Stories
Slash Boxes
Comments

SoylentNews is people

Popular Selfie App Sending User Data to China, Researchers Say

posted by on Tuesday January 24 2017, @09:57PM   Printer-friendly
from the better-or-worse-than-facebook? dept.

Arthur T Knackerbracket has found the following story:

Meitu, a Chinese selfie editing app, has amassed billions in downloads since launching in 2008; it's been trendy in Asia for several years, and just recently began gaining popularity in the United States. The anime-style photo-editing tool, which is available through the Apple and Android app stores, features airbrushed, fairylike depictions of people.

But there's a serious privacy and security issue with the app, according to mobile security researchers who performed tests running the application, primarily on Android phones. The code instructs users' phones to send a large amount of data back to China, and possibly around the world.

That information that[sic] could potentially be used to spy on users and their communications.

Some of the application's permissions, presented before users download the app, include access to the calendar, camera, geolocation data, contacts, screen resolution, photos, the contents of  the phone's USB storage, and other data.

The application also appears to be collecting the unique ID, the IMEI number, of users' phones, according to Greg Linares, a security researcher who examined the application. The IMEI is a 15-digit long serial number that can pinpoint the phone's country of origin and individual model.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Popular Selfie App Sending User Data to China, Researchers Say | Log In/Create an Account | Top | 14 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by FatPhil on Wednesday January 25 2017, @02:44PM

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday January 25 2017, @02:44PM (#458496) Homepage
    Why do the software platforms use the same kind of scheme that browser platforms have use for permissions.

    Really, what's the fundamental difference between this:

    www.foo.com wants to set a cookie foo_tracker
    [ ] don't ask me again
    [accept] [deny]

    and:

    com.foo.funnycamera wants to access security domain "calendar"
    [ ] don't ask me again
    [permit] [deny]

    Then again, I've always thought these permissions were under-specified anyway, they should be more like VMS or Unix directory permissions.

    Compare:

    com.foo.funnycamera wants to perform "readall" on domain "calendar" with reason:
    "this will let me tag party photos taken on your birthday, honest, nothing suspicious about it at all"
    [ ] don't ask me again
    [permit] [deny]

    a unix 'x' directory permission, with the more innocent 's'ticky and 'w' combo

    com.foo.funnycamera wants to perform "create" on domain "calendar" with reason:
    "adding a reminder date for you to register for the full version, this is just the free trial version"
    [ ] don't ask me again
    [permit] [deny]

    It's a shame when people re-invent access control, and reinvent it immeasurably worse than what's come before.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2