Meitu

Meitu is a popular app that transforms your selfie into an adorable anime character. You've probably already downloaded it. In exchange for the simple pleasure of giving you an absurd makeover, though, it demands sprawling access to your personal data and numerous features of your smartphone, seemingly collecting a bloat of information about you in the process. Wannabe nymphs and sprites everywhere: be warned.

It's normal for apps to need access to a variety of data and functions on a smartphone so they can run properly and deliver their service. But responsible apps ask for the fewest number of "permissions" possible so they don't have access to anything they don't absolutely need. It's natural, for instance, for Meitu to access your camera. But it also has access to users' GPS location, cell carrier information, Wi-Fi connection data, SIM card information, jailbreak status, and personal identifiers that could be used to track you and your device across the web.

"Many apps collect data, however usually they are well-known company names which we have already trusted our data with," says Greg Linares, a security researcher at the threat management firm Vectra Networks. Meitu, based in China, is "a foreign company, and they are collecting some very odd data that shouldn't be looked at necessarily for the application functioning."

Experts say that the reason for the manifold permissions, seemingly unrelated to its core purpose, is the numerous pre-built analytics and ad-tracking packages that weigh Meitu down. "Meitu has a strong partnership with Google Play—including being a part of their prestigious Sand Hill program," Google's boutique booster program for companies with viral potential, says a Meitu spokesperson, who also indicated that a more detailed response may be coming. (We'll update if and when it does.) "[Google]'s provided a lot input and insight to help improve the app experience for different markets around the world." A preliminary analysis of the Meitu iOS app by Will Strafach, co-founder of the app security firm Verify.ly, found that it collects a variety of personal data, but nothing far outside the norm.

Meitu's not alone in loading up on hidden adware, of course, and it's always important to pay attention to the permissions any app requests. Even well-known apps like Pokemon Go can run into problems if people discover that the programs can access too much. But without technical know-how there isn't always a way to know the extent of an app's reach. And with a popular app like Meitu it can be impossible to determine a developer's true motives, though the company's privacy policy seems to limit exposure to third parties.

"I could spend days analyzing this code," says iOS security researcher and forensics expert Jonathan Zdziarski, who gave the Meitu app a once-over. "It’s mostly par for the course junk. I didn’t see anything overtly evil, but that doesn’t mean there’s not something more serious in there. The thing [that's noteworthy] is the number of different analytics and ad tracking packages they’ve loaded into the app. I counted at least half a dozen different packages in there. You don’t generally need that many unless you’re selling data."

Meitu makes a number of apps and features for different geographic markets, so some of the overreach may have to do with attempting to create interoperability between all of its services. You probably aren't alarmed that Apple, for example, demands fairly free rein so its services can talk to each other. But free apps merit skepticism. After all, they're generating revenue somehow. If you can't figure out the business model, the app could well be collecting and selling some of your personal information to advertising services looking to dole out more and more effective ads.

To protect themselves, Android users should check the list of requested permissions before downloading an app, and can use the operating system's granular permissions options to control what each app can actually access. Users can also change their minds and revoke permissions they once approved. (Older versions of Android have a bit less flexibility, so update if you can.) In iOS it's harder to see in the App Store what permissions an app will require, but iOS also offers detailed controls in Settings, and actively prompts users the first time an app attempts to access something, like the microphone, to request opt-in permission.
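The permission check described above can be automated before an app is installed. The following is an added example, not part of the original article: it parses text in the format printed by `aapt dump permissions` and flags requests that go beyond what a photo app plausibly needs. The package name, the baseline, and the mapping from permissions to the data categories named in the article are assumptions of this example, not Meitu's actual manifest.

```python
import re

# Android permissions mapped to data categories the article names.
# This mapping is an assumption of the example, not any app's real manifest.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "SIM, carrier and device identifiers",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection data",
}

# What a photo-editing app plausibly needs (assumed baseline).
BASELINE = {
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Accepts "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return the set of permission names found in the dump text."""
    perms = set()
    for line in dump.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def audit(dump):
    """Split requests outside the baseline into tracking-related and other."""
    extra = parse_permissions(dump) - BASELINE
    return {
        "tracking": {p: SENSITIVE[p] for p in sorted(extra) if p in SENSITIVE},
        "other_unexpected": sorted(p for p in extra if p not in SENSITIVE),
    }

# Constructed sample for a hypothetical package; not taken from a real app.
SAMPLE = """\
package: com.example.selfie
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: android.permission.ACCESS_WIFI_STATE
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    for section, items in audit(SAMPLE).items():
        print(section, items)
```
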

It's no fun letting a meme pass you up because you're worried about privacy, but it's even worse to have your personal data taken for who knows what without you realizing it. Meitu may not be an outlier in the world of adware-bundled apps, but its popularity provides a useful teachable moment. Like a fantastical anime makeover, free apps often look snazzier on the surface than what's hiding underneath.

*This post has been updated to include analysis from Will Strafach.*

Update January 20, 2017 4:15 p.m.: The company says that it does collect data like unique identifiers (MAC address/IMEI number), GPS location, cell carrier, jailbreak status, and LAN IP. It added in a statement that, "Meitu’s sole purpose for collecting the data is to optimize app performance, its effects and features and to better understand our consumer engagement with in-app advertisements. Meitu does not sell user data in any form. As Meitu is headquartered in China, many of the services provided by app stores for tracking are blocked. To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely."