
And then, just before I went to bed, it appeared that some of the sheen on Meitu was dulling. There were mutters and murmurs that perhaps the app wasn’t all that it seemed, rising to a crescendo of potential-ID-theft-induced panic. Rather than being concerned about its Pantomime Dame proclivities, we should focus on the permissions that it was requesting from phones and, as a consequence, the data it was harvesting. While Meitu would require access to your phone’s camera, did it really need to know such specific information? Depending on whether you were using the Android or the iOS version of the app, it seemed that Meitu might be scavenging information on your location, your carrier, your wi-fi connection, your calls, other apps you might be running, your device’s IMEI number, or whether it was jailbroken. Given that Meitu is a Chinese-owned app, just what did it want with these data?

This morning the slightly panicked tweets and alarmist admonitions have toned down, but there remains a sense of unease surrounding Meitu. Just how intrusive is it? Are we right to be concerned that it is accessing more of your phone than it is entitled to? I’ve summarised the general sentiments.

Android

By general reckoning, Meitu’s Android app is far more invasive than the iOS version. In particular, it relays your phone’s IMEI number (a unique identifier) to Meitu. That’s in addition to GPS data, and call, carrier, and wi-fi information. While it has been pointed out that it might well be a Chinese legal requirement for Meitu to collect this sort of information, it is raising concerns for Greg Linares (info sec expert) and ‘security pessimist’ @FourOctets.

— FourOctets (@FourOctets) January 19, 2017

And, as @FourOctets points out, this isn’t restricted to Meitu.

iOS

The consensus on the iOS version of Meitu is that it isn’t nearly as insidious as the Android offering. Both Will Strafach (info sec specialist) and Jonathan Zdziarski (forensic scientist) are of the opinion that the data Meitu on iOS is collecting are generally comparable to those gathered by many other apps available in the App Store, even if it does want to know if your phone is jailbroken.

— Jonathan Zdziarski (@JZdziarski) January 19, 2017

And for Zdziarski, the issue here isn’t about Meitu specifically. It’s about paid ad trackers in general: ‘They’re overly invasive and in thousands and thousands of apps people use.’ It comes back to the adage that if you’re not paying for a product with your money, you’re paying for it with your data. The developers have to make it pay somehow.

To conclude

Meitu might have created a storm last night, but it isn’t isolated in its practices. As plenty of commentators have pointed out, data harvesting is normal. It’s how people make their money. Whether or not you want to download or continue using Meitu comes down to how comfortable you are releasing that much of your information to a company without knowing how it will be used. Meitu doesn’t blow back my hair; I’ve not downloaded it and I don’t intend to. But at least you can make a slightly more considered choice now, and apply it to other apps you download.
