Is the hot new camera app hiding something? That was the question bubbling up this week, as a Chinese photo-editing app called Meitu began to catch on with stateside users. It was a natural hit, trading in gauzy filters as recognizable as they are shareable. But while out-of-nowhere naivete was part of the app’s appeal, it didn’t sit well with everyone, particularly once they started analyzing the code itself. Meitu was full of unusual code, potentially exposing sensitive information to strange third-party servers in China. Could the fun filters be an identity-theft service in disguise?
The concerns boil down to a number of specific activities, spotted among a mess of borrowed and overlapping code. The app attempts to pull a number of identifiers for a phone, including IMEI and MAC address, and even though no ads are shown within the app itself, it ties in with a number of third-party analytics systems that could be used for ad targeting. Even more ominous, the app asks for very specific location data, attempting to pull GPS coordinates if the right permissions are granted, and to pull them from the EXIF data of a photograph if not. And since Meitu’s parent company is Chinese, all the successfully collected data is headed to servers in China. Laid out in one place, it was enough to make anyone think twice about installing the app.
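The EXIF fallback described above works because photos carry their own GPS sub-IFD, readable by any app that gets the image bytes, with no location permission involved. The following added example, which is not code from the article or from Meitu, parses that structure so you can check a photo for coordinates before handing it to an app; the sample Exif payload is constructed inline and is not a real photograph.

```python
import struct

GPS_IFD_TAG = 0x8825          # IFD0 entry that points at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004

def _ifd_entries(tiff, offset, e):
    """Read one IFD into {tag: (type, count, raw 4-byte value/offset)}."""
    n = struct.unpack_from(e + "H", tiff, offset)[0]
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in
            (struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i) for i in range(n))}

def _dms(tiff, entry, e):
    """Decode a 3-RATIONAL degrees/minutes/seconds entry to decimal degrees."""
    off = struct.unpack(e + "I", entry[2])[0]
    num = struct.unpack_from(e + "6I", tiff, off)
    d, m, s = (num[i] / num[i + 1] for i in range(0, 6, 2))
    return d + m / 60 + s / 3600

def gps_from_exif(exif):
    """Return (lat, lon) from an APP1 Exif payload, or None if it has no GPS tags."""
    if not exif.startswith(b"Exif\0\0"):
        raise ValueError("not an Exif APP1 payload")
    tiff = exif[6:]
    e = "<" if tiff[:2] == b"II" else ">"          # TIFF byte-order mark
    ifd0 = _ifd_entries(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _ifd_entries(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_TAG][2])[0], e)
    if LAT not in gps or LON not in gps:
        return None
    lat, lon = _dms(tiff, gps[LAT], e), _dms(tiff, gps[LON], e)
    if gps.get(LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
        lat = -lat
    if gps.get(LON_REF, (0, 0, b"E"))[2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)

def build_sample_exif():
    """Constructed sample: little-endian TIFF with a GPS sub-IFD (not from a real photo)."""
    e = "<"
    ent = lambda tag, typ, cnt, raw: struct.pack(e + "HHI", tag, typ, cnt) + raw
    ifd0 = struct.pack(e + "H", 1) + ent(GPS_IFD_TAG, 4, 1, struct.pack(e + "I", 26)) + b"\0" * 4
    gps = (struct.pack(e + "H", 4)
           + ent(LAT_REF, 2, 2, b"N\0\0\0") + ent(LAT, 5, 3, struct.pack(e + "I", 80))
           + ent(LON_REF, 2, 2, b"W\0\0\0") + ent(LON, 5, 3, struct.pack(e + "I", 104))
           + b"\0" * 4)
    lat = struct.pack(e + "6I", 37, 1, 46, 1, 2990, 100)   # 37 deg 46' 29.90" N
    lon = struct.pack(e + "6I", 122, 1, 25, 1, 1000, 100)  # 122 deg 25' 10.00" W
    return b"Exif\0\0" + b"II*\0" + struct.pack(e + "I", 8) + ifd0 + gps + lat + lon

if __name__ == "__main__":
    print(gps_from_exif(build_sample_exif()))  # -> (37.774972, -122.419444)
```

To run it on a real JPEG, pass the payload of the APP1 (0xFFE1) segment; a `None` result means the photo carries no GPS sub-IFD for an app to read.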
But while some of the code is alarming, Meitu’s data collection isn’t quite as invasive — or as unusual — as it seems. To start with, much of the identification is blocked up front on iOS, as detailed in one report by security researcher Will Strafach. That includes some of the most eyebrow-raising collection efforts in the app, including IMEI numbers and MAC addresses. The IMEI numbers are still collected in the Android version, which is legitimately bad news, as they could be used to spoof phones and hijack accounts. But it’s also not quite as unusual as it seems, particularly among Chinese apps, which frequently use the IMEI and other identifiers as part of larger anti-spam systems.
There’s a similar back-and-forth over a snippet of code that seemed to allow the app to run code from a private framework, a practice currently banned by the App Store for security reasons. But as Strafach found, the underlying code is part of a larger suite of iOS tools lifted from a Facebook developer toolkit, and there’s no indication hidden frameworks are being used more broadly by the app.
The more alarming fact is how widespread many of these practices are, even as they can present serious privacy threats for users. In the age of smart filters and geotagging, it’s not at all unusual for an app like Instagram or Snapchat to want to know where users are. Meitu is more aggressive, pulling that information from the metadata of your pictures, but it’s only a difference of degree. Meitu raised flags by sharing identity data with half a dozen different third-party networks in China, but it’s only a few degrees beyond the tracking systems you’d find on lots of small-fry apps, to say nothing of the open web. Given the close ties with analytics systems, it’s likely a lot of Meitu’s collected data is ultimately used to target ads — but that’s how most of the internet works, for better or worse. Perhaps it’s worse because the company is Chinese, and doesn’t have Google’s reputation. But how much worse?
The end result is something of a mixed bag. Meitu’s problems are real, but they aren’t evidence of a fiendish plot to spoof phones and steal identities. It’s reasonable to be concerned about them, and worth observing how valuable iOS’s restrictions on IMEI collection are in a situation like this. But if you’re shaken by Meitu’s ad-tracking efforts, you should realize that it isn’t an outlier. Take a look at the other apps on your phone: there’s a good chance that at least one of them is pulling the same tricks, and attracting far less attention for it.