Technical Information Regarding Analytics Collection in the “Meitu” app for iOS

Will Strafach
Jan 20, 2017


There has been some commotion today regarding a mobile app named Meitu. This post focuses only on the iOS version (others have taken an initial look at the Android version, if interested).

Assessed Content (v6.1.1)

  • “美图秀秀” (com.meitu.mtxx)
  • “MTXXFilterExtension” (com.meitu.mtxx.MTXXFilterExtension)
  • “MTMosaicMessage” (com.meitu.mtxx.MTMosaicMessage)

Analytics Information Collected

  • The device IMEI, IMSI, and MAC address do not appear to be sent to Meitu’s first-party analytics servers or to any packaged third-party analytics servers. This sensitive radio-related information is not possible to obtain on an iOS device updated to the latest firmware version. During preliminary testing, the Meitu app does appear to send a fake MAC address of “02:00:00:00:00:00” to the server. Jonathan Zdziarski has mentioned use of the MAC address by the Meitu app, because the binary code still contains functionality used to obtain the device’s MAC address. However, as stated above, the device’s real MAC address is not accessible to iOS applications within the App Store sandbox (as with IMEI and IMSI). This functionality is not a risk for devices on iOS 8 or above.
  • The following information does appear to be sent to Meitu’s analytics server (adui.tg.meitu.com): iOS Version (such as “10.2”), Device Model (such as “iPhone7,2”), Network Type (such as “WiFi”), Device Language, Device Locale, Mobile Country Code, along with a randomly generated unique identifier.
  • As noted by Jonathan Zdziarski, the Meitu app does obtain the cellular provider name, due to use of a third-party analytics library. The cellular provider name is sent to the server of the third-party analytics provider, Umeng/Youmi (alogs.umeng.com).
  • A “channel_id” is sent to the adui.tg.meitu.com server as well. This is a common occurrence within Chinese applications, due to the heavy use of “assistant” or “helper” tools to sideload applications in the region. The value “App Store” is sent under this parameter when the application has been downloaded directly from the App Store.
  • The Meitu app collects GPS location (if authorized) and sends it to an analytics server. I was unable to determine with high certainty which analytics server the GPS location is sent to, but I have moderate confidence that the analytics server is a third party analytics server, and not directly invoked by Meitu themselves (Sidenote: Meitu does request permission to access location with the vague message of “开启后美图秀秀才可访问你的地理位置哦”, but the only use case directly attributable to Meitu themselves is to check local weather for the user).
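
An added example (not from the original post and not Meitu's code): a Python triage helper for parameters captured from an app's analytics requests, which separates the placeholder MAC described above from values shaped like real hardware identifiers. Parameter names other than channel_id are hypothetical, and the sample values are constructed from the examples given in the post.

```python
import re

# The fixed value the post reports the app sending; iOS returns it to
# sandboxed apps in place of the real hardware MAC address.
IOS_PLACEHOLDER_MAC = "02:00:00:00:00:00"
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check used by IMEIs: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> str:
    """Label one captured parameter value by how identifying it is."""
    v = value.strip().lower()
    if MAC_RE.match(v):
        return "placeholder-mac" if v == IOS_PLACEHOLDER_MAC else "hardware-mac"
    if re.fullmatch(r"\d{15}", v):
        # 15 digits passing Luhn is consistent with an IMEI; otherwise the
        # value could be an IMSI, which carries no check digit.
        return "imei-like" if luhn_ok(v) else "imsi-like"
    return "other"


def triage(params: dict) -> dict:
    """Return only the parameters that need a closer look."""
    labels = {k: classify(str(v)) for k, v in params.items()}
    return {k: l for k, l in labels.items() if l not in ("other", "placeholder-mac")}


# Constructed sample request parameters (names other than channel_id are
# hypothetical; the values mirror the examples given in the post).
SAMPLE = {
    "channel_id": "App Store",
    "os_version": "10.2",
    "model": "iPhone7,2",
    "network": "WiFi",
    "mac": "02:00:00:00:00:00",
}

if __name__ == "__main__":
    print(triage(SAMPLE))  # {}
```

An empty result means nothing in the capture is shaped like a hardware-bound identifier; the randomly generated identifier the post mentions would need separate tracking across reinstalls to assess.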

Private API Usage

Private API loading within “Meitu”
  • As noted by Jonathan Zdziarski, the application contains code which loads two functions from a private framework.
  • However, this code cannot work as-is. This is because the app loads the private framework from the path “/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices” (This path does not exist on an iOS device).
  • There is indeed code within the Meitu app which could allow dynamic loading of private frameworks at runtime. However, there is no indication that it is used. This code is not from Meitu, and is present due to being compiled in as part of the iOS Facebook SDK.

Third Party Code

  • The Meitu app binary has matched internal high-confidence fingerprints for the following third-party analytics-related libraries: AppsFlyer, Crashlytics, Fabric, Umeng/Youmi.
  • The Meitu app binary has matched internal high-confidence fingerprints for the following third-party social networking libraries: Facebook, WeChat, Weibo.

Conclusion

This was a very brief assessment conducted in under 30 minutes, to get a useful collection of accurate technical information to the public with regards to the latest iOS version of the Meitu app, due to high public interest surrounding it at the moment. This assessment should not be considered exhaustive, and I encourage others to continue digging into the iOS and Android versions of this app.

Overall, the information collected by this app would appear to be on-par with analytics information collected within most iOS apps which are currently live in the App Store.
