![](/im/Files/7/1/6/6/3/1/5/meitu_teaser_0221.jpeg?impolicy=teaser&resizeWidth=700&resizeHeight=350)
Security alert: Meitu - the app catapults your personal data to China
Dominik Bärlocher
The Chinese application Meitu embellishes your photos according to Chinese beauty standards - with pomp, kitsch and pastel shades. And it sends personal data to China uninvited. So: don't install the app, or uninstall it if you already have it.
The free newspaper 20 minutes announced yesterday: "Raz de marée des filtres de l'app de selfie Meitu" (a tidal wave of filters from the selfie app Meitu). The article talks about the furore caused by the Meitu app. There are sure to be a lot of people downloading the app over the next few days.
Users who download the app to their phones are taking risks: on his Twitter account, security researcher FourOctets drew attention to the following security breaches:
![](/im/Files/7/1/6/4/9/3/8/fouroctets_tweet.png?impolicy=resize&resizeWidth=430)
As Twitter is now one of the exchange platforms in the InfoSec field, the search was on. Incredulous, Greg Linares posts the following Tweet: "If I understand correctly, you installed an application with the following permissions. Let me know how it turns out."
![](/im/Files/7/1/6/4/9/4/3/meitu_permissions.jpg?impolicy=resize&resizeWidth=430)
The permissions listed in the screenshot:
Device and app history
- Retrieve running apps
Location data
- approximate location (network-based)
- accurate position (GPS and network based)
Phone
- see phone status and identity
Photos/multimedia/files
- Read the contents of the USB storage memory
- Edit or delete the contents of the USB storage memory
Storage space
- Read the contents of the USB storage memory
- Edit or delete the contents of the USB storage memory
Camera
- Taking photos and filming videos
Wi-Fi connection information
- display Wi-Fi connections
Device ID and call information
- view phone status and identity
Other
- receive data from the Internet
- display network connections
- change system display settings
- enjoy full network access
- change your audio settings
- run at startup
- Rearrange running applications
- control vibrate
- Prevent the device from going to sleep
- Google Play licence verification
By comparison: the Facebook app is interested in your data in the same way, but it also offers many more functions. For Meitu, access to storage and the camera would have been enough if the programmers had been allowed to be minimalists.
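The least-privilege comparison above, as an added example (not code from the article or from Meitu): it parses a decoded AndroidManifest.xml and reports every permission beyond storage and camera, marking those that gate identifying data. The manifest is constructed, the package name is hypothetical, and the mapping from the Play Store labels to manifest permission names is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
P = "android.permission."

# Manifest names assumed to correspond to the Play Store labels listed above.
LISTED = [P + n for n in (
    "GET_TASKS ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION READ_PHONE_STATE "
    "READ_EXTERNAL_STORAGE WRITE_EXTERNAL_STORAGE CAMERA ACCESS_WIFI_STATE "
    "ACCESS_NETWORK_STATE WRITE_SETTINGS INTERNET MODIFY_AUDIO_SETTINGS "
    "RECEIVE_BOOT_COMPLETED REORDER_TASKS VIBRATE WAKE_LOCK").split()
] + ["com.google.android.c2dm.permission.RECEIVE", "com.android.vending.CHECK_LICENSE"]

# Constructed sample manifest (hypothetical package name), in decoded XML form.
SAMPLE_MANIFEST = (
    f'<manifest xmlns:android="{ANDROID}" package="com.example.photoeditor">\n'
    + "".join(f'  <uses-permission android:name="{p}"/>\n' for p in LISTED)
    + "</manifest>"
)

# What a photo editor needs according to the article: storage and camera.
BASELINE = {P + "CAMERA", P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"}

# Permissions that gate the identifying data the article is concerned with.
IDENTIFYING = {
    P + "READ_PHONE_STATE": "phone status and identity (IMEI)",
    P + "ACCESS_FINE_LOCATION": "precise location",
    P + "ACCESS_COARSE_LOCATION": "approximate location",
    P + "ACCESS_WIFI_STATE": "Wi-Fi connection information",
    P + "GET_TASKS": "running apps",
}

def audit(manifest_xml, baseline=BASELINE):
    """Return permissions beyond the baseline and those exposing identifying data."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(f"{{{ANDROID}}}name") for el in root.iter("uses-permission")}
    requested.discard(None)  # ignore malformed entries without android:name
    excess = sorted(requested - baseline)
    identifying = {p: IDENTIFYING[p] for p in excess if p in IDENTIFYING}
    # Identifying data only leaves the device if the app can also reach the network.
    can_send = bool(identifying) and P + "INTERNET" in requested
    return {"excess": excess, "identifying": identifying, "can_send": can_send}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm in report["excess"]:
        print(f"{perm:50} {report['identifying'].get(perm, '')}")
    print("identifying data plus network access:", report["can_send"])
```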
What is my IMEI?
IMEI stands for International Mobile Equipment Identity. Every smart device in your pocket has an IMEI: your smartphone, smartwatch, tablet, phablet, etc. The IMEI is a series of digits. Each device has a unique number that generally remains secret and unused. With the IMEI, you can know with certainty which phone is being used to transmit the signal.
The IMEI is one of the most important pieces of metadata in the mobile field. Admittedly, it doesn't identify you directly, but if you have an account on your phone that you've protected with a password, PIN or fingerprint and your account is called firstname.lastname@gmail.com or something close to it, then it is clear who you are.
In this video (in German), data analyst David Kriesel explains everything you can do with metadata (from 12:08).
In addition, according to AndroidPolice.com, data about smartphone models, screen resolutions, Android and iOS versions, device MAC address and other data is transmitted to the Chinese server.
In exchange for selfies, Meitu sends this data around the world. Among others to China, a country that doesn't always care about human rights and the law.
Why is Meitu doing this?
There's still a lot of speculation about why, but Twitter user Pheonix7284 thinks he has a solution. He links to an article on InsidePrivacy.com, which outlines the new conditions that must be met by apps in China.
In short: since 1 August 2016, all apps programmed in China must harvest metadata.
- Apps must authenticate their users by attaching a verified phone number or any other identifying data to an online profile. So your anonymous Twitter profile is linked to your account named firstname.lastname@gmail.com.
- Records of your activities must be saved for 60 days.
- The application must comply with regulators and obtain licences specific to it. This is not described in more detail.
- The app's providers must be able to ensure that their app does not authorise any publication that may violate Chinese law in any way.
- App providers must be able to track down these breaches on the software side
- App providers must mention all breaches without exception
- App providers must submit to one or more local authority inspections
China still practices censorship. Need some examples?
If you search for "Tiananmen Square" (literally: Heavenly Peace Gate Square) in the Swiss version of Google, the following results appear:
![](/im/Files/7/1/6/4/9/4/2/google_international_tiananmen.png?impolicy=resize&resizeWidth=430)
If you search for 天安门广场 - the Chinese translation of the place name - on Google Hong Kong (there is no direct Chinese version), you find the following results:
![](/im/Files/7/1/6/4/9/4/0/google_hk_tiananmen.png?impolicy=resize&resizeWidth=430)
But behind its Great Firewall, China has its own search engine; it's called Baidu. So if we launch Baidu and search for 天安门广场, the following results appear:
![](/im/Files/7/1/6/4/9/3/7/baidu_tiananmen_square.png?impolicy=resize&resizeWidth=430)
The repercussions of censorship
You're probably wondering "What protests?". Maybe you don't know much about these protests, but you've certainly seen a photo before. Chinese people who never look outside China don't know the iconic image of the Tank Man.
![](/im/Files/7/1/6/4/9/4/4/tiananmen_square_tank_man_protest_1989.jpg?impolicy=resize&resizeWidth=430)
Outside China, the image is easily found using the international Google version directly. The problem is that this could already count as breaking Chinese law and would mark you as a political dissident. As a tourist, this isn't really a big problem. But as a Chinese citizen who has to live in China, you have big problems that, in the worst case, could turn into an execution.
The mechanisms imposed on Chinese application providers - especially those with identifying features - are therefore there to track down and identify dissidents. Exceptionally, this is not about advertising, but about human lives.
Now...
Now for my polemical question: would you, in exchange for a few unusual selfies, disclose your identity to the Chinese so that they can analyse your data and perhaps mark you as a dissident and a danger to their government?
Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.