This free app may give you the perfect selfie but there’s a much higher cost involved

A new photo app that has been popular in China is now making global waves. And not just for its ability to create the ‘perfect selfie’. Security experts believe the app, called Meitu, is collecting much more data than it reasonably needs and it could have dark consequences.

A perfect selfie

In today’s selfie-obsessed world we seem to need more and more ways to curate the ultimate portrait of ourselves. CamMe, FaceTune, and Perfect365, for instance, are SmartPhone apps that all help to enhance features, get rid of dark circles or straighten a slightly crooked yet charming nose.

But the app market has taken it even further. SnapChat has made millions of users around the world into fairy queens and puppy dogs with their animated filters. Meitu is the latest app that’s been getting quite a bit of press recently. It’s a photo editor that retouches your selfies by brightening skin and smoothing out imperfections. It also has an FX editor that adds pastel hues and elfin features. It was an absolute hit in China and now the rest of the world is catching on.

But the security voice of doom has cast a shadow over its success.

Meitu, while completely free, wants your data.

In addition to accessing your camera, it wants permission to collect your phone’s location and time zone, Wi-Fi details and local IP address. And it also wants your SIM card number, whether the phone is jailbroken and any IMEI/IMSIs numbers.

Security expert Greg Linares suggests these requirements go beyond the necessary for ordinary photo apps and could have darker implications:

Let me get this straight…
All of you just installed a photo app from China that requires these permissions? Let me know how it works out. pic.twitter.com/wGDUYbRdSA

— Greg Linares (Laughing Mantis) (@Laughing_Mantis) January 19, 2017

He told Wired magazine:

This information can be used to track the individual’s physical location, day-to-day behaviours, as well as starting the process of performing a cell clone.

In response to the concerns, Meitu said:

Meitu’s sole purpose for collecting the data is to optimise app performance, its effects and features and to better understand our consumer engagement with in-app advertisements.

Forensic scientist, Jonathan Zdziarski took to Twitter to comment on the app saying. He claimed that Meitu was a “throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it”. But some might argue that basically describes any free app from Google Play or the App Store.

That describes every free app ever.

— DaveP (@DavePee) January 20, 2017

Will Strafach from Sudo Security Group told TechCrunch that the information is partially sensitive but wasn’t uncommon:

People are not really aware how common this sort of thing is, I believe. Additionally, many are saying that the Android version is more invasive than the iOS version. I think it’s very good that a discussion has been started though, and I hope it will encourage infosec folks to crack open more apps and see what they do

Who else is ripping off your data?

WhatsApp’s new user agreement allowing it to share data with Facebook concerned many. Researchers also found a security issue, that could make communications vulnerable to interception.

MapMyRun, LoseIt and PeriodTracker are among 20 health apps that sold users’ data to third party advertising and analytics companies.

Pokemon Go, the augmented reality game and popular app, raised concerns regarding the amount of personal data it was collecting without users’ knowledge through a Google sign-in.

Angry Birds was another of the casual game variety that hoards personal information.

While companies seem to give their smart phone apps away for free, that’s not wholly accurate. They have to survive somehow. And optimising advertising by understanding consumer behaviour is how they justify collecting your data.

But it’s the transparency that’s missing. Consumers aren’t always aware what they are agreeing to or what nefarious consequences it could have. It’s relatively easy for companies to acquire, hold and pass on data. You have no idea what they’ll use it for, but they know an awful lot about you.

Get Involved!

– Read more articles about online privacy in The Canary.

Featured image via Instagram