The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say.
The app harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded. But worst of all, the free app appears to be phoning home to share personal data with its makers.
Meitu, a Chinese production, includes in its code up to three checks to determine whether an iPhone handset is jailbroken, a function to grab mobile provider information, and various analytics capabilities, according to respected forensics man Jonathan Zdziarski.
Zdziarski says the app also appears to build a unique device profile based in part on a handset’s MAC address.
“Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it,” Zdziarski says.
Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found.
Location information is captured when activated on handsets, and may even be pulled from exif data in existing photos.
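The EXIF point above is worth seeing concretely: a photo taken with location services on carries its GPS fix in an APP1 Exif segment, and any app with storage access can read it without ever asking for a location permission. The following is an added example, not code from the article or from Meitu: a dependency-free Python parser that walks a JPEG's marker segments, reads the GPS sub-IFD (standard Exif tag 0x8825 and GPS tags 0x0001 to 0x0004) and can strip the Exif segment before a photo is handed to a third-party app. The sample JPEG is constructed inside the script, with a made-up coordinate, so it runs offline.

```python
import struct

GPS_INFO_TAG = 0x8825                  # IFD0 pointer to the GPS sub-IFD (Exif standard)
GPS_LAT_REF, GPS_LAT = 0x0001, 0x0002  # 'N'/'S' and degrees/minutes/seconds
GPS_LON_REF, GPS_LON = 0x0003, 0x0004  # 'E'/'W' and degrees/minutes/seconds


def _iter_segments(jpeg):
    """Yield (marker, payload, start, end) for each marker segment up to SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:           # start of scan: image data follows, metadata is behind us
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one TIFF IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _dms(tiff, entry, endian):
    """Decode a 3-RATIONAL (type 5) entry into decimal degrees."""
    typ, count, raw = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    off = struct.unpack(endian + "I", raw)[0]
    v = struct.unpack(endian + "6I", tiff[off:off + 24])
    d, m, s = (v[i] / v[i + 1] for i in range(0, 6, 2))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return {'latitude': .., 'longitude': ..} from the Exif GPS IFD, or {} if absent."""
    for marker, payload, _, _ in _iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_INFO_TAG not in ifd0:
            return {}
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_INFO_TAG][2])[0], endian)
        result = {}
        for name, tag, ref_tag, neg in (("latitude", GPS_LAT, GPS_LAT_REF, b"S"),
                                        ("longitude", GPS_LON, GPS_LON_REF, b"W")):
            if tag in gps:
                val = _dms(tiff, gps[tag], endian)
                ref = gps[ref_tag][2][:1] if ref_tag in gps else b""
                result[name] = -val if ref == neg else val
        return result
    return {}


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed (image data untouched)."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, payload, start, end in _iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed test input: minimal JPEG whose Exif says 37 46'30" N, 122 25'0" W."""
    e = "<"
    ifd0_off = 8                              # IFD0 directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0 has one entry -> GPS IFD at 26
    data_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD has four entries -> rationals at 80
    tiff = b"II" + struct.pack(e + "HI", 0x2A, ifd0_off)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_INFO_TAG, 4, 1, gps_off)
    tiff += struct.pack(e + "I", 0)           # no next IFD
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack(e + "HHII", GPS_LAT, 5, 3, data_off)
    tiff += struct.pack(e + "HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
    tiff += struct.pack(e + "HHII", GPS_LON, 5, 3, data_off + 24)
    tiff += struct.pack(e + "I", 0)
    tiff += struct.pack(e + "6I", 37, 1, 46, 1, 30, 1)     # latitude d/m/s as numerator/denominator
    tiff += struct.pack(e + "6I", 122, 1, 25, 1, 0, 1)     # longitude d/m/s
    app1 = b"Exif\x00\x00" + tiff
    # SOS marker plus dummy scan data and EOI stand in for the picture itself
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x0c" + b"\x00" * 10 + b"\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("embedded fix:", extract_gps(photo))
    print("after strip:", extract_gps(strip_exif(photo)))
```

The parser stops at the SOS marker on purpose: metadata lives in the header segments, so the (possibly large) entropy-coded image data never needs to be touched, which is also why `strip_exif` can remove location without re-encoding the picture. Real cameras usually write big-endian ("MM") TIFF data; the sample uses little-endian ("II") to exercise the byte-order switch.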
There is no evidence the application is outright malicious; rather, it is an example of how app developers can and do push the boundaries of legitimacy in the quest to quietly harvest loads of user data to pay for the provision of free products and services.
Technical users wanting to install Meitu should weigh up its value against its collection and dissemination of their identifiable information to unknown sources.
Non-technical users are in more perilous territory; those who want to install the app anyway could try denying every Meitu permission request other than access to the device camera, although this is by no means a sure way to protect device data.
Security and privacy boffins are largely avoiding the application and calling out its collection capabilities, but millions of regular users are downloading and highly rating the app.
Others have probed the app, tallying a huge number of permissions the app seeks, including:
- Device and app history;
- Accurate location;
- Phone status;
- USB, photos, and files storage read and write;
- Wifi connections;
- Device ID & call information;
- Full network access;
- Run at startup;
- And prevent device from sleeping.
In a test on a Vulture South spare phone, the application was still able to function sufficiently well to capture this writer’s nightmare-fuel selfie with storage and camera permissions accepted and phone permissions denied. No other prompts were thrown on the Android 7 Nougat device.