REPORT: The Viral FaceApp Age Challenge Could Be A Huge Security Risk

Yesterday, AI photo editor app FaceApp went viral on social media as celebrities, athletes, and musicians all shared photos of their faces altered by its old-person filter as part of an age challenge. As more celebrities downloaded and used the app, its usage spread until millions were downloading and using it. Now, however, tech sources are raising security concerns about the app.


Like many flash-in-the-pan apps, FaceApp already went viral two or so years ago with a more rudimentary version of its photo editing software. Returning this year, it has reignited security concerns, as the core R&D group is located in Russia.

In its Terms & Conditions, writes the New York Post, the app states that “they have the right to modify, reproduce and publish any of the images you process through its AI.” This raises concerns about users’ photos being used for commercial purposes, especially as the threat of Russian interference in elections is looming overhead.

According to TechCrunch, the app cannot see your entire photo library unless you give it permission, even if you are still able to edit photos — at least on iOS. This is due to certain API permissions that enable an app to let a user pick a single photo to work on.

9to5Mac first published a story about security concerns based off a tweet from tech author Joshua Nozzi. However, the allegation that FaceApp “immediately uploads your photos without asking, whether you chose one or not” was debunked by security researcher Elliot Alderson in a separate Twitter thread.

FaceApp issued a statement addressing most of the concerns regarding its security and practices:

We are receiving a lot of inquiries regarding our privacy policy and therefore, would like to provide a few points that explain the basics:

1. FaceApp performs most of the photo processing in the cloud. We only upload a photo selected by a user for editing. We never transfer any other images from the phone to the cloud.

2. We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.

3. We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.

4. All FaceApp features are available without logging in, and you can log in only from the settings screen. As a result, 99% of users don’t log in; therefore, we don’t have access to any data that could identify a person.

5. We don’t sell or share any user data with any third parties.

6. Even though the core R&D team is located in Russia, the user data is not transferred to Russia.

Additionally, we’d like to comment on one of the most common concerns: all pictures from the gallery are uploaded to our servers after a user grants access to the photos (for example, https://twitter.com/joshuanozzi/status/1150961777548701696). We don’t do that. We upload only a photo selected for editing. You can quickly check this with any network sniffing tools available on the internet.

As always, it’s up to the consumer to do their due diligence when granting unknown apps permission to access possibly sensitive material. Good advice is to never download apps like this on work computers or phones, and always read the permissions carefully before installing.