Meitu denies selling collected user data, blames China

The company behind the anime photo app describes the reasons behind the dodgy data collection code discovered by researchers.

Aloysius Low Senior Editor

Going viral can be a blessing for some apps, but it led anime-makeover app Meitu to more scrutiny than it may have wanted. Before long, security researchers were taking it to task for dodgy-looking data collecting code.

Upon download, the app asks for a suspicious number of unneeded permissions, such as access to your location and phone number, as well as the ability to automatically run at startup. That's just for the Android version -- the iOS app also checks to see if your iPhone is jailbroken, as well as what carrier you're using.

It sounds scary, and it is, but Meitu is finally shedding some light on the issue. The good news? It says it's not selling your data to anyone, period. The reason the data collection code exists is a little more benign, the company says.

Meitu told CNET in a statement that the data collection code was included because the company is headquartered in China, where tracking services provided by app stores such as the Apple App Store and Google Play are blocked.

"To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent," said a Meitu spokesperson.

"Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks."

The statement also clarified the various aspects of the app's data collection. For iOS devices, Meitu only asks for permissions permitted by the Apple developer guidelines and terms. Carrier information is requested for geo-based features as well as ad placements, while jailbreak detection is included due to the company using an SDK (software development kit) from China-based WeChat for sharing content. The SDK itself requires the check, according to Meitu.

The check also ensures that ads are tracked properly and protects against illegal API usage, said Meitu's spokesperson. MAC addresses and IMEI numbers are also combined into a unique ID for internal tracking purposes.

As for its Android permissions, Meitu's apps in China don't come with Google Play services, as it isn't available there, so push notifications don't work. To get around this, the company uses a third-party notification service called Getui that requires the app to run at start.

Meitu added that it isn't possible to publish an international version that uses Google Play services, as neither the tracking services nor push notifications would work for the company in China, where it is based. So don't get your hopes up for a version with less dodgy data collection code.