Meitu is a selfie app that has very quickly gone viral. Almost everyone has come across the grossly exaggerated anime filter that the app applies, if only in passing on social media. However, this seemingly harmless toy has become the poster child for a slew of apps that secretly collect data for the developers to sell.
Several security researchers have taken to social media to highlight the fact that Meitu requests access to far more parts of the phone than any selfie app should. A quick check shows that the app requests permission to access the phone’s dialer, address book, GPS, IMEI information, and, in the case of iOS, checks whether the device is jailbroken.
Those who have dug into the code show that this isn’t exactly a malicious use of the programming APIs; it’s not exactly spying on people. Instead, it collects information about the device type, mobile operator, serial number of the SIM, and exact GPS coordinates.
Interestingly, the methods used are somewhat sloppy. The iOS version doesn’t quite perform its tasks as expected, as there are two API calls that don’t work because the network path specified does not exist. iOS also prevents the app from accessing the device IMEI and MAC address.
The problem here isn’t that Meitu is trying to collect user information, but rather that this is nothing out of the ordinary for these kinds of apps. There are literally hundreds of thousands of apps that behave like this, all for the sake of collecting user data to sell. Why else would someone release a free app with no advertising or in-app purchases?
Jonathan Zdziarski, one of the first to notice problems with Meitu, stressed that this behaviour is not out of the ordinary for these information-gathering apps. If people really want to be concerned, they should take a look at the kind of information Facebook collects through its app.
If you think Meitu is too invasive, boy have I got some news for you about apps.
— Jonathan Zdziarski (@JZdziarski) January 19, 2017
Apple generally tries to avoid this sort of behaviour by preventing apps from accessing some of this information, as is evident from Meitu being locked out of the device IMEI number and MAC address. However, it still allows apps to gather location and contact data if they can come up with a good reason for it.
Android, on the other hand, has introduced stricter privacy controls, where the app will have to ask for permissions one at a time, when it wants them. Ideally, this forces the user to have a close look at what the app wants. In practice, people are probably tapping on the confirm button faster than they can read the notice.
For now, there is little worry about becoming the victim of identity theft by using Meitu. In fact, the worst that can happen is that your data gets sold as part of a bundle to some marketing agency.
This highlights an increasing concern with the information age. Data is quickly becoming an expensive commodity, and some companies will do anything they can to get their hands on more of it. For the sake of privacy, don’t make it any easier for them by installing these apps. No matter how viral they get. After all, there is a reason that Meitu is valued at $2 billion (about RM9 billion) despite only releasing free selfie apps.