Here's why we're not downloading Meitu, the red-hot anime photo app (update)

Why does a cute photo app need all these permissions?

Sean Hollister Senior Editor / Reviews

Meitu is a viral sensation. Who wouldn't want to instantly give themselves or their favorite politicians and celebs a Japanese-anime inspired makeover, and share the hilarious results with the world? That's why the face-recognizing photo app is currently rocking the charts.

But before you zip on over to the App Store or Google Play to grab your free copy, there's something you should probably know: Meitu is asking for an awful lot of your data in exchange for the lolz -- and the app also seems to contain some rather suspicious code.


Why does a photo app need to make phone calls?

Screenshot by Alfred Ng/CNET

You know how each new app you download asks for permission to access certain parts of your phone? You might reasonably expect Meitu, a photo app, to use your camera (so it can take pictures), your phone's storage (so it can edit pictures stored on your phone) and some internet access as well.

But Meitu doesn't stop there. Oh no: It wants your location and your phone number, to automatically run itself at startup, and more.

Screenshot by Sean Hollister/CNET

Why does a photo-editing app need to make phone calls? Why would it change your audio settings or mess with other apps running on your phone?
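The comparison behind these questions can be run against any app's decoded Android manifest: list what it requests, then separate what a photo editor plausibly needs from what the article calls into question. This is an added example, not code from the article or from Meitu; the manifest below is a constructed sample, and the mapping from the article's plain-language capabilities to Android permission names is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Baseline the article considers reasonable for a photo app (assumed mapping).
EXPECTED = {P + "CAMERA", P + "INTERNET",
            P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"}

# Capabilities the article questions, mapped to permission names (assumed mapping).
QUESTIONED = {
    P + "ACCESS_FINE_LOCATION": "location",
    P + "ACCESS_COARSE_LOCATION": "location",
    P + "READ_PHONE_STATE": "phone number and device identifiers",
    P + "RECEIVE_BOOT_COMPLETED": "run at startup",
    P + "CALL_PHONE": "make phone calls",
    P + "MODIFY_AUDIO_SETTINGS": "change audio settings",
    P + "GET_TASKS": "inspect other running apps",
}

# Constructed sample, NOT Meitu's actual AndroidManifest.xml.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoapp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="com.example.photoapp.permission.PUSH"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Bucket requested permissions: expected, questioned, or unreviewed."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    report = {"expected": [], "questioned": [], "unreviewed": []}
    for perm in sorted(requested):
        if perm in EXPECTED:
            report["expected"].append(perm)
        elif perm in QUESTIONED:
            report["questioned"].append((perm, QUESTIONED[perm]))
        else:
            report["unreviewed"].append(perm)  # custom or unmapped: review by hand
    return report
```

Anything in the "unreviewed" bucket is not automatically benign; it only means the baseline has no opinion about it yet.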

And that's just the Android version: Jonathan Zdziarski, a security researcher who often digs into apps like this, has discovered some very strange lines of code in the iOS app as well.

According to Zdziarski, the iPhone version of the app is quietly checking to see whether your phone is jailbroken (because that's not creepy), which cellular carrier you're using, and is even potentially able to uniquely identify your device using the hardware MAC address of your phone.

Why would it need all that? He speculates that the company is selling your information to companies who'll target you with advertising.

It's not remotely unusual for apps to sell data to advertisers, but an app that could be constantly, quietly collecting that data (using code that violates Apple's rules, according to Zdziarski) even after you reboot your phone, or put it in sleep mode... let's just say it raises some privacy concerns.

There's still an awful lot we don't know, including whether Meitu is actually collecting or selling this data. Apple and Google didn't immediately respond to requests for comment.

But until we know for sure, we're a little bit nervous about downloading Meitu on our own phones. Perhaps you should be, too.

Update, 3 p.m. PT: FourOctets, a self-described "security pessimist" on Twitter, claims the app is already sending your phone's unique identifier (the IMEI) to multiple servers in China.

According to the company's privacy policy, Meitu claims it will only use your data for the following five purposes:

(I) To improve product functionality and upgrade user experience, thereby offering better services for the user;

(II) For identity verification, security control and customer services, so as to ensure the normal use and security of Meitu;

(III) To enable Meitu to better understand the interests of the user to help Meitu to respond to user's individual demands;

(IV) Meitu may use the user's personal information to prevent, find and investigate the practices of fraud, endangering of security, illegal actions or other conduct violating the agreement, policy or rules between the user and Meitu or its associated parties, so as to protect the legitimate rights and interests of Meitu or its associated parties;

(V) To enable the user to participate in the surveys of Meitu's relevant products and services.

However, the company says it can also give away your information to comply with the law. One of FourOctets' followers speculates that Meitu might be collecting this info to comply with a new Chinese law that requires app makers to uniquely identify their users and stop them from uploading banned content. (China has been cracking down on app stores recently.)

Update, January 20 at 1:30 a.m. PT: Meitu told CNET in a statement that the data collection code was included because the company is headquartered in China, where tracking services provided by app stores such as the Apple App Store and Google Play are blocked.

For the special iOS tracking it does, Meitu claims carrier information is requested for geo-based features as well as ad placements, while jailbreak detection is included due to the company using an SDK (software development kit) from China-based WeChat for sharing content.
