What WeChat Knows: Pervasive First-Party Tracking in a Billion-User Super-App Ecosystem
Authors: Mona Wang (Princeton University), Pellaeon Lin (Citizen Lab), Jeffrey Knockel (Citizen Lab / Bowdoin College), Will Greenberg (Electronic Frontier Foundation), Jonathan Mayer (Princeton University), Prateek Mittal (Princeton University)
Volume: 2025
Issue: 4
Pages: 896–911
DOI: https://doi.org/10.56553/popets-2025-0163
Abstract: This work studies the analytics and first-party tracking ecosystem of WeChat Mini Programs. WeChat Mini Programs have almost one billion monthly active users, comprising one of the largest application and analytics ecosystems in the world. A key challenge in investigating the privacy of WeChat’s Mini Programs is WeChat’s use of a proprietary network encryption protocol, MMTLS, to transmit analytics data. First, we reverse-engineer WeChat’s network stack, and release tooling and specifications for investigating network requests sent to WeChat servers. Leveraging this tooling, we analyze the requests sent by 104 popular Mini Programs to perform the first characterization and analysis of WeChat’s user tracking across its Mini Program ecosystem. Overall, we identified fine-grained browsing data in 76.0% of the network traces we decrypted. This tracking includes browsing and search queries performed within third-party Mini Programs, some of which manage particularly sensitive data; for instance, we also identified browsing data in 89.7% of the traces we decrypted from 40 health-related Mini Programs. We ultimately find that the first-party platform, WeChat, is comprehensively tracking user activity with third-party Mini Programs, at an unprecedented scale. There is no way for users or Mini Program developers to opt out of this data collection.
Keywords: WeChat, super-app, privacy, MMTLS
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
