News

Actions

Viral selfie app under fire for sneaky data collection

Posted at 9:33 PM, Jan 20, 2017
and last updated 2017-01-20 21:33:21-05

SAN FRANCISCO — You’ve probably seen them everywhere on social media: Selfies of your friends turned into cartoonish portraits.

Chinese app Meitu — which has gained popularity in the U.S. within the past two weeks — adds colorful, caricature-like features, such as bigger eyes, tear drops and accessories like feathers and flowers, to photos.

But now the app has now found itself in hot water. It’s collecting information about you for advertising purposes.

If you have an iPhone, the free app is tracking location and mobile carrier information, your IP address and generates a unique identifier to track you. It also quietly shares Android users’ IMEIs, the unique code that identifies individual devices, and sends that data back to servers in China.

Meitu asks for some of these permissions — but not all — at the time of download.

meitu-screen-shot-selfie-app

However, security researchers say this method isn’t much different than what many apps already do. The process is similar to how you’re currently tracked by ads around the web.

In this case, Meitu’s developers wrote a piece of code into the app, so advertisers could see who is using it and what they’re viewing.

“Most of the sketchy things being reported in Meitu are [of] the numerous ad trackers baked into the software, which can generate revenue for the software authors,” forensic expert Jonathan Zdziarski told CNNTech. “It’s a rather widespread problem among mobile apps and not just on any one platform.”

Although Meitu says it doesn’t sell user data, other apps that collect similar information might. It’s possible to change what type of data you give to apps through “App Permissions” in Settings on Android and in under “Privacy” on iOS.

“We’ve come to accept ad and analytics trackers in our mobile apps,” Zdziarski said. “Now, it’s turning into ‘crapware’ that delivers a dozen or more trackers in the form of something cute the user wants to use.”

Because Meitu is headquartered in China, many of the tracking and push services from marketplaces such as Apple App Store and Google Play are blocked. As a workaround, Meitu works with in-house experts and a third-party company to track and collect data securely, the company said. It eventually has plans to move its servers outside of China.

Ad trackers found in OS and Android apps can often create headaches for users behind the scenes. For example, they run in the background of smartphones and often drain batteries.

It’s also difficult to tell if an app has a tracker without looking at the code. Verify.ly is one service that highlights security issues, the code and how apps connect with other services. It intends to help people have a better understanding of how data is collected and used.