Technical Analysis: Meitu is Junkware, but not Malicious

Last week, I live tweeted some reverse engineering of the Meitu iOS app, after it got a lot of attention on Android for some awful things, like scraping the IMEI of the phone. To summarize my own findings, the iOS version of Meitu is, in my opinion, one of thousands of types of crapware that you’ll find on any mobile platform, but does not appear to be malicious. In this context, I looked for exfiltration or destruction of personal data to be a key indicator of malicious behavior, as well as performing any kind of unauthorized code execution on the device or performing nefarious tasks… but Meitu does not appear to go beyond basic advertiser tracking. The application comes with several ad trackers and data mining packages compiled into it – which appear to be primarily responsible for the app’s suspicious behavior. While it’s unusually overloaded with tracking software, it also doesn’t seem to be performing any kind of exfiltration of personal data, with some possible exceptions to location tracking. One of the reasons the iOS app is likely less disgusting than the Android app is because it can’t get away with most of that kind of behavior on the iOS platform.

Over the life span of iOS, Apple has tried to harden privacy controls, and much of what Meitu wishes it could do just isn’t possible from within the application sandbox. The IMEI has been protected since very early on, so that it can’t be extracted from within the sandbox. Unique identifiers such as the UDID have been phased out for some years, and some of the older techniques that Meitu’s trackers do try and perform (such as using the WiFi or Bluetooth’s hardware address) have also been hardened in recent years, so that it’s no longer possible.

Tracking Features

Some of the code I’ve examined within Meitu’s trackers include the following. This does not mean these features are turned on, however many features appear to be managed by a configuration that can be loaded remotely. In other words, the features may or may not be active at any given time, and it’s up to the user to trust Meitu.

  1. Checking for a jailbreak. This code exists in several trackers, and so there are a handful of lousy, ineffective ways that Meitu checks to see if your device is jailbroken, such as checking for the presence of Cydia, /etc/apt, and so on. What I didn’t find, however, was any attempt to exploit the device if it was found to be jailbroken. There didn’t appear to be any attempts to spawn new processes, invoke bash, or exfiltrate any additional data that it would likely have access to on a jailbroken device. Apple’s App Review team would have likely noticed this behavior if it existed, also. Apple 1, Meitu 0.
  2. Attempts to extract the MAC address of the NIC (e.g. WiFi). There were a few different trackers that included routines to extract the MAC address of the device. One likely newer tracker realized that this was futile and just returned a bogus address. Another performed the sysctl calls to attempt to obtain it, however the sandbox would similarly return a bogus address. Apple 2, Meitu 0.
  3. Meitu uses a tool called JSPatch, which is a very sketchy way of downloading and executing encrypted JavaScript from the server. This is basically an attempt to skirt iOS’ unsigned code execution by downloading, decrypting, then eval’ing… but isn’t quite evil enough that Apple thinks it’s necessary to forbid it. Nonetheless, it does extend the functionality of the application beyond what is likely visible in an App Store review, and by using Meitu you may be allowing some of its behavior to be changed without an additional review. No points awarded to either side here.
  4. The various trackers collect a number of different bits of information about your hardware and OS version and upload that to tracker servers. This uses your network bandwidth and battery, so using Meitu on a regular basis could consume more resources. There wasn’t any evidence that this collection is done when the application is in the background, however. If the application begins to use a lot of battery, it should gravitate towards the top of the battery usage application list. Apple 3, Meitu 0.
  5. Code did exist to track the user’s location directly, however it does not appear to be active when I used it, as I was never prompted to allow access; if it does become active, iOS will prompt the user for permission. Apple 4, Meitu 0.
  6. Code also existed to indirectly track the user’s location by extracting location information from the EXIF data in images in the user’s photo album. Any time you take a photo, the GPS position where the photo was taken is written into the metadata for the picture, and other applications have access to read that (if they’re granted access to the photo album or camera). This can be aggregated to determine your home address and potentially your identity, especially if it’s correlated with existing data at a data mining company. This is a very clever way to snoop on the user’s location without them being prompted. It was not clear if this feature was active, however the hooks did exist to send this data through at least some trackers compiled into Meitu, and appeared to include MLAnalytics and Google AdMob trackers. Apple 4, Meitu 1.

Other Observations

  1. Code existed to use dlopen to link directly to a number of frameworks, which can often be used by developers to invoke undocumented methods that are normally not allowed by the App Store SDK. Chronic reported this in his own assessment, but indicated that it was never called. I have since discussed some of my findings with him – namely, suspicious long jumps in the code involving pointer arithmetic that indicate the calls may have been obfuscated. It is very likely, however, that these calls no longer work in recent versions of iOS due to ASLR. The entire issue is a moot one anyway, as I’ve been informed that weak linking in this fashion is now permitted in the App Store, so long as the developer isn’t using it as a means to call unsupported methods. I did not see evidence of that happening.
  2. Meitu does obtain your cellular provider’s name, using an authorized framework on the device, as well as observes when that carrier changes (possibly to determine if you’re switching between WiFi and LTE). This appears to be permitted by Apple and does not leak information beyond what’s stated here.
  3. Code was found that makes private framework calls, but as Chronic pointed out, they no longer work. This was likely also old code lying around from earlier versions of the app or trackers.

A number of these trackers were likely written at different times in the iOS life cycle, and so while some trackers may attempt to perform certain privacy-invading functions, many of these would fail against recent versions of iOS. A number of broken functions no longer used likely also were at one point, until Apple hardened the OS against them.

Summary

Meitu, in my opinion, is the quintessential data mining app. Apps like this often provide menial functionality, such as fart and flashlight apps do, in order to get a broad audience to use them and add another data point into a series of marketing databases somewhere. While Meitu denies making any money off of using these trackers, there’s very little other reason in my mind to justify seeing so many built into one application – but that is a judgment call for the user to make.

Because of all of the tracking packages baked in, Meitu is a huge app. I cannot vouch for its safety. There may very well be something malicious that I haven’t found, or perhaps something malicious delivered later through their JSPatch system. It’s a big app, and I’m not about to give them a free complete static binary analysis.

At the end of the day, using Meitu isn’t likely to adversely affect your system or steal your data, however it’s important to understand that there is a fair bit of information that could be used to track you as if cattle in some marketing / data mining system used by advertisers. Your adversary here isn’t China, it’s likely the department store down the street (or perhaps a department store in China), but feel free to insert your favorite government conspiracy theory here – it could possibly be true, but they have better ways to track you. If you don’t mind being tracked in exchange for giving yourself bug eyes and deleting your facial features, then Meitu might be the right app for you.

We will be happy to hear your thoughts

Leave a reply