This New Beauty App Has An Ugly Secret

If you have this app, you just told China your wifi password.

Beauty matters in China. In 2014, Chinese doctors performed over 7 million cosmetic procedures — most of them for people under the age of 35.

Beauty matters, but beauty is also expensive. That’s why so many Chinese people turn to Meitu, the company behind over a dozen photo editing and beautification apps. Meitu launched in 2008 and quickly became the country’s preferred method of enhancing photos: 446 million people in China use the company’s apps. In June, half the photos that people in China put on social media had been filtered using Meitu beauty apps.

Meitu is free to download in Google Play and the App Store. It’s much cheaper than plastic surgery and the results are almost as good. Users can slim their faces, improve the quality of their skin, magnify their eyes and lengthen their legs — all with the swipe of a finger.

Meitu released its app in the West only recently, but it’s caught on quickly. Users are responding especially well to the hand-drawn feature, which allows selfie enthusiasts to turn their best pictures into anime-like drawings, with massive eyes, porcelain skin and lunar facial tattoos.

Using the app to edit pictures of Donald Trump is becoming a popular pastime for Meitu users.

Meitu’s website claims that the app has been installed on over 1 billion different devices. That’s concerning, because the app requires an unusually high number of permissions from users who download it.

It’s normal for photo-editing apps to request access to your phone’s camera and camera roll. But Meitu goes further than that: it requests permission for the phone’s GPS, cell carrier info, Wi-Fi connection information, SIM card data, jailbreak status and more. Governments can use this information to track the phone and, by extension, you.

The app’s code is even more concerning. Lifehacker reports that security researchers who assessed the code discovered that the app collects information, including the phone’s International Mobile Equipment Identity (IMEI) number. Governments can theoretically use this unique, 15-digit serial number to check a phone’s country of origin, manufacturer or model number.

Is that bad?

Back in August, the Chinese government imposed more restrictive rules on app developers, aimed at improving data security. It’s possible that Chinese law requires Meitu to collect some of the information that it collects from users.

In its privacy policy, Meitu promises not to disclose user information to a third party without your consent. But experts believe the company might be doing it anyway. iOS security researcher and forensics expert Jonathan Zdziarski tells WIRED:

“The thing is the number of different analytics and ad tracking packages they’ve loaded into the app. I counted at least half a dozen different packages in there. You don’t generally need that many unless you’re selling data.”

Zdziarski says he “didn’t see anything overtly evil” while examining Meitu, but users should still be mindful when downloading free apps. Even if Meitu doesn’t sell personal information to third parties, other free apps might. Users can protect themselves by controlling, restricting or revoking permissions given to apps, or by avoiding suspicious apps altogether.

Remember: beauty is only skin deep and privacy settings may be more important than we initially suspected.