You may have seen our story earlier today about the worrying permissions used by photo app Meitu — and you have almost certainly seen the disturbing images created in the app and shared on Facebook. The company behind the app — also called Meitu — has jumped to defend itself, insisting there is nothing sinister going on.
The company insists that there is a very good reason for asking for so many permissions on iOS and Android. It insists there is a very good reason for gathering so much information about users. It insists this data is stored securely and is not shared with or sold to third parties. The defense is worth reading, but whether users are happy to accept what the company says about transmitting collected data back to a Chinese server remains to be seen.
Also read: Privacy warning: Meitu photo app is spyware sharing your phone’s data
The company starts off by saying: “Meitu’s sole purpose for collecting the data is to optimize app performance, its effects and features and to better understand our consumer engagement with in-app advertisements. Meitu DOES NOT sell user data in any form. As Meitu is headquartered in China, many of the services provided by app stores for tracking are blocked. To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall and IDS, IPS protection to block external attacks.”
But this alone is not going to be enough to satisfy concerns that many people have about the sheer volume of data that is being sent back to China.
Meitu explains why each piece of information that is collected is gathered, and why the app acts in the way it does:
- App Store: Meitu follows Apple developer guidelines and terms rigorously
- Google Play: The permissions requested by Meitu are similar to those users will find with most popular photo editing apps
- Offsite Server: As Meitu is headquartered in China, many of the services provided by app stores for tracking are blocked. To get around this Meitu uses a combination of third-party and in-house data tracking systems, they’ve developed to make sure the tracked data is consistent. For example:
- MAC address/IMEI number: In some cases, Meitu cannot get both info at the same time and in some cases different devices even have the same IMEI number, so we combine these two pieces of data into one unique ID to track user devices
- LAN IP address is used to prevent business fraud
- SIM card country code is used for a rough location detection
- GPS and network location are used for detecting countries and regions for Geo-based operation and advertisement placement
- Phone carrier information is used as a standard tracking channel for analytics, just like the other third-party analytics tools (e.g., Flurry)
- RUN_AT_START: because the Google service (including GCM) is not available in mainland China, Meitu uses a third-party push notification service called Getui (www.getui.com)
- Jail Breaking: This is a requirement from both WeChat SDK (Meitu’s sharing module) and for advertising to check if a handset is jailbroken. Meitu implements this verification process because jailbroken devices can manipulate and modify the app source code, thus resulting in commercial settlement errors. Meitu also requires such process to provide protection against malicious modification of the source code and illegal API usage.
- Offsite Servers: user data is sent ONLY to Meitu. The two reported domain names belong to the top domain name “meitustat.com,” which is owned by Meitu. This can be confirmed via “whois”
- rabbit.tg.meitu.com -> 220.127.116.11
- rabbit.meitustat.com -> 18.104.22.168
The company goes on to point out that the Meitu app includes ‘only three’ advertising modules, and reiterates that no user data is sold on. Meitu also outlines the security it has in place to ensure the security of user data it stores.
Image credit: minimina / Shutterstock