The free Meitu app for iOS and Android asks for (and apparently was granted by users thirsty for glowing-skin likes) far more permission on Google's operating system (access to the calendar, contacts, SMS messages, location, auto launches at startup, external storage, and IMEI number) than a normal camera application.
The iOS version checks to see if your phone is jailbroken (probably to see if it can used the compromised OS to send more data back to the developer in China), which carrier you're using and can probably figure out your iPhone's unique ID. Yeah, not great.
One security researcher noted that the app is sending Android IMIE information to several servers in China.
Now all of this data could be a goldmine if the company sells it to third parties. But according to a statement the developer sent to CNET, the company is not peddling your data to the highest bidder.
Meitu says the reason for all the data collecting is because it's headquartered in China where the tracking services offered by Apple and Google are blocked. It's workaround is a combination of in-house and third-party information tracking. The developer says that all that data is "is sent securely, using multi-layer encryption to servers equipped with advanced firewall, IDS and IPS protection to block external attacks." It also insisted that its iOS code shenanigans only asks for permissions allowed by Apple's developer guidelines.
The developer might in fact only be using the data it collects for tracking right now, but more than a few companies have changed their business practices and terms of service when cash starts to run low. Suddenly all that personal information that was supposed to be used internally is a great way to make a quick buck.
Plus the hype around the app has already passed at this point so you might as well delete the app and enjoy those photos. They may have taken your data, but they'll never take away your selfies.