A Meitu spokesperson has issued a final statement regarding the controversial issues surrounding the photo app.
The company explains that the Meitu app only asks for permissions similar to those of other photo editing apps on the market. The company goes on to say: “Meitu’s sole purpose for collecting the data is to optimize app performance, its effects and features and to better understand our consumer engagement with in-app advertisements. Meitu DOES NOT sell user data in any form. As Meitu is headquartered in China, many of the services provided by app stores for tracking are blocked. To get around this, Meitu employs a combination of third-party and in-house data tracking systems to make sure the user data tracked is consistent. Furthermore, the data collected is sent securely, using multilayer encryption to servers equipped with advanced firewall and IDS, IPS protection to block external attacks.”
Meitu also explains why it needs so many permissions, as follows:
- App Store: Meitu follows Apple developer guidelines and terms rigorously
- Google Play: The permissions requested by Meitu are similar to those users will find with most popular photo editing apps
- Offsite Server: As Meitu is headquartered in China, many of the services provided by app stores for tracking are blocked. To get around this, Meitu uses a combination of third-party and in-house data tracking systems they’ve developed to make sure the tracked data is consistent. For example:
  - MAC address/IMEI number: In some cases, Meitu cannot get both pieces of information at the same time, and in some cases different devices even have the same IMEI number, so we combine these two pieces of data into one unique ID to track user devices
  - LAN IP address is used to prevent business fraud
  - SIM card country code is used for a rough location detection
  - GPS and network location are used for detecting countries and regions for Geo-based operation and advertisement placement
  - Phone carrier information is used as a standard tracking channel for analytics, just like the other third-party analytics tools (e.g., Flurry)
- RUN_AT_START: because the Google service (including GCM) is not available in mainland China, Meitu uses a third-party push notification service called Getui (www.getui.com)
- Jail Breaking: This is a requirement from both the WeChat SDK (Meitu’s sharing module) and advertising, to check if a handset is jailbroken. Meitu implements this verification process because jailbroken devices can manipulate and modify the app source code, thus resulting in commercial settlement errors. Meitu also requires such a process to provide protection against malicious modification of the source code and illegal API usage.
- Offsite Servers: User data is sent ONLY to Meitu. The two reported domain names belong to the top domain name “meitustat.com,” which is owned by Meitu. This can be confirmed via “whois”:
  - rabbit.tg.meitu.com -> 220.127.116.11
  - rabbit.meitustat.com -> 18.104.22.168
In essence, Meitu vows that no user data is sold and that there are security measures to keep it safe.