Update: Meitu has responded to CNET, claiming that it’s not, in fact, selling user data to anyone. The app’s data collection code was included because Meitu is headquartered in China, where tracking services provided by the Google Play Store and Apple App Store are blocked.

A Meitu spokesperson said:

To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent… Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks.

Meitu also commented on the number of app permissions Android users have to agree to when downloading the app. The spokesperson explained that since Meitu’s apps in China don’t come with Google Play services, push notifications don’t work. To sidestep this issue, it uses a third-party notification service called Getui that requires the app to run at start.

It also isn’t possible to publish an international version of the Meitu app that uses Google Play services, since access to the tracking services won’t work in China, where the company is based.

Basically, don’t hold out for a version of Meitu without this curious data collection code.

Original post: While it’s been available in China for nearly a decade, the Meitu photo editing app has recently become very popular here in the US. You might not be so thrilled about your anime-themed selfies after you hear this news, though. There’s evidence that Meitu is collecting a lot of user data and sending it to unknown third-parties.

Meitu is designed to turn your normal photos into more beautiful images with lots of effects, backgrounds, filters and more features to choose from. The big push to its popularity in the US occurred when the app recently added an anime filter. Now users are busy turning photos of themselves and others into people who would feel quite at home in Sailor Moon. The company behind Meitu claims the app has now been installed on over one million devices.

But is the app doing more than just making people super cute with its anime filter? Security-minded folks have been poking around Meitu’s code and discovered it has a lot of tracking code for things like device model, Android OS version, MAC address, and much more. If you download the Android version from the Google Play Store, it asks for more than 20 permissions before you install it. The app wants to manage your calls, to know your precise location, and even to run itself at startup. CNET contacted Meitu to ask about these security concerns, but so far the company has not responded.

To be clear, there’s no evidence so far that the data that Meitu collects is used for anything more nefarious than ad targeting. A lot of apps – especially free apps, and especially apps from China – rely on selling user data to ad companies as their main business model. Nevertheless, you should be aware of these practices before you pick up Meitu, or for the matter, any app that requests tons of permissions without a clear purpose.

Comments
Read comments