Meitu, a Chinese selfie editing app, has amassed billions in downloads since launching in 2008; it’s been trendy in Asia for several years, and just recently began gaining popularity in the United States. The anime-style photo-editing tool, which is available through the Apple and Android app stores, features airbrushed, fairylike depictions of people.
But there’s a serious privacy and security issue with the app, according to mobile security researchers who performed tests running the application, primarily on Android phones. The code instructs users’ phones to send a large amount of data back to China, and possibly around the world.
That information could potentially be used to spy on users and their communications.
Some of the application’s permissions, presented before users download the app, include access to the calendar, camera, geolocation data, contacts, screen resolution, photos, the contents of the phone’s USB storage, and other data.
The application also appears to be collecting the IMEI number, the unique identifier of users’ phones, according to Greg Linares, a security researcher who examined the application. The IMEI is a 15-digit serial number that can pinpoint the phone’s country of origin and individual model.
Linares says the information being collected would allow someone “to pair a phone with an individual and then, with the right equipment, you can clone the phone and intercept calls, SMS.”
Cloning phones, which is illegal in most countries, is a relatively easy and inexpensive way to enable spying, according to Linares.
“The information is nice to have, good to sell to other individuals or organizations who would readily have the tools, means, and interest of cloning devices,” he wrote. “I doubt the company behind the app is doing it themselves…[but] there is the potential for individuals intercepting stolen information in transit as well.”
Meitu published a statement on Friday in response to concerns about the application’s privacy and security, saying that the company takes “personal data very seriously” and only collects information to improve performance of the app. Meitu “does not sell user data in any form,” the statement says.
However, if hackers got ahold of this data, it would provide them a lot of detailed information on millions of people who have downloaded the app, according to Linares. “Imagine pairing this data with other compromised data,” he said, noting the massive theft of security clearance information from the Office of Personnel Management announced in 2015, a breach often tied to China.
However, iOS forensics researcher Jonathan Zdziarski says there’s probably nothing special or malicious about Meitu. He decompiled the iOS app and primarily found tracking capabilities he assumes are used to build up ad revenue. “If someone walked up to me and asked me about Meitu, I’d tell them it’s just a piece of crapware with a bunch of ad trackers,” he wrote.
China’s Cyberspace Administration also recently issued new rules requiring apps to collect data to authenticate users by tying them to verified phone numbers or other information.
Nick, an independent security researcher who goes by “FourOctets” on Twitter, performed a forensic analysis on an Android phone in his lab to confirm the findings. His tests captured the traffic as it left the device on its way to China.
The Intercept ran an additional report that revealed “information leakage” from the network: the app sent strings of numbers, including what appeared to be an IMEI number, to many different IP addresses in China.
Jay Bennett, another independent security researcher interviewed by The Intercept, fully decompiled the application and shared the result, confirming that Meitu collects the IMEI number along with information like your time zone, MAC address, screen resolution, and SIM card details for “business analytics.”
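As an added defender-side illustration (not code from the article, the researchers, or Meitu), the Python scan below runs over constructed outbound request lines of the kind captured in such a forensic test and flags the two identifiers the researchers reported leaving the device: 15-digit IMEI-shaped numbers, validated with the Luhn check digit every IMEI carries, and MAC addresses. The hostnames, paths and values are constructed, not real endpoints or real captures.

```python
import re

# IMEI: exactly 15 digits not embedded in a longer digit run; MAC: six hex pairs.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check: an IMEI's 15th digit is a check digit over the first 14."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(request_line: str) -> dict:
    """Return Luhn-valid IMEI-shaped numbers and MAC addresses in one request line."""
    return {
        "imei": [n for n in IMEI_RE.findall(request_line) if luhn_valid(n)],
        "mac": MAC_RE.findall(request_line),
    }


def scan(requests):
    """Keep only the request lines that carry an identifier, keyed by the line."""
    report = {}
    for line in requests:
        hits = find_identifiers(line)
        if hits["imei"] or hits["mac"]:
            report[line] = hits
    return report


# Constructed sample of outbound request lines as seen leaving the device (not real traffic).
SAMPLE_REQUESTS = [
    "POST http://analytics.example/collect?imei=490154203237518&tz=America/New_York&res=1080x1920",
    "GET http://cdn.example/banner.png",
    "POST http://stats.example/device mac=02:00:00:AB:CD:EF&sim_mcc=310&sim_mnc=260",
    "GET http://tracker.example/ping?id=123456789012345",  # 15 digits but fails Luhn: not flagged
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(line.split()[1], "->", hits)
```

The Luhn filter is what separates a real IMEI from any other 15-digit counter or session id in the same capture.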
While the code might seem like a purposeful security flaw designed to covertly gather personal information without users being aware, Bennett and other researchers caution against calling it a backdoor, because Meitu does ask for permission to access at least some of the data. Users might not understand or read what they are approving, however.
“Meitu’s permissions are seriously long, and if unsuspecting users are allowing these permissions, Meitu can get this information,” Bennett wrote in a message to The Intercept.
The application now has a privacy policy published on its website that mentions IMEI data—information not previously included on the app store, according to @FourOctets. It’s unclear when the page was updated or published. But other applications created by the same company, like MakeupPlus, collect the same type of information as Meitu—but those privacy policies have not been updated, according to @FourOctets. Some of the company’s applications don’t have terms of service at all.
Android apps are notorious for having long laundry lists of permissions, which people rarely read let alone understand. Apple’s operating system has tighter restrictions and doesn’t allow apps to request such a large amount of information without a clear purpose for its use.
However, the iPhone app behaves strangely, too. Zdziarski, the iOS forensics researcher, ran a forensic test on an iPhone and traced Meitu’s code. According to his work, which he documented in a series of tweets, the code “checks” whether or not the phone is jailbroken, and allows the developer to “use undocumented APIs”, weaknesses that let it gather information about the phone it wouldn’t otherwise be allowed to. It retrieves information about your cellphone provider, and appears “to build a unique device ID profile,” he says.
The worst thing Zdziarski says he found is code that could track someone’s location using the photo’s geolocation tags, if certain permissions are granted. “This app has a lot of ways to track you,” he said.
However, he said he believed the application was more of a poorly coded “cute” app with a ton of ad trackers built in, designed to generate revenue—something he sees a lot.
Matt Green, a cryptographer at Johns Hopkins University, agreed that the data being gathered by Meitu was concerning, but not necessarily malicious. “Regardless,” he said, “the lesson here is: if you want to have secrets, don’t download random Chinese android apps.”
I think what you’re telling us is:
• get a compiler for your phone’s OS and a decompiler
• learn to read Obj-C or Java
• attempt to decompile your phone apps and see what’s in ’em.
Last I recall or messed w/ this shit you could decompile some Java code, but I don’t believe you could Obj-C — prob way behind the times w/ this.
How do any of us know if our phone apps are fucking us?
Just remembered: there was an obfuscation API available for Java back a while too…
some of the capabilities offered by Symantec or CodeWarrior disappeared at the end of the 20th century along with many of our freedoms –
with CodeWarrior I was able to recompile MacPaint as a servlet – the company that bought the Java compiler from Symantec suddenly wanted 1000s of dollars for what was a really cheap program. Welcome to the new world order.
What do you mean
surproz surproz surproz
A cell phone or any other Internet dependent device is virtually useless without Apps.
Apps are not “downloadable” if the “accept” tab is not activated.
Why is there no push to restrict app producers from DEMANDING FULL ACCESS to almost every function in a device before the app can be downloaded?
If that’s how you want to be. LOL
I don’t “download apps”. I have a nice, lightweight and secure computer that is separate from my phone.
When I want to make a call, my phone isn’t useless – because it’s not burdened with malicious crap.
“the future of radio belongs to us”
indyradio.info (use mozilla or die)
ch0.us (insecure, for lame browsers)
My comment never showed up – what’s taking so long?
This kind of software, not only on smartphones and the like but on PCs and all kinds of devices, has taken a turn for the worse from a user’s point of view.
Getting an app (almost) for free and paying, time and again, with private information is promoted as much as possible by the companies that collect and sell your private data, as well as by intelligence services from a multitude of countries.
These people are constantly trying to change app users’ perception of how to deal with their own private information and get them to disregard and give up their privacy.
The collective awareness about apps (software) intruding, heavily and perpetually, on people’s privacy should receive much more attention.
Jenna- typo@”worst thing Zdiarski say he found is”
And then: all of the Intercept writers fail to add a key point in these types of “it’s da godless Chinese” stories, namely that the Chinese know they are being tracked since forever, and that their phones are designed that exact way. It’s not a statement or an abuse by their definition– it’s business as usual.
So, for instance: “the code “checks” whether or not the phone is jail broken, and allows the developer to “use undocumented APIs””
It is just China doing what everyone in China knows China does, unlike this soft and sneaky Machiavellian totalitarianism that has been slipped in here.
Also, just like here, now, an IMEI on a jailbroken phone from a foreign land signifies the fact that the person has foreign connections.
In China, you can buy burner phones, broke phones and hot ones only from street vendors, because all telecoms are wiretapped by default, and even the monthly plans are required to have an ID with them.
So the jailbroken phone signals the obvious: someone isn’t following the one rule they have, which is acceptance of chronic surveillance; and in lesser scenarios, unlike here in America, a phone that is stolen might actually get returned to its owner, because the cops there focus on actual crime far more than thought crime and criminal association via the inference of a tweet.
And frankly, I am a lot less scared of Chinese spying than Israeli operations which also come with lots of head games and blackmail:
Shady Companies With Ties to Israel Wiretap the U.S. for the NSA
https://www.wired.com/2012/04/shady-companies-nsa/
Nokia has been released from its non-competition agreement and is producing a full range of cell phones this year.
The only caveat is recent acts of the Finnish Government. They have surrendered their former independence and may sell-out their most famous company.
The statement “…the company takes personal data very seriously and only collects information to improve the performance of the app” is basically what every company states that is eventually subject to most of their data being hacked.
This type of statement, “Meitu does not sell user data in any form,” should have a properly qualified addition: “…until they feel like changing that policy or are involved in a merger or sale of their company, and then all that data is, in fact, part of the sale to whatever entity is making the purchase, for whatever purpose.”
“the lesson here is: if you want to have secrets, don’t download random Chinese android apps.” … if you want to have secrets, don’t download ANY random apps period, why single out Chinese apps? Another China-bias opinion.
Hmm, interesting article. I guess no one should use Gmail anymore following the same logic, because the moment you send the email, the content is ingested, parsed, profiled and saved on Google servers; doesn’t that sound more scary?
“Just a piece of crapware” … as if it’s OK to be spied on by Companies since Companies that sell data to any other Company with the money can’t possibly have bad intent! To think of the level of capitalist faith and devotion these people have! The funny part is, to part with such things for free is contrary to principles of Capitalism, and so their every act of devotion only reinforces the absolute contempt their Gods rightly feel for them.
Technology is defined as a method by which the wealthy and powerful can use their resources to exert greater advantage and control over the poor. As we put the Golden Age behind us, we should try to remember that the fall of civilization came because it was the best possible option, no matter how absurd that will seem. The best possible option, that is, aside from a philosophical realization that our people were unable to achieve.
It depends. How healthy are your liver and kidneys? :p
Why should Chinese spying be any worse than US-based spying?
Massage-
I think the answer is certain narratives of racist, religious, and ethnic ‘supremacy.’ See my link above for shady companies in Israel spying on all Americans, all the time.
So an anonymous person who won’t be named said China is going to get everything, but real interviewed experts on the topic say that it is pretty much par for the course as far as apps go. Did this author notice how well Trump did with his HATE and FEAR propaganda and decide to try it too?
Of course all of this same information is sent to Google, and many, many applications are doing the same. Perhaps a survey and comparison of popular applications is in order… you might be surprised. For example, see the location tracking that the Uber app does, after your destination is reached. Now, I think this is bad news all around, and with the death of Cyanogen (which included a wonderful “permission firewall”, allowing users to restrict permissions to applications that would otherwise get them), awful security update support from Android vendors (Samsung, looking at you!), proprietary drivers, and carrier bloatware installed by default, things are looking rather dismal. Indeed, the Free Software Foundation has listed a libre mobile operating system as one of the top priorities for free software developers.