Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Popular beauty app Meitu checks if iPhone is jailbroken, sends carrier data back to Chinese developer

Last updated

One of the App Store's top downloads — an app for creating Anime-style self portraits — is a potential privacy risk to its users, as researchers have discovered the app sends details about carrier, and whether the iPhone has been jailbroken, back to the developer.

Meitu, from Chinese developer Xiamen Meitu Technology, is a "beautification" app that applies filters to self-portraits, with it recently used to create anime-style makeovers of photographs. The sudden popularity of the trend has propelled the app up the App Store rankings, reaching 13th place in the free apps chart as of Friday morning.

Security researchers have examined the iOS app and found some unusual elements, with Jonathan Zdziarski discovering it performs a number of checks to work out if the iPhone is jailbroken. The app also collects information about the cellular service used by the iPhone, and creates a unique device identifier based on part of its MAC address.

The collected data, sent back to the developer, is speculated to be sold to marketing agencies to target advertising to the user.

The iOS version of the app is not alone in having questionable security practices, as the Android version in the Google Play store apparently has its own privacy issues. A a considerable number of permissions are requested at installation, including access to the device's GPS, phone, audio settings, and the ability to run the app at the phone's startup.

Meitu says it collects user data through questionable methods because traditional tracking services are blocked in its native country of China.

Zdziarski's investigation into the code used for the iOS app uncovered the use of "forbidden App Store code" to dynamically load frameworks and use undocumented APIs. Another section uses code pulled directly from Erica Sadun's iPhoen Developer's Cookbook, which Zdziarski claims is not permitted in the App Store.

"Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," suggests Zdziarski. "If you like being the target of marketing and big data, by all means run Meitu. I'm sure whoever's buying their data will thank you."

In response to the claims, Meitu advised CNET it collected the data because it is based in China, and tracking services provided by the App Store and Google Play are blocked in the country. For the iOS app, the carrier information is apparently used for geo-based features and targeted advertising.

The Jailbreak detection code is claimed to have come from a software development kit supplied from WeChat, another Chinese service, which it uses to share photographs.

While the app's questionable approach to user privacy may be legitimized as a workaround to China's tight restrictions, users should still be aware of the security risks associated with overreaching apps, as there is no guarantee that the data will only be used for marketing purposes.



3 Comments

🎄
linkman 11 Years · 1041 comments

Wow, it looks like the Android version is even less restricted. It can make and manage phone calls? Sure, Meitu will only use the information for good and never for nefarious purposes.

❄️
GeorgeBMac 8 Years · 11421 comments

For myself, unless the app has some functional reason for needing access to a parameter (like Location), I always say No!'.

But I worry about those apps that don't ask and just take.   I don't know how well IOS protects against unauthorized access to phone parameters and metrics.   I hope it is a strong wall without too many hidden peep holes.

🕯️
misa 13 Years · 827 comments

linkman said:
Wow, it looks like the Android version is even less restricted. It can make and manage phone calls? Sure, Meitu will only use the information for good and never for nefarious purposes.

On the Android version apparently it sends the IMEI (the device serial number) and the IMSI (the carrier number), but not enough information to "clone" the phone (which it would need to copy the SIM card to do so, and that's not trivial.)  It's essentially lazy if it asks for more permission than it really needs, and this is one case where I would absolutely refuse to allow it to have access to anything but the camera. If I want to post it to twitter, I'll post it after it saves it to the camera roll.