Meitu, a Chinese selfie editing app, has amassed billions in downloads since launching in 2008; it’s been trendy in Asia for several years, and just recently began gaining popularity in the United States. The anime-style photo-editing tool, which is available through the Apple and Android app stores, features airbrushed, fairylike depictions of people.
But there’s a serious privacy and security issue with the app, according to mobile security researchers who performed tests running the application, primarily on Android phones. The code instructs users’ phones to send a large amount of data back to China, and possibly around the world.
That information that could potentially be used to spy on users and their communications.
Some of the application’s permissions, presented before users download the app, include access to the calendar, camera, geolocation data, contacts, screen resolution, photos, the contents of the phone’s USB storage, and other data.
The application also appears to be collecting the unique ID, the IMEI number, of users’ phones, according to Greg Linares, a security researcher who examined the application. The IMEI is a 15-digit long serial number that can pinpoint the phone’s country of origin and individual model.
Linares says the information being collected would allow someone “to pair a phone with an individual and then, with the right equipment, you can clone the phone and intercept calls, SMS.”
Cloning phones, which is illegal in most countries, is a relatively easy and inexpensive way to enable spying, according to Linares.
“The information is nice to have, good to sell to other individuals or organizations who would readily have the tools, means, and interest of cloning devices,” he wrote. “I doubt the company behind the app is doing it themselves…[but] there is the potential for individuals intercepting stolen information in transit as well.”
Meitu published a statement on Friday in response to concerns about the application’s privacy and security, saying that the company takes “personal data very seriously” and only collects information to improve performance of the app. Meitu “does not sell user data in any form,” the statement says.
However, if hackers got ahold of this data, it would provide them a lot of detailed information on millions of people who have downloaded the app, according to Linares. “Imagine pairing this data with other compromised data,” he said, noting the massive theft of security clearance information from the Office of Personnel and Management announced in 2015—a breach often tied to China.
However, iOS forensic researcher Jonathan Zdiarski says there’s probably nothing special or malicious about Meitu. He decompiled the source code of the iOS app and primarily found tracking capabilities he assumes are used to build up ad revenue. “If someone walked up to me and asked me about Meitu, I’d tell them it’s just a piece of crapware with a bunch of ad trackers,” he wrote.
China’s Cyberspace Administration also recently issued new rules requiring apps to collect data to authenticate users by tying them to verified phone numbers or other information.
Nick, an independent security researcher who goes by “FourOctets” on Twitter, performed a forensic analysis on an Android phone in his lab to confirm the findings. His tests captured the traffic as it left the device on its way to China.
The Intercept ran an additional report that revealed “information leakage” from the network: the app sent strings of numbers, including what appeared to be an IMEI number, to many different IP addresses in China.
Jay Bennett, another independent security researcher interviewed by The Intercept, decompiled the application’s source code entirely and shared it, confirming that Meitu gets the IMEI number and information like your time zone, MAC address, screen resolution, and information about your SIM Card for “business analytics.”
While the code might seem like a purposeful security flaw designed to covertly gather personal information without users being aware, Bennett and other researchers caution against calling it a backdoor, because Meitu does ask for permission to access at least some of the data. Users might not understand or read what they are approving, however.
“Meitu’s permissions are seriously long, and if unsuspecting users are allowing these permissions, Meitu can get this information,” Bennett wrote in a message to The Intercept.
Android apps are notorious for having long laundry lists of permissions, which people rarely read let alone understand. Apple’s operating system has tighter restrictions and doesn’t allow apps to request such a large amount of information without a clear purpose for its use.
However, the iPhone app behaves strangely, too. Zdiarski, the iOS forensics researcher, ran a forensics test on an iPhone and tracked Meitu’s code. According to his work, which he documented in a series of tweets, the code “checks” whether or not the phone is jail broken, and allows the developer to “use undocumented APIs”—insecurities that allow it to gather information about the phone it wouldn’t be allowed to otherwise. It retrieves information about your cellphone provider, and appears “to build a unique device ID profile,” he says.
The worst thing Zdiarski says he found is code that could track someone’s location using the photo’s geolocation tags, if certain permissions are granted. “This app has a lot of ways to track you,” he said.
However, he said he believed the application was more of a poorly coded “cute” app with a ton of ad trackers built in, designed to generate revenue—something he sees a lot.
Matt Green, a cryptographer at Johns Hopkins University, agreed that the data being gathered by Meitu was concerning, but not necessarily malicious. “Regardless,” he said, “the lesson here is: if you want to have secrets, don’t download random Chinese android apps.”