Security researcher Greg Linares questioned the app’s permissions, many of which you wouldn’t think would be needed to beautify one’s face, including GPS location, modify/delete contents of USB storage, call information, and Wi-Fi connections.
The iOS version even contains some sketchy code that could determine if your phone is jailbroken and attempts to gather data about your mobile carrier. This could potentially allow it to identify your device using its MAC address.
Equally concerning is the claim that Meitu is capable of gathering the IMEI number from your smartphone, which Linares says is the “starting point for someone to clone your phone and intercept your calls and sms.”
A follower of Linares says he downloaded the app on a lab device and saw its unique identification number travel across the network to China.
Asking for seemingly superfluous permissions isn’t unique to Meitu; it’s practically ubiquitous thanks to how much companies now value data. The extent of Meitu’s inquiries go beyond most other apps, but its country of origin and popularity may have led to some added scrutiny.
Meitu released a statement to TechCrunch hoping to ease the concerns of U.S. users:
“We have noticed the reports and it’s such a nice problem to have with our App being noticed by the media, celebrities, and consumers,” a Meitu spokesperson told TechCrunch in an email. “I’d like to assure you that we work closely with Apple and Google on every product release and we follow privacy policies rigorously. I tend to think our engineers are smart enough and don’t have to use stolen codes.”
It released a separate statement to CNET claiming it’s not selling any of your data to anyone. The company said that sketchy code in its iOS version was included because China, where the company is headquartered, blocks Google Play Store and Apple App Store tracking services.
“To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent,” a Meitu spokesperson told CNET. “Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks.”
The company has said nothing of scaling back its permissions. In the end, it is up to the user to decide if they are OK giving away personal information about themselves for an app that probably doesn’t require it.
Hopefully the attention Meitu has received will bring awareness to those easy-to-skip permission screens, and make people first consider if an app is more important than their personal information.