Yesterday afternoon I noticed that my Twitter and Instagram feeds were humming with curiously styled selfies that slimmed faces, lightened skin, and applied a veneer of gloss and sheen that supposedly turned the selfees into animé-like characters. The transformations were courtesy of a Chinese app called Meitu that had suddenly become the height of fashion. I thought Meitu did a fantastic job of producing the archetypal Widow Twankey, so while I wasn’t desperate to have a go myself, I could understand why people were enamoured with it and enjoying a giggle.
And then, just before I went to bed, it appeared that some of the sheen on Meitu was dulling. There were mutters and murmurs that perhaps the app wasn’t all that it seemed, rising to a crescendo of potential-ID-theft-induced panic. Rather than being concerned about its Pantomime Dame proclivities, we should focus on the permissions that it was requesting from phones and, as a consequence, the data it was harvesting. While Meitu would require access to your phone’s camera, did it really need to know such specific information?
Depending on whether you were using the Android or the iOS version of the app, it seemed that Meitu might be scavenging information on your location, your carrier, your wi-fi connection, your calls, other apps you might be running, your device’s IMEI number, or whether it was jailbroken. Given that Meitu is a Chinese-owned app, just what did it want with these data?
This morning the slightly panicked tweets and alarmist admonitions have toned down, but there remains a sense of unease surrounding Meitu. Just how intrusive is it? Are we right to be concerned that it is accessing more of your phone than it is entitled to? I’ve summarised the general sentiments.
By general reckoning, Meitu’s Android app is far more invasive than the iOS version. In particular, it relays your phone’s IMEI number (a unique identifier) to Meitu. That’s in addition to GPS data, and call, carrier, and wi-fi information. While it has been pointed out that it might well be a Chinese legal requirement for Meitu to collect this sort of information, it is raising concerns for Greg Linares (info sec expert) and ‘security pessimist’ @FourOctets.
Let me get this straight…
All of you just installed a photo app from China that requires these permissions? Let me know how it works out. pic.twitter.com/wGDUYbRdSA
— Greg Linares (@Laughing_Mantis) January 19, 2017
Take a look at the entire list of permissions from the Meitu app. pic.twitter.com/AkSw2Z50T7
— FourOctets (@FourOctets) January 19, 2017
And, as @FourOctets points out, this isn’t restricted to Meitu.
The consensus on the iOS version of Meitu is that it isn’t nearly as insidious as the Android offering. Both Will Strafach (info sec specialist) and Jonathan Zdziarski (forensic scientist) are of the opinion that the data Meitu on iOS is collecting are generally comparable to those gathered by many other apps available in the App Store, even if it does want to know if your phone is jailbroken.
Like I said in several prior tweets, Meitu is just par for the course crapware with ad tracking. Just. Like. Thousands. Of. Other. Apps.
— Jonathan Zdziarski (@JZdziarski) January 19, 2017
For Zdziarski, the issue here isn’t about Meitu specifically. It’s about paid ad trackers in general: ‘They’re overly invasive and in thousands and thousands of apps people use.’ It comes back to the adage that if you’re not paying for a product with your money, you’re paying for it with your data. The developers have to make it pay somehow.
Meitu might have created a storm last night, but it isn’t isolated in its practices. As plenty of commentators have pointed out, data harvesting is normal. It’s how people make their money. Whether or not you want to download or continue using Meitu comes down to how comfortable you are releasing that much of your information to a company without knowing how it will be used. Meitu doesn’t blow back my hair; I’ve not downloaded it and I don’t intend to. But at least you can make a slightly more considered choice now, and apply it to other apps you download.