Meitu, a popular Chinese app that has recently gone viral among users in the US, reportedly has serious security and privacy issues. The app has been popular for several years in Asia and recently gained ground on social media in the US, where its anime-style photo editing tool appears to have become a major hit with users. It also reportedly contains code that instructs users' phones to send a substantial amount of data back to China and possibly elsewhere across the globe.
Meitu, which is available for download on both Android and Apple, comes with attractive photo-editing features that allow users to give their pictures an airbrushed makeover. The app, however, demands access to users' data and various features on people's smartphones, seemingly collating a sizeable amount of data on its users, according to a report by Wired.
Although it is common for apps to request access to users' data on smartphones, most apps are generally designed to ask for the fewest "permissions" they need.
Meitu collecting user data that could be used to clone phones
However, Meitu goes beyond its contemporaries, demanding access to users' GPS location data, Wi-Fi connection data, cell carrier information, jailbreak status, SIM card information, and personally identifiable information (PII), which could potentially be used to track users and their devices across the web.
According to security researcher Greg Linares of Vectra Networks, the app also appears to be collecting the IMEI numbers of devices, which could potentially be used "to pair a phone with an individual and then, with the right equipment, you can clone the phone and intercept calls, SMS," the Intercept reported.
"Many apps collect data, however usually they are well-known company names which we have already trusted our data with," said Linares. China-based Meitu, however, is "a foreign company, and they are collecting some very odd data that shouldn't be looked at necessarily for the application functioning."
Does Meitu come with a backdoor?
According to security researchers, Meitu's source code revealed that the app collects users' information such as time zones, MAC address, screen resolution and more for "business analytics". Researchers have cautioned against deeming the app's code a backdoor, given that Meitu does seek user permissions. However, it is likely that users are signing away their private data without fully reading and/or understanding the app's demands.
"Meitu's permissions are seriously long, and if unsuspecting users are allowing these permissions, Meitu can get this information," independent security researcher Jay Bennett said.
According to iOS forensic researcher Jonathan Zdiarski, who tracked the Meitu app on an iPhone, the app checks whether a device is jailbroken and allows developers to "use undocumented APIs".
"This app has a lot of ways to track you," he said, adding that code in the app allows it to track users' location via a photo's geolocation tag.
Zdiarski said, "It's mostly par for the course junk. I didn't see anything overtly evil, but that doesn't mean there's not something more serious in there. The thing [that's noteworthy] is the number of different analytics and ad tracking packages they've loaded into the app. I counted at least half a dozen different packages in there. You don't generally need that many unless you're selling data."
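The kind of review the researchers quoted above describe (comparing an app's requested permissions against what its stated purpose needs, and counting how many distinct analytics or ad SDKs are bundled) can be scripted against a decompiled app's manifest and class list. The following Python is an added example and is not code from the article, from Meitu, or from any of the researchers quoted. The manifest, class names and tracker package prefixes are constructed for illustration, and the set of permissions treated as "expected for a photo editor" is an assumption; only the Android permission names themselves are real.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the kind of data they expose.
# The grouping into "sensitive" is the reviewer's judgement, not a platform rule.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection data",
    "android.permission.READ_PHONE_STATE": "IMEI / carrier / SIM information",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.READ_CONTACTS": "contacts",
}

# Assumption: what a photo-editing app plausibly needs to function.
EXPECTED_FOR_PHOTO_EDITOR = {
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical photo editor; not Meitu's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoeditor">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>
"""

# Constructed class names as a decompiler would list them; the tracker
# package prefixes are hypothetical, not real SDK vendors.
SAMPLE_CLASSES = [
    "com.example.photoeditor.MainActivity",
    "com.example.photoeditor.filters.AnimeFilter",
    "com.trackerone.sdk.Analytics",
    "com.trackerone.sdk.Session",
    "net.adnetwork.two.AdLoader",
    "org.metrics.three.Collector",
]
TRACKER_PREFIXES = ("com.trackerone.", "net.adnetwork.", "org.metrics.", "io.tracker.four.")


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def audit_manifest(manifest_xml, expected=EXPECTED_FOR_PHOTO_EDITOR):
    """Split requested permissions into expected, sensitive-but-unexpected, and other."""
    requested = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p]
                 for p in requested if p in SENSITIVE_PERMISSIONS and p not in expected}
    return {
        "expected": requested & expected,
        "sensitive": sensitive,
        "other": requested - expected - set(sensitive),
    }


def count_tracker_sdks(class_names, prefixes=TRACKER_PREFIXES):
    """Return the sorted list of distinct tracker package prefixes present in the app."""
    return sorted({p for p in prefixes if any(c.startswith(p) for c in class_names)})


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, what in sorted(report["sensitive"].items()):
        print(f"sensitive permission not needed for photo editing: {perm} ({what})")
    trackers = count_tracker_sdks(SAMPLE_CLASSES)
    print(f"{len(trackers)} distinct analytics/ad SDK package(s): {trackers}")
```

Run against a real APK, the manifest comes from the decompiled output and the class list from its dex files; the point of the split is that a permission is only a finding when it is both data-sensitive and unexplained by the app's purpose, which is exactly the judgement the researchers above apply to location, Wi-Fi and phone-state access in a photo editor.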
Meitu recently released a statement in response to privacy concerns raised about the app. The firm said it takes users' "personal data very seriously." The firm said it only collects information to enhance the app's performance, adding that Meitu "does not sell user data in any form".
"Meitu has a strong partnership with Google Play — including being a part of their prestigious Sand Hill program," a Meitu spokesperson said adding that, "[Google]'s provided a lot input and insight to help improve the app experience for different markets around the world."