posted by on Tuesday January 24 2017, @09:57PM   Printer-friendly
from the better-or-worse-than-facebook? dept.

Meitu, a Chinese selfie editing app, has amassed billions in downloads since launching in 2008; it's been trendy in Asia for several years, and just recently began gaining popularity in the United States. The anime-style photo-editing tool, which is available through the Apple and Android app stores, features airbrushed, fairylike depictions of people.

But there's a serious privacy and security issue with the app, according to mobile security researchers who performed tests running the application, primarily on Android phones. The code instructs users' phones to send a large amount of data back to China, and possibly around the world.

That information could potentially be used to spy on users and their communications.

Some of the application's permissions, presented before users download the app, include access to the calendar, camera, geolocation data, contacts, screen resolution, photos, the contents of the phone's USB storage, and other data.

The application also appears to be collecting the unique ID, the IMEI number, of users' phones, according to Greg Linares, a security researcher who examined the application. The IMEI is a 15-digit long serial number that can pinpoint the phone's country of origin and individual model.
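To make concrete what an exfiltrated IMEI reveals, here is an added example (not from the story or the research it cites) that splits an IMEI into its standard fields and verifies the Luhn check digit. It assumes the GSMA layout: 8-digit Type Allocation Code (TAC, whose first two digits are the Reporting Body Identifier and which is allocated per device model), 6-digit serial number, 1 check digit; the sample value is a constructed test number, not a real device.

```python
"""Decode a 15-digit IMEI and validate its Luhn check digit (added example).

Layout: 8-digit TAC (first two digits = Reporting Body Identifier),
6-digit serial, 1 Luhn check digit. The TAC pins down the exact device
model; the serial makes the handset unique, which is why a collected
IMEI is a stable hardware identifier for tracking.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Imei:
    tac: str             # Type Allocation Code, allocated per device model
    reporting_body: str  # first two TAC digits: body that allocated the TAC
    serial: str          # manufacturer-assigned serial within the TAC
    check_digit: int     # Luhn check digit as printed on the device
    valid: bool          # True when the check digit matches the first 14 digits


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string (the first 14 digits of an IMEI)."""
    total = 0
    # Walk from the right; the digit adjacent to the check position is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the two digits of d
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> Imei:
    """Split an IMEI into TAC / serial / check digit and verify the check digit."""
    digits = "".join(ch for ch in imei if ch.isdigit())  # tolerate spaces and dashes
    if len(digits) != 15:
        raise ValueError(f"IMEI must have 15 digits, got {len(digits)}")
    expected = luhn_check_digit(digits[:14])
    return Imei(
        tac=digits[:8],
        reporting_body=digits[:2],
        serial=digits[8:14],
        check_digit=int(digits[14]),
        valid=int(digits[14]) == expected,
    )


if __name__ == "__main__":
    # Constructed sample value (a commonly used test number), not a real handset.
    print(parse_imei("49-015420-323751-8"))
```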



  • (Score: 3, Informative) by WizardFusion on Tuesday January 24 2017, @10:23PM

    by WizardFusion (498) on Tuesday January 24 2017, @10:23PM (#458301) Journal

    ...presented before users download the app...

    See, even when presented with what the app will steal, people just don't care.

    You can't educate idiots.

    • (Score: 3, Interesting) by Zz9zZ on Tuesday January 24 2017, @10:32PM

      by Zz9zZ (1348) on Tuesday January 24 2017, @10:32PM (#458303)

      Oh please, the only apps I've ever found that didn't request insane permissions were from F-Droid. Every Play store app requests access to just about everything; because of this, users have just thrown in the towel and don't care. If there were a greater percentage of apps that did NOT spy on you, then these permission requests would probably be more of a red flag. It's not that people are idiots, they just don't have time to figure it all out or better options to choose from that are clearly safer.

      --
      ~Tilting at windmills~
      • (Score: 4, Funny) by DannyB on Tuesday January 24 2017, @11:02PM

        by DannyB (5839) Subscriber Badge on Tuesday January 24 2017, @11:02PM (#458310) Journal

        They're not spying on you. They're just "backing up" your personal information into their servers for safety. And selling your info to other parties without your knowledge, to ensure redundancy of your personal information.

        I'm sure these new Chinese apps are backing up your IMEI number for purely innocent reasons. And asking for permission to access your files and storage is also just for your protection.

        --
        Infinity is clearly an even number since the next higher number is odd.
        • (Score: 2) by Zz9zZ on Tuesday January 24 2017, @11:43PM

          by Zz9zZ (1348) on Tuesday January 24 2017, @11:43PM (#458331)

          Phew! Guess I can finally go download all those cool apps I've been avoiding then.

          --
          ~Tilting at windmills~
      • (Score: 4, Interesting) by Unixnut on Tuesday January 24 2017, @11:07PM

        by Unixnut (5779) on Tuesday January 24 2017, @11:07PM (#458312)

        This is so true. I paid attention to the app permissions, and every single app apparently needed access to everything. Sometimes for stupid reasons, e.g. WhatsApp wanted to be able to read my SMS and make/answer calls, just for that one time when it does the handshake upon initial install. So because of that, the app wants the ability to make calls and increase my bill without my knowledge. I was fine with getting an SMS and copy/pasting the code into it, but noooo, this is apparently too hard for the average person to do.

        Likewise a perfectly plain streaming radio app, wanted access to SMS, contacts, calendar, secure storage, google wallet and to make phone calls. More than two pages of permission requests. None of this had anything to do with streaming mp3 audio down the internet connection, yet it wanted it all, even stuff that would cost me money. God only knows why.

        And I suspect all these apps hoover everything they can off your phone and send it to a server somewhere, be it in the US, China or somewhere in Europe. Doesn't matter. Not even sure the app writers are aware, or they are using some third party library that by default just sticks its claws into everything "just in case", so that everything "just works" in future.

        I just treat my phone as a compromised device at all times. I try to keep private stuff off it as much as possible, but it is getting harder. Also ripped out Google services, and only have F-Droid on it. The only place where apps seem to be coded properly and don't need more permissions than would logically be needed to fulfil their function.

        I guess when people write software for the community, they are not looking to strip-mine your personal life, so don't bother hoovering up all your data. Either that, or they are much better coders, who don't all use the same dodgy back end library that wants its claws in everything. Take your pick, either stupidity or malice is the cause.

        • (Score: 4, Informative) by bob_super on Tuesday January 24 2017, @11:23PM

          by bob_super (1357) on Tuesday January 24 2017, @11:23PM (#458317)

          A lot of it is indeed because the free ad-supported versions rely on canned subsystems which are just imported by the person trying to get paid for their work. They come with an insane amount of privacy-invading requests, to maximize the value of the ad to you, of course.

          I've found a few apps totally devoid of any permissions (stuff to read the accelerometer or other device-bound features), but that took scrolling past pages and pages of BigBrotherWannabees.

          I can't thank enough the people who do go through the pains of coding, debugging, and pushing to the Play store, and don't ask for cash or try to load crapware... Hats off to them

        • (Score: 2) by Zz9zZ on Tuesday January 24 2017, @11:47PM

          by Zz9zZ (1348) on Tuesday January 24 2017, @11:47PM (#458333)

          Don't get me started on Google services.... I flashed a forked version of Android and also flashed the Google services image as well because I was told google maps and various location services wouldn't work properly without it. It is true, you need the google services to be installed for a lot of things like Uber. However, I then got tired of those services always running in the background even when no app was using them. I had to manually disable so many services just to keep Google from launching their background bullshit, now I'll suffer without being able to call Uber, taxi cabs still seem to work fine though :)

          --
          ~Tilting at windmills~
          • (Score: 2) by DannyB on Wednesday January 25 2017, @05:10PM

            by DannyB (5839) Subscriber Badge on Wednesday January 25 2017, @05:10PM (#458535) Journal

            Google Services is Google's secret weapon to keep control of the important Apps on Android.

            This started some years ago and I remember when I recognized it. Stop putting the cool features into the OS and start putting them into the Google Services.

            Now a cloned Android doesn't look so attractive.

            --
            Infinity is clearly an even number since the next higher number is odd.
        • (Score: 2) by FatPhil on Wednesday January 25 2017, @02:44PM

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday January 25 2017, @02:44PM (#458496) Homepage

          Why do the software platforms use the same kind of scheme that browser platforms have used for permissions?

          Really, what's the fundamental difference between this:

          www.foo.com wants to set a cookie foo_tracker
          [ ] don't ask me again
          [accept] [deny]

          and:

          com.foo.funnycamera wants to access security domain "calendar"
          [ ] don't ask me again
          [permit] [deny]

          Then again, I've always thought these permissions were under-specified anyway, they should be more like VMS or Unix directory permissions.

          Compare:

          com.foo.funnycamera wants to perform "readall" on domain "calendar" with reason:
          "this will let me tag party photos taken on your birthday, honest, nothing suspicious about it at all"
          [ ] don't ask me again
          [permit] [deny]

          a unix 'x' directory permission, with the more innocent 's'ticky and 'w' combo

          com.foo.funnycamera wants to perform "create" on domain "calendar" with reason:
          "adding a reminder date for you to register for the full version, this is just the free trial version"
          [ ] don't ask me again
          [permit] [deny]

          It's a shame when people re-invent access control, and reinvent it immeasurably worse than what's come before.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Wednesday January 25 2017, @11:29AM

        by Anonymous Coward on Wednesday January 25 2017, @11:29AM (#458454)

        Those people are idiots that do not care that they are idiots.

        If the people weren't idiots they wouldn't use such apps and then it wouldn't be a widespread problem.

  • (Score: 2) by zeigerpuppy on Wednesday January 25 2017, @12:50AM

    by zeigerpuppy (1298) on Wednesday January 25 2017, @12:50AM (#458357)

    The real problem here is that the user's choice about which data to share is not being respected by Google and Apple. It wouldn't be hard for them to add a 'permissions' app that overrides the application defaults. But they are exfiltrating so much data themselves that they don't want to remind people about data security. I, for one, have jumped ship and am happily using SailfishOS.

    • (Score: 1) by terrab0t on Wednesday January 25 2017, @02:20PM

      by terrab0t (4674) on Wednesday January 25 2017, @02:20PM (#458489)

      There was an Android update around summer 2015 that finally gave users fine grained control of app permissions. Before that update you either accepted everything the app wanted or rejected the app entirely. Now you should be able to deny an app individual permissions while still installing it. My phone’s version of Android lets me change the permissions of apps that are already installed, so it’s not a one‐time choice either.

      Most users don’t know or care what these permissions mean, but the options are there for those who do.

  • (Score: 4, Insightful) by stormwyrm on Wednesday January 25 2017, @01:44AM

    by stormwyrm (717) on Wednesday January 25 2017, @01:44AM (#458363) Journal

    In principle, if you really owned your device, you could make it lie to all of these nasty pieces of software. Give a phony IMEI, phone number, contacts, geolocation data, show contacts with bogus info, firewall the hell out of network access, and so forth. But despite paying close to a thousand dollars for some of these devices, we in general still don’t really ‘own’ them; rather, they want to own us. With root access, I suppose it should be possible to write an Xposed module to do this, to make an app think it has private information and send packs of lies back to the mothership without it being the wiser. Maybe someone already has done this, but I haven’t been paying very close attention to this scene of late.

    But no, I suppose allowing this sort of capability out of the box would run counter to the business model, and any manufacturer who tried to empower their customers in this way would probably get the short end of the stick from Google.

    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 1) by DeVilla on Friday January 27 2017, @02:58AM

      by DeVilla (5354) on Friday January 27 2017, @02:58AM (#459281)

      This kind of reminds me of my employer's BYOD policy. They encourage it, but you must install an app that essentially allows them to root the device. They will also flag the device as not being in compliance if you install something to give yourself root access. I won't own one of those devices anyhow, since it's designed to either fence me in, spy on me or be as insecure as possible if I try to assert any real control over it.