The Chinese selfie touch-up app Meitu has been running rampant across the Internet recently, and for good reason: the mobile app allows users to turn their faces into adorable, anime-esque models of pure beauty. The selfie style is called PikaPika, and it's inspired by the purikura photo sticker booths so commonly adored in Japanese culture and Japanophile communities.
It's been around for quite some time on Chinese social media, so when the app hit US shores, it made waves. Particularly with Kotaku's Mike Fahey, who was able to successfully Meitu-ify numerous video game heroes, turning some of gaming's most rugged protagonists into fluffy models. Of particular note is Geralt of Rivia, who goes from a tough Witcher to a bishounen work of art.
But there's a darker side to Meitu, one that should give users pause.
According to Infosec activist Greg Linares, Meitu asks for an enormous amount of permissions that are extremely inappropriate for a basic photo-beautifying app. As Linares points out in his tweet, the app can:
- Capture precise location
- Identity, read, modify, or delete USB storage files
- View Wi-Fi connections
- Read phone status and identity
- Change system display settings
- Hold full network access
- Change audio settings
- Run itself at startup
- Reorder running apps
- Control vibration
- Prevent the device from sleeping
Google Play also warns that updates "may automatically add additional capabilities within each group [of permission capabilities]," which means an app installed today can gain further phone access through a later update without asking again. Yikes!
That's not all Meitu does, however. Linares warns that Meitu might be capturing International Mobile Equipment Identity numbers, or IMEIs. An IMEI is a unique device ID, and it gives nefarious folks a starting point for figuring out how to "clone your phone and intercept your calls and sms."
Linares later points out that one's IMEI isn't the only information tidbit necessary to clone a phone. Phone hacking is more complicated than that. But the very fact that it "sends back your IMEI without any permissions granted" is concerning enough, because it gives a potential hacker the opportunity to use an IMEI as a starting point to clone a phone.
Granted, permissions can be turned off for an app like Meitu, but the IMEI grab isn't a voluntary choice. It's automatic, and the storefront listing never discloses it as a risk users may face while using the app. Meaning the app still compromises one's identity regardless, by not being honest about what it actually does. That's a major problem if a third party is able to grab the IMEI as well.
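One way a defender can check a listing like this before trusting it is to audit the APK's manifest for permissions a photo app has no business requesting. The following is an added example, not code from the article or from Meitu; the manifest is constructed to mirror the capabilities listed above, and the mapping from Play Store wording to android.permission.* names, as well as the "expected for a selfie app" baseline, are my assumptions.

```python
# Added example: audit an Android manifest for permissions that a
# photo-editing app should not need. SAMPLE_MANIFEST is constructed to
# mirror the article's permission list; the Play-wording-to-permission
# mapping and the EXPECTED baseline are assumptions, not Meitu's real data.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.selfieapp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_CONFIGURATION"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REORDER_TASKS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

# Assumed baseline: what a camera/photo-editing app plausibly needs.
EXPECTED = {"android.permission.CAMERA", "android.permission.INTERNET",
            "android.permission.READ_EXTERNAL_STORAGE",
            "android.permission.WRITE_EXTERNAL_STORAGE",
            "android.permission.VIBRATE", "android.permission.WAKE_LOCK"}

# Permissions that expose identifiers or location; READ_PHONE_STATE is the
# one that grants access to device identifiers such as the IMEI.
IDENTITY_EXPOSING = {
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

def requested_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))

def audit(manifest_xml, expected=EXPECTED):
    """Flag permissions outside the baseline and those exposing identity data."""
    perms = requested_permissions(manifest_xml)
    unexpected = [p for p in perms if p not in expected]
    sensitive = {p: IDENTITY_EXPOSING[p] for p in perms if p in IDENTITY_EXPOSING}
    return {"requested": perms, "unexpected": unexpected, "sensitive": sensitive}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(key, value)
```

On a real APK, extract the manifest first (for example with apktool or aapt) and feed the decoded XML to `audit`.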
According to Meitu, Inc.'s official website, Meitu hosts a variety of selfie-based apps that allow users to touch up their appearance using their smartphone. On paper, the idea is brilliant, especially for the app showcased in Kotaku's post, which shows how selfie-altering software can turn anything into a drastically adorable version of itself. The problem is the lack of transparency about Meitu, Inc.'s actions. And when an identity-compromising product like Meitu becomes a viral sensation, thousands upon thousands of Internet users may openly make themselves vulnerable to identity theft.
Granted, there are some valid counter-points raised in response to the claim. For one, the IMEI grab may be a governmental issue. Chinese law requires app providers to verify their users' identities and retain activity logs for sixty days, and to maintain systems "for monitoring content on their platforms in order to detect information that is considered illegal under Chinese laws."
As one Twitter user points out, China requires users to register their phone with their name, but since many do not, the government often logs activity instead. Hence the enormous number of IPs being contacted by the app. More information is also required to understand how the app functions and what the intentions are behind the data being sent, the permissions at play in the Google Play page, and how different mobile operating systems may be affected by the app.
Meitu, PikaPika, and the purikura photo booth phenomenon are all interesting parts of Geekdom that can give back to the gaming community. But it's important to use and share apps responsibly, lest someone become an identity theft victim in the process. Hopefully, the intentions behind Meitu's permissions and IMEI sharing will become apparent over the next couple of days.
How do you feel about the supposed Meitu security concerns? Share your thoughts in the comments below.