Have you heard about Meitu, the photo retouching mobile app that turns people into more cutesy or beautiful versions of themselves? Chances are that even if you don’t know the app’s name, you’ve already seen examples of the final product posted on a social network of your choice.
The app has been a favorite of Chinese users for a while, but is only now taking the rest of the world by storm.
And, naturally, something that gains such huge popularity in such a short time will get some attention from security researchers – especially if it can be downloaded for free.
The Android version of Meitu asks for too many permissions
These are the permissions the Android version of the app asks of users:
Here is some more information about those (as noted by a “security pessimist” that goes by “FourOctets” on Twitter):
Don’t you think these permissions are simply too much for an app whose main purpose is to retouch and edit selfies and allow them to be posted online?
Meitu on iOS is not so inquisitive
As far as I could tell, the iOS version asks for a much smaller number of permissions (e.g. access to camera and photos), which are obviously needed for the app to function as it should.
Some security pros decided to take a look at the code and behaviour of the iOS app, and revealed that the Chinese company behind it is harvesting some info about the devices it’s running on, but nothing out of the ordinary.
Researcher Will Strafach did a brief assessment of it, and found that “the information collected by this app would appear to be on-par with analytics information collected within most iOS apps which are currently live in the App Store.”
iOS security expert Jonathan Zdziarski also took a peek, and came to the same conclusion.
He did find that the app checks whether the iPhone on which it runs has been jailbroken, but other than that, the “only thing I can ding Meitu for is using so many ad trackers; it’s ones like Google AdMob ‘Reward Based Video Ad Network’ that are evil,” he noted on Twitter.
“Meitu isn’t doing anything that thousands of other greedy developers aren’t doing in selling you out. The tracking companies need exposure.” “If you like being the target of marketing and big data, by all means run Meitu. I’m sure whoever’s buying their data will thank you,” he added.
All this should not come as a shock to users, but many are not even aware of the fact that many apps use ad trackers or, if they are, are not worried about it.
Unfortunately, this has become normal and accepted, and I don’t see it changing any time soon.