M | T | W | T | F | S | S |
---|---|---|---|---|---|---|
1 | 2 | 3 | ||||
4 | 5 | 6 | 7 | 8 | 9 | 10 |
11 | 12 | 13 | 14 | 15 | 16 | 17 |
18 | 19 | 20 | 21 | 22 | 23 | 24 |
25 | 26 | 27 | 28 | 29 | 30 | 31 |
Last week, I live tweeted some reverse engineering of the Meitu iOS app, after it got a lot of attention on Android for some awful things, like scraping the IMEI of the phone. To summarize my own findings, the iOS version of Meitu is, in my opinion, one of thousands of types of crapware that you’ll find on any mobile platform, but does not appear to be malicious. In this context, I looked for exfiltration or destruction of personal data to be a key indicator of malicious behavior, as well as performing any kind of unauthorized code execution on the device or performing nefarious tasks… but Meitu does not appear to go beyond basic advertiser tracking. The application comes with several ad trackers and data mining packages compiled into it – which appear to be primarily responsible for the app’s suspicious behavior. While it’s unusually overloaded with tracking software, it also doesn’t seem to be performing any kind of exfiltration of personal data, with some possible exceptions to location tracking. One of the reasons the iOS app is likely less disgusting than the Android app is because it can’t get away with most of that kind of behavior on the iOS platform.
Over the life span of iOS, Apple has tried to harden privacy controls, and much of what Meitu wishes it could do just isn’t possible from within the application sandbox. The IMEI has been protected since very early on, so that it can’t be extracted from within the sandbox. Unique identifiers such as the UDID have been phased out for some years, and some of the older techniques that Meitu’s trackers do try and perform (such as using the WiFi or Bluetooth’s hardware address) have also been hardened in recent years, so that it’s no longer possible.
Some of the code I’ve examined within Meitu’s trackers include the following. This does not mean these features are turned on, however many features appear to be managed by a configuration that can be loaded remotely. In other words, the features may or may not be active at any given time, and it’s up to the user to trust Meitu.
A number of these trackers were likely written at different times in the iOS life cycle, and so while some trackers may attempt to perform certain privacy-invading functions, many of these would fail against recent versions of iOS. A number of broken functions no longer used likely also were at one point, until Apple hardened the OS against them.
Meitu, in my opinion, is the quintessential data mining app. Apps like this often provide menial functionality, such as fart and flashlight apps do, in order to get a broad audience to use them and add another data point into a series of marketing databases somewhere. While Meitu denies making any money off of using these trackers, there’s very little other reason in my mind to justify seeing so many built into one application – but that is a judgment call for the user to make.
Because of all of the tracking packages baked in, Meitu is a huge app. I cannot vouch for its safety. There may very well be something malicious that I haven’t found, or perhaps something malicious delivered later through their JSPatch system. It’s a big app, and I’m not about to give them a free complete static binary analysis.
At the end of the day, using Meitu isn’t likely to adversely affect your system or steal your data, however it’s important to understand that there is a fair bit of information that could be used to track you as if cattle in some marketing / data mining system used by advertisers. Your adversary here isn’t China, it’s likely the department store down the street (or perhaps a department store in China), but feel free to insert your favorite government conspiracy theory here – it could possibly be true, but they have better ways to track you. If you don’t mind being tracked in exchange for giving yourself bug eyes and deleting your facial features, then Meitu might be the right app for you.
M | T | W | T | F | S | S |
---|---|---|---|---|---|---|
1 | 2 | 3 | ||||
4 | 5 | 6 | 7 | 8 | 9 | 10 |
11 | 12 | 13 | 14 | 15 | 16 | 17 |
18 | 19 | 20 | 21 | 22 | 23 | 24 |
25 | 26 | 27 | 28 | 29 | 30 | 31 |