Free selfie app Meitu has recently skyrocketed in popularity here in the US (despite being available in China for years); however, according to infosec researcher Greg Linares and several others, Meitu may be snapping up a lot more than cutesy beauty shots.
Let me get this straight…
All of you just installed a photo app from China that requires these permissions? Let me know how it works out. pic.twitter.com/wGDUYbRdSA
— Greg Linares (@Laughing_Mantis) January 19, 2017
Apparently, Meitu (available for free in Google Play & Apple’s App Store) requests far more permissions on a user’s phone than a selfie app should need in order to function. Camera & camera roll access aside, Linares points out in this thread that the Android version of Meitu is also capturing and reporting carrier & call info, unique device identifier numbers, and users’ precise locations.
iPhone users are spared from sharing their device IDs thanks to Apple’s restrictions, but are still providing Meitu devs with carrier information and whether or not their phone is jailbroken, according to a report on TechCrunch.
Free apps requesting excess permissions from users is nothing new; it is, in fact, one means by which many of these apps earn revenue, by aggregating user behavior & selling this data to advertisers and analytics firms. However, in the case of selfie app Meitu (and countless, unnamed others), it’s highly unlikely that most users realized just how much they were giving up in exchange for a free utility; and, without knowing explicitly what companies plan to do with this data, who’s to say it won’t be used for nefarious purposes?
In response to TechCrunch’s report on the security issues surrounding Meitu, a spokesperson for the app said the company works “closely with Apple and Google on every product release…we follow privacy policies rigorously”. The company did not answer questions regarding the type of data it collects, or what it does with the info.