Meitu’s photo-effects app tracks users without disclosing enough

Meitu isn’t new. The app, from a company of the same name, has been anime-izing people’s faces in China for several years. It just went viral in the U.S. for no apparent reason, explaining all the super-cute (“kawaii”) sparkly and smooth images of people in your social media feeds.

This, in turn, quickly led to scrutiny of how it handles data. Security researchers are always poking at popular apps, especially from China, as developers there often create apps for jailbroken iPhones, but have been the victim of a malware-infested version of Xcode.

This general interest was heightened on the Android side, as the app requests a swath of permissions to access personal data. Apple limits some of this access by design—apps can’t even ask for, say, a list of all Wi-Fi connections or a phone’s unique IMEI number—and requires an app to ask for specific access to Contacts, the camera, and other data and capabilities.

When researchers went poking in the iOS version, they quickly found a host of red flags: multiple analytics packages, which is software used to track usage and users; requests for data that Apple forbids, some of the code for which was taken directly from a popular iOS programming guide, which prominently notes it shouldn’t be used in production software; and attempts to extract a unique phone identity, which is sketchy based on Apple’s rules.

iOS forensics expert Jonathan Zdziarski tweeted his examination of the code, and concluded that it was likely no worse than any other free app that relied on user tracking to aggregate information and sell the results. I attempted to find Meitu’s privacy disclosure online, but its English-language sites are incomplete, and some App Store links go to Chinese-language pages.

However, in a statement sent to Macworld, Meitu said that it doesn’t sell any user data. It says it uses everything it gathers to improve the app experience, and derives all its money from in-app advertising. A spokesperson said it is also developing virtual makeup preview filters with retailers and beauty makers, which it would charge for. In China, it’s also engaged in mobile commerce, which hasn’t yet come to most of its other markets.

We asked Apple for comment about whether the app conforms to the App Store’s guidelines, and will update this story if we receive a reply.

Don’t get cute about your data

There’s a loose Internet saying that when you don’t pay for a product, you are the product. That’s true with many free apps and services that rely on selling you to marketers by providing them with personal information you provide or analyzing your behavior and passing that on.

Meitu’s statement says “Meitu does not sell user data in any form,” but there’s a bit of a loophole there: selling user data doesn’t mean they’re not selling access to users.

Because the app includes advertising, in order to be effective and gain the highest ad rates, Meitu has to collect information about you to serve the appropriate ads or have partners serve them. The easiest way to target a user who doesn’t have to register for a service is to try to associate their behavior in the app with behavior that ad-technology networks have extracted from general Web browsing.

In its statement, the company lists a number of ways they try to track people individually for geographic ad detection and uniquely identifying a user. Apple restricts access to all specific device identifiers, such as the IMEI noted above, which is unique for each cellular phone, and the MAC (Media Access Control) address, set uniquely for every Wi-Fi, Bluetooth, and other networking interface.

Meitu seems to have hit three separate problems with coding and disclosure it can improve dramatically on in order to get over this privacy flap:

• Improve its Web-based privacy disclosure in the languages in which the app appears. A potential or actual user should be able to find such a policy via the App Store link to a company’s support pages. A spokesperson said Meitu was so new to the English-language market that it’s behind on localizing details. The firm didn’t expect this explosive initial usage, apparently.

• Provide a full accounting of how they use information, including what data is shared with ad networks. Even though they don’t sell user data by their account, that doesn’t exclude no-cost sharing of identifying information that lets ad networks track Meitu app users’ behavior on the Web and in other apps. If they’re using unique tracking numbers between the app and other ad networks, that should be explained and an opt-out policy should be available—or you should stop using the app.

• Clean up the app. From Zdziarski and others’ analysis, including this detailed breakdown by Will Strafach, it seems that Meitu left a lot of unused, test, and ineffective code in place, which triggered researchers’ alarms. The code appears worse “at rest” unless you can test how and whether it’s actually activated and used.

The app checks extensively for jailbreaking not, as with many Chinese-originated apps, to perform different operations on a jailbroken phone (verboten in the App Store in any case), but—according to Meitu—in order to prevent ads from being served on jailbroken phones. Hacked phones can have software installed designed to rack up ad views, earning money for sites illegitimately or burning advertisers’ money as a competitive strategy on ad views that are never seen by a human being.

The moral of this story isn’t that Meitu is engaged in an unprecedented exfiltration of our personal information. Rather, that a very popular app came into a different market without the preparation needed for an audience and researchers currently more attuned to privacy disclosure and violations.

This is good news, even if the original wave of reporting now seems to have overstated the case, based on people’s further examination of the code. It would still be prudent to wait for Meitu to clean up its privacy disclosures and the app, but I’m glad that a concern about privacy rose so quickly to the top for a popular app.