM ET

Chinese app Meitu, which has risen suddenly to popularity in the U.S. this week, collects far more information about you than is necessary, security experts say.

Meitu is a simple app that alters users’ selfies to look like, I guess, anime characters: in the name of beauty, you can use it to shade and shape your face, as well as to give it more of an anime look. But it’s big business in China, where it went public in December, and it’s now worth more than $4 billion.

As it becomes popular among users in the U.S., however, often as a novelty, security researchers have noticed that it demands a significant amount of information from users’ phones, far more than should be necessary.

The iOS version of the app sends a host of user information to the company’s servers in China, including phone model, operating system, your location, and which phone provider you use. While unnecessary for Meitu’s function, that doesn’t make it particularly unique: a host of less popular apps also ask for far more information and permissions on your phone than necessary.

The Android version, however, asks for far more, including IMEI, your phone’s unique identifying marker; ICCID, which uniquely identifies a SIM card; your location; and whether your device has been jailbroken.
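Whether an app asks for more than its feature set needs is something a reviewer can check before installing it, by reading the permissions declared in its Android manifest. The script below is an added example, not code from the article or from Meitu: it parses a constructed sample manifest (not Meitu’s real one), maps each declared permission to the kind of data it unlocks (READ_PHONE_STATE is what exposes the IMEI and ICCID the article mentions; the two location permissions expose location), and reports everything outside an assumed baseline of what a photo-filter app plausibly needs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for this example (not Meitu's real manifest).
# It declares what a selfie-filter app plausibly needs plus the permissions
# behind the device identifiers and location the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.selfieapp">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>
"""

# What each permission lets an app read about the device or its owner.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": [
        "IMEI (device identifier)",
        "ICCID (SIM serial)",
        "carrier and phone number",
    ],
    "android.permission.ACCESS_FINE_LOCATION": ["precise location"],
    "android.permission.ACCESS_COARSE_LOCATION": ["approximate location"],
    "android.permission.READ_CONTACTS": ["contacts"],
    "android.permission.GET_ACCOUNTS": ["account names on the device"],
}

# Assumed baseline for a photo-filter app: camera, image storage and network
# for uploads. Anything beyond this is flagged for the reviewer to question.
BASELINE = {
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}


def declared_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]


def excess_permissions(manifest_xml, baseline=BASELINE):
    """Map each permission outside the baseline to the data it exposes.

    Permissions not in the SENSITIVE table are still reported, as
    'unclassified', so nothing outside the baseline slips through silently.
    """
    findings = {}
    for perm in declared_permissions(manifest_xml):
        if perm in baseline:
            continue
        findings[perm] = SENSITIVE.get(perm, ["unclassified"])
    return findings


if __name__ == "__main__":
    for perm, exposed in excess_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: exposes {', '.join(exposed)}")
```

Root detection, the remaining item on the article’s list, needs no permission at all, so a manifest review cannot see it; that part only shows up in traffic or code analysis. Note also that on Android 10 and later, non-resettable identifiers such as the IMEI and SIM serial are no longer readable by ordinary apps even when READ_PHONE_STATE is granted, so the same manifest says less about what an app can actually collect on a current device than it did in 2017.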

If such information were provided to a malicious user, like a criminal or government hacker, it would be an important step towards cloning your phone, a process by which all information on a device is copied to another device, security researcher Greg Linares told Vocativ.

“Obtaining an IMEI number — which should very, very rarely change on a device — is a great way to link a user to a device. Since they are taking the ICCID data, which is carrier data, that can help lead towards the path of cloning,” he said.

“This app is already collecting this information, and the company should really have no marketing need for it.”

In a long statement sent to Vocativ, Meitu insisted that its “sole purpose for collecting the data is to optimize app performance, its effects and features and to better understand our consumer engagement with in-app advertisements.” It included a step-by-step list of why Meitu claims to require each permission (often, it said, to ensure Meitu’s advertisement network functions properly and is able to circumvent firewalls), but its explanations didn’t allay researchers’ concerns.

“I don’t have a lot of confidence in their reasoning based on this document,” researcher Jonathan Zdziarski told Vocativ. “The reasoning makes little sense. You don’t need to track all of that information to bypass a firewall, and you don’t use a bunch of ad trackers to bypass a firewall either. It’s almost nonsensical.”

That’s not to say that Meitu has nefarious plans for user data. However, the researchers say, asking for so much personal information is relatively common among apps, yet it has the potential to endanger users’ security if that information is hacked or stolen.

“I think everyone probably suspects now that Meitu is crapware, and if they choose to run it that’s their business,” Zdziarski said.