The anime-themed photo makeover app Meitu recently went viral, with loads of people downloading it to transform their selfies using adorable filters. The spike in popularity quickly drew attention to the app’s questionable permissions and data practices, however, and users were soon advised to uninstall the app rather than risk compromising their personal data. Now the company behind the app, Meitu Inc., has issued a final statement on the matter, detailing how it uses the data and the reason behind its app permissions.
Concerns about the app are numerous, and include data like MAC addresses, IMEI, SIM ICCID, root status and more being collected and the information transferred to multiple unknown servers in China. Privacy advocates have loudly advised users to uninstall the app as a result of the data collection and the lack of transparency around it.
Meitu previously issued a statement via a spokesperson attempting to reassure users, and now it has issued a final statement, this one including details on how the company handles user data and the reasoning behind the permissions the app seeks.
The company says the Meitu Android app only asks for permissions “similar to those users will find with the most popular photo editing apps,” and that for its iOS app, it asks for permissions that are “within the Apple developer guidelines and terms.”
Beyond that, Meitu Inc. details the following:
Offsite Server: As Meitu is headquartered in China, many of the services provided by app stores for tracking are blocked. To get around this Meitu uses a combination of third-party and in-house data tracking systems, they’ve developed to make sure the tracked data is consistent. For example:
– MAC address/IMEI number: In some cases, Meitu cannot get both info at the same time and in some cases different devices even have the same IMEI number, so we combine these two details into one unique ID to track user devices
– LAN IP address is used to prevent business fraud
– SIM card country code is used for a rough location detection
– GPS and network location are used for detecting countries and regions for Geo-based operation and advertisement placement
– Phone carrier info is used as a standard tracking channel for analytics, just like the other third-party analytics tools (e.g., Flurry)
– RUN_AT_START: because the Google service (including GCM) is not available in mainland China, Meitu uses a third party push notification service called Getui (www.getui.com)
• Jail Breaking: This is a requirement from both WeChat SDK (our sharing module) and for advertising to check if a handset is jailbroken. Meitu implements this verification process due to the fact that jailbroken devices can manipulate and modify the app source code, thus resulting in commercial settlement errors. Meitu also requires such process to provide protection against malicious modification of the source code and illegal API usage.
• Offsite Servers: user data is sent ONLY to Meitu. The two reported domain names belong to the top domain name “meitustat.com,” which is owned by Meitu. This can be confirmed via “whois”
– rabbit.tg.meitu.com -> 184.108.40.206
– rabbit.meitustat.com -> 220.127.116.11
As far as third-party services go, the company says the Meitu app has a limited number of analytics and ad tracking modules, including one developed by Meitu itself, and two others, one from umeng and one from AppsFlyer. The company vows that no user data is sold.
Finally, the company says it takes multiple steps to keep user data safe, including using HTTPS, multi-layer encryption, ‘advanced firewalls,’ IPS protection, IDS, as well a full-time in-house security team to monitor everything.