A Chinese app which allegedly makes selfies look more attractive—or more like an anime character, at any rate—has a dark secret: it demands permissions for far more personal data than it needs, including users' IMEIs, phone numbers, and GPS coordinates.

Meitu, an app which has been out for years on both iOS and Android in China, has shot to fame outside the country in the last few weeks, due to the "beauty" filters it can apply to people's selfies. Among other functions, it can sharpen people's jaws, put a sparkle in their eyes, and smooth out and lighten their skin.

The result? Meitu-filtered pictures are suddenly everywhere. The backlash, however, has been just as swift.

Almost as soon as infosec bods became aware of it, they found numerous serious privacy flaws and avenues for potential leaks of personal data. One eagle-eyed researcher found the Android version of the app asked users for dozens of intrusive permissions, and sends the data to multiple servers in China—including a user's calendar, contacts, SMS messages, external storage, and IMEI number.

Take a look at the entire list of permissions from the the Meitu app. pic.twitter.com/AkSw2Z50T7 — FourOctets (@FourOctets) January 19, 2017

The permissions are also out there as well pic.twitter.com/d3GuAVfM7t — FourOctets (@FourOctets) January 19, 2017

The Android version of the app is agreed to be the more insecure, as the OS allows it to seek significantly more permissions, but according to digital forensics expert Jonathan Zdziarski, the app secretly checks to see if a user's iPhone is jailbroken—presumably to see if it can use that information to gather additional data.

On its website, the company boasts 1.1 billion installs, as well as 456 million active monthly users around the world. What it doesn't do, however, is give any indication at all about what it does with all the data it collects. Most observers believe the data is being harvested to sell to advertisers. As Zdziarski added on Twitter, "if you like being the target of marketing and big data, by all means run Meitu. I’m sure whoever’s buying their data will thank you."

"Why would anybody want these IDs?" asked Matthew Garrett of CoreOS. "The simple answer is that app authors mostly make money by selling advertising, and advertisers like to know who's seeing their advertisements. The more app views they can tie to a single individual, the more they can track that user's response to different kinds of adverts and the more targeted (and, they hope, more profitable) the advertising towards that user.

"Using the same ID between multiple apps makes this easier, and so using a device-level ID rather than an app-level one is preferred. The IMEI is the most stable ID on Android devices, persisting even across factory resets."

However, developer Brianna Wu disagreed, and seems to believe the data is being collected for more sinister reasons than invasive advertising. She claimed Meitu was "predatory," adding: "It's not just a consumer issue, but a national security issue."

Whatever their views on the purpose of Meitu's data collection, however, everyone seems to be in agreement about one thing: think very carefully about your personal security before downloading and using the app.

Update

A Meitu spokesperson claimed to CNET that, because the company is headquartered in China, it was necessary to include the data collection code in the app to circumvent the country's blockage of tracking services from the likes of Apple and Google's app stores. It said:

To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks.

Listing image by Sebastian Anthony