Meitu has a tracking problem, not a spying problem


The app’s weird behaviors are more common than you think

Is the hot new camera app hiding something? That was the question bubbling up this week, as a Chinese photo-editing app called Meitu began to catch on with stateside users. It was a natural hit, trading in gauzy filters as recognizable as they are shareable. But while out-of-nowhere naivete was part of the app’s appeal, it didn’t sit well with everyone, particularly once they started analyzing the code itself. Meitu was full of unusual code, potentially exposing sensitive information to strange third-party servers in China. Could the fun filters be an identity-theft service in disguise? 

The concerns boil down to a number of specific activities, spotted among a mess of borrowed and overlapping code. The app attempts to pull a number of identifiers for a phone, including IMEI and MAC address, and even though no ads are shown within the app itself, it ties in with a number of third-party analytics systems that could be used for ad targeting. Even more ominous, the app asks for very specific location data, attempting to pull GPS coordinates if the right permissions are granted, and pull it from the EXIF data of a photograph if not. And since Meitu’s parent company is Chinese, all the successfully collected data is headed to servers in China. Laid out in one place, it was enough to make anyone think twice about installing the app.

But while some of the code is alarming, Meitu’s data collection isn’t quite as invasive — or as unusual — as it seems. To start with, much of the identification is blocked up front on iOS, as detailed in one report by security researcher Will Strafach. That includes some of the most eyebrow-raising collection efforts in the app, including IMEI numbers and MAC addresses. The IMEI numbers are still collected in the Android version, which is legitimately bad news, as they could be used to spoof phones and hijack accounts. But it’s also not quite as unusual as it seems, particularly among Chinese apps, which frequently use the IMEI and other identifiers as part of larger anti-spam systems.

There’s a similar back-and-forth over a snippet of code that seemed to allow the app to run code from a private framework, a practice currently banned by the App Store for security reasons. But as Strafach found, the underlying code is part of a larger suite of iOS tools lifted from a Facebook developer toolkit, and there’s no indication hidden frameworks are being used more broadly by the app.

The more alarming fact is how widespread many of these practices are, even as they can present serious privacy threats for users. In the age of smart filters and geotagging, it’s not at all unusual for an app like Instagram or Snapchat to want to know where users are. Meitu is more aggressive, pulling that information from the metadata of your pictures, but it’s only a difference of degree. Meitu raised flags by sharing identity data with half a dozen different third-party networks in China, but it’s only a few degrees beyond the tracking systems you’d find on lots of small-fry apps, to say nothing of the open web. Given the close ties with analytics systems, it’s likely a lot of Meitu’s collected data is ultimately used to target ads — but that’s how most of the internet works, for better or worse. Perhaps it’s worse because the company is Chinese, and doesn’t have Google’s reputation. But how much worse?

The end result is something of a mixed bag. Meitu’s problems are real, but they aren’t evidence of a fiendish plot to spoof phones and steal identities. It’s reasonable to be concerned about them, and worth observing how valuable iOS’s anti-IMEI collection systems are in a situation like this. But if you’re shaken by Meitu’s ad-tracking efforts, you should realize that it isn’t an outlier. Take a look at the other apps on your phone: there’s a good chance that at least one of them is pulling the same tricks, and attracting far less attention for it.
