A popular app called Meitu is being criticized because of its highly invasive permissions. The Chinese app allows people to apply ‘beauty’ filters on photos to make them look more like manga cartoon characters. However, people are advised not to download the app because it requires access to the device’s model, resolution, Android OS version, MAC address and IMEI number. In addition, the app asks for 23 permissions in total, and it sends the data it collects back to various untrusted servers in China.
The application, which is available for Android and iOS devices, has gone viral in the last few weeks because of its hilarious ability to alter people’s faces in photos. Among those abilities, it can change people’s eyes by adding sparkle, smooth out skin tone, and sharpen other facial features. While it might be great for quickly modifying a selfie, people are concerned that the app requires too many permissions.
Considering the simplicity of what the app does, the permissions are instantly suspect, and are causing many digital privacy advocates to wag their fingers. The IMEI allows firms to track people even when they factory reset their device, reinstall an app or get a new SIM and a new login. This is very valuable to advertisers because it is a device-level ID that can be used to figure out which adverts and apps have been successfully targeted at a specific individual.
It is not just the IMEI either. Meitu requires permission to go into contacts and look at people’s phone numbers. It also wants to know users’ locations using GPS. In addition, the Android version (which is the most invasive) also sends back information about people’s calendar, contacts, SMS messages, and the contents of external storage such as SD cards, to various servers located in China. On iOS, Meitu even checks to see if the iPhone is jailbroken: if it is, it accesses and retains even more valuable data.
This is no joke and means that Meitu amounts to a surveillance program disguised as a cute photo filter app. The amount of data being hoovered up from its users is hugely troublesome, and is yet another example of why people need to start carefully checking app permissions before they accept the app onto their devices. Sure, it is nice to download fun apps that are free. However, when they are free you also have to ask yourself the question: why? This question can usually be answered by looking in the permissions.
Apps often sell data on to third-party advertisers. Those advertisers pay app makers good money for the data that they manage to snoop off users’ devices. In this case, the amount of data being taken is astonishing and is probably making the Chinese developer of Meitu a lot of revenue. As such, despite the fact that users don’t pay for the app out of their own pocket, someone does pay for the app – at a cost to those users’ privacy.
In total, the app has been downloaded a massive 1.1 billion times. On its website, the firm claims that it has 456 million active monthly users around the world. That is a huge volume of downloads and means that the firm has the unique IMEI numbers or MAC addresses of a staggering number of people.
It Is Your Decision
Jonathan Zdziarski, a digital privacy expert who has analyzed the permissions on the app, made the following comment on Twitter:
“If you like being the target of marketing and big data, by all means run Meitu. I’m sure whoever’s buying their data will thank you.”
Matthew Garrett of CoreOS agrees, and explains that a device-level ID, rather than an app level ID, is far more useful for advertisers, who can start to gather data about users across various app platforms. This gives advertisers a unique ability to know who is seeing which adverts – something that they highly value:
“Using the same ID between multiple apps makes this easier, and so using a device-level ID rather than an app-level one is preferred. The IMEI is the most stable ID on Android devices, persisting even across factory resets.”
Some people, however, think that the surveillance capabilities of Meitu could potentially be more sinister than Zdziarski and Garrett believe. An app developer called Brianna Wu, who is a candidate for the US House of Representatives (2018), has gone on the record to say that she thinks the firm is acting in a ‘predatory’ manner. She believes that the app could be a risk to national security and says that if elected she would do the following:
“Worried about Apps like Meitu stealing your information? One of my first acts in congress will be to get an omnibus privacy bill passed.”
Meitu Claims Innocence
Meitu has come forward with an explanation for why it is so invasive. The truth, however, is that the explanation is a little lackluster. It claims that because the firm is based in China it is necessary to snoop on consumers, because tracking on the Google Play store and iTunes is blocked in the country:
“To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks.”
In addition, it claims that the permissions are necessary to allow push notifications to work. However, arguably the firm could simply use regular tracking on servers located outside of China for the purpose of analytics. As such, it seems far more likely that the firm is actually making a profit by selling user data to third parties (why publish such a popular app if not?).
Think Before You Click
As is always the case when downloading apps, people are advised to check the permissions. If it is a torch or a photo editor app and it requires access to more than the photos or the phone’s light, then you probably shouldn’t download the app. Always keep an eye open for apps that ask for the IMEI number, MAC address, or Android ID, as these allow your device to be identified for tracking purposes.
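The permission check advised above can be automated. The following is an added example, not code from the article or from Meitu: it reads an AndroidManifest.xml that has already been decoded to text (for example with apktool) and flags requested permissions that go beyond what a photo editor should need. The sample manifest, the expected-permission set and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permission names mapped to the data the article lists. Older
# Android releases exposed the IMEI and Wi-Fi MAC through the first two.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI)",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi state (MAC address)",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage / SD card",
}

# Assumption: a photo editor plausibly needs only the camera and photo storage.
PHOTO_EDITOR_EXPECTED = {"android.permission." + p for p in (
    "CAMERA", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE")}

# Constructed sample manifest for a hypothetical app; not Meitu's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:  # skip malformed entries that lack android:name
                found.add(name)
    return found

def audit(manifest_xml, expected):
    """Split permissions beyond `expected` into (sensitive, other)."""
    extra = requested_permissions(manifest_xml) - set(expected)
    flagged = {p: SENSITIVE[p] for p in sorted(extra) if p in SENSITIVE}
    return flagged, sorted(extra - set(flagged))

if __name__ == "__main__":
    flagged, other = audit(SAMPLE_MANIFEST, PHOTO_EDITOR_EXPECTED)
    print(flagged, other)
```

Storage access is not flagged for the sample because the expected set allows it for a photo editor; passing a different expected set adapts the check to another app category.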
One security analyst who goes by the name @hacks4pancakes had the following to say on Twitter:
Finally, it is worth bearing in mind that some apps do use the IMEI number to keep track of people who have used a free trial. The IMEI allows firms that offer a free trial to keep tabs on who has had one. Without it, the firms would be susceptible to repeated use of the free trial by scammers who simply factory reset and re-use it.
With that in mind, you are likely to be safe giving a firm that offers a free trial your IMEI, as that is probably how they are using it (though it is also possible that the firm could be selling the IMEI to a third-party advertiser to cover the cost of the free trial).