
Security Lessons Courtesy of Snapchat


[This article was written by John Mueller.]

Some apps are there to teach the rest of us the painful lessons of doing it wrong—Snapchat is one of them.

We all know Snapchat – it’s a popular smartphone app that lets you send a picture to a friend that disappears into the ether after 10 seconds or less. Snapchat is in part successful because of the temporary nature of its sharing – in a world where everything online is permanent, it’s refreshing to be able to share images and video with little to no risk of an embarrassing public leak. At least, that’s the theory. The app is supposed to notify you if a recipient attempts to take a screenshot of your picture or save it in any other way. The image is truly supposed to cease existing after the short time interval expires.

Yes, this is an excellent theory. But in spite of the temporary nature of a “snap,” some users download third-party applications to clandestinely screenshot the potentially salacious content they receive. And this week, one of those third party apps was hacked.

Herein lies Snapchat’s flaw – it’s so easy to overcome the restrictions Snapchat sets. With just a little skill, it’s possible to simply override the notification function in the Snapchat binary, configure an application to intercept the data stream before the Snapchat application processes it, or run Snapchat in an emulator (which would override all the restrictions). Of course, using the right tools would also let you undelete the image that was stored on the hard drive—Snapchat performs a standard delete, rather than overwriting the image as part of the deletion process. In short, it’s an app that purports to do something that it really can’t do—make pictures and videos that you don’t want to last a long time go away. The promises were so false that the FTC finally took action against Snapchat. (As part of the settlement, Snapchat agreed to be monitored for 20 years.) A basic Internet rule is that anything you upload is there forever.

Problematic design theory aside, Snapchat has all sorts of other issues. If your only problem was having to deal with an acquaintance who kept a copy of your risqué image after you thought it was gone, then things wouldn’t be quite so bad (depending on the acquaintance, of course). Unfortunately, Snapchat has a considerable number of issues that make it a security nightmare.

Let the User Beware

The emphasis on Snapchat seems to be that the user is the one responsible for security of any kind. For example, when it comes to data, the Electronic Frontier Foundation (EFF) rated Snapchat extremely low on the list (they garnered just one star out of six for data protection in the recent Who Has Your Back? report). The attitude of the company toward your data is telling in the way in which they set up security as a whole. You’re dealing with a company that has produced an app that is basically unsecure and can’t possibly fulfill its promises to you. Just in case you weren’t aware, Snapchat also collects user address books without consent or notice and also transmits user location information. The latest version of the app allows you to opt out of this behavior, but the app shouldn’t be doing this sort of thing in the first place (and most definitely not require the user to opt out of it). When creating an app that is supposed to guard user security, it’s a really bad idea to perform tasks in the background that tend to break the privacy rules the user has a right to expect.

The API is Already Hacked

It’s relatively easy to find full documentation for Snapchat’s API online, along with notes about how to exploit it to do things like download all of the images that someone is sending to someone else, grab Snapchat usernames and telephone numbers, or even replace the images that a sender is sending to a recipient with something else. One such place is GibsonSec, but there are many others. The point is that the API is completely open to any hacker who wants to make your life miserable.

Some of the more interesting bits of information you can find online are that Snapchat uses symmetric encryption and that the encryption key is hidden in plain sight. The form of encryption is also suspect in that it relies on Advanced Encryption Standard (AES) in Electronic Code Book (ECB) mode, which is easily cracked even if you don’t know the key from the outset. So, anyone who wishes really can look at all your data without too much trouble at all.
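To make the ECB concern concrete, here is an added Go example (not code from the original article or from Snapchat) showing what ECB reveals to someone who never sees the key: identical plaintext blocks encrypt to identical ciphertext blocks, while AES-GCM with a random nonce shows no such repeats. The key, plaintext, and function names are constructed for this demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate another block.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(ct)/aes.BlockSize - len(seen)
}

// encryptBoth returns pt encrypted with hand-built ECB (Go's standard library
// ships no ECB mode) and with AES-GCM. pt must be block-aligned: no padding here.
func encryptBoth(key, pt []byte) (ecb, sealed []byte, err error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	ecb = make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		b.Encrypt(ecb[i:i+aes.BlockSize], pt[i:i+aes.BlockSize]) // each block on its own
	}
	gcm, err := cipher.NewGCM(b)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce, prepended to output
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return ecb, gcm.Seal(nonce, nonce, pt, nil), nil
}

func main() {
	// Constructed inputs: a 16-byte demo key and 8 identical all-zero blocks.
	ecb, sealed, err := encryptBoth([]byte("constructed-key!"), make([]byte, 8*aes.BlockSize))
	if err != nil {
		panic(err)
	}
	fmt.Println("ECB repeats:", repeatedBlocks(ecb), "GCM repeats:", repeatedBlocks(sealed))
}
```

The same `repeatedBlocks` count works as a quick audit check on stored ciphertext: a nonzero result over data with repetitive structure, such as flat regions of an image, is a strong hint that ECB is in use.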

The #Snappening Was Inevitable

You may have recently heard about a Snapchat hack called the Snappening where 200,000 pictures and 9,000 videos were downloaded without the originator’s consent. According to a number of sources, most of the content was explicit in nature—the sort of data that the sender didn’t want anyone other than the intended recipient to see. Given that some of the content was likely created by underage users in the 13 to 17 year range, the breach falls into the area of child pornography. The company denies that its servers were compromised and blames a third party app, SnapSaved, for the leak.

The fact that Snapchat wasn’t hacked directly, but as the result of users relying on a third party app to work with Snapchat, isn’t the issue. The issue is that the company is blaming users for the problem, rather than taking responsibility for a shoddily constructed app. A company representative was quoted as saying that the Snapchat terms of service specifically forbid users from using third party apps to work with Snapchat—as if a policy ever prevented users from experimenting and trying to use apps in ways they were never intended to be used. A robust app provides safeguards that assume users will break the rules.

The Snappening was inevitable because Snapchat is poorly constructed and the organization as a whole doesn’t want to take responsibility to ensure the safety of user data. A third party app using API documentation created by others and breaking substandard encryption isn’t the problem—the problem is that it was possible to create such an app in the first place.

Bottom Line

When you want to keep something private, don’t upload it to the Internet. The best way to keep a secret is not to tell anyone about it. If you really must share those compromising pictures with someone, do it in person, in a way that won’t come back to haunt you later (usually at the worst possible time). The best policy you can have is to always assume everything you post to the Internet is instantly accessible to everyone. If you follow this simple guideline, then you won’t have to deal with the fallout from that embarrassing picture (or other post).

As a developer, you need to rely on robust security measures that assume users will break the rules. In addition, you need to keep the specifics of your app away from prying eyes and use security measures that actually work and aren’t easily hacked. The need to use robust security, especially encryption, is even more important when your app handles confidential data or information that affects user privacy.

The most important lesson to learn from the Snappening is that organizations must take responsibility for the promises they make. It’s never a good idea to promise the user one thing and then break that promise behind the user’s back. Snapchat’s major failing isn’t in the software or in the use of an easily broken encryption algorithm, but in the fact that the app promised something that clearly isn’t possible to provide. Other organizations avoid this problem by not making the promise. For example, when Amazon came out with the Look Inside feature, it made it really hard to copy the content. It never said that it would be impossible to copy the content and, in fact, people have found workarounds for the protections that Amazon put in place. If you make a promise to users, then be sure you can actually keep that promise.


Published at DZone with permission of Denis Goodwin, DZone MVB. See the original article here.
