Security Lessons Courtesy of Snapchat
Some apps are there to teach the rest of us the painful lessons of doing it wrong—Snapchat is one of them.
We all know Snapchat – it’s a popular smartphone app that lets you send a picture to a friend that disappears into the ether after 10 seconds or less. Snapchat is in part successful because of the temporary nature of its sharing – in a world where everything online is permanent, it’s refreshing to be able to share images and video with little to no risk of an embarrassing public leak. At least, that’s the theory. The app is supposed to notify you if a recipient attempts to take a screenshot of your picture or save it in any other way. The image is truly supposed to cease existing after the short time interval expires.
Yes, this is an excellent theory. But in spite of the temporary nature of a “snap,” some users download third-party applications to clandestinely screenshot the potentially salacious content they receive. And this week, one of those third party apps was hacked.
Herein lies Snapchat’s flaw – it’s so easy to overcome the restrictions Snapchat sets. With just a little skill, it’s possible to simply override the notification function in the Snapchat binary, configure an application to intercept the data stream before the Snapchat application processes it, or run Snapchat in an emulator (which would override all the restrictions). Of course, using the right tools would also let you undelete the image that was stored on the hard drive—Snapchat performs a standard delete, rather than overwriting the image as part of the deletion process. In short, it’s an app that purports to do something that it really can’t do—make pictures and videos that you don’t want to last a long time go away. The promises were so false that the FTC finally took action against Snapchat. (As part of the settlement, Snapchat agreed to be monitored for 20 years.) A basic Internet rule is that anything you upload is there forever.
Let the User Beware
The emphasis on Snapchat seems to be that the user is the one responsible for security of any kind. For example, when it comes to data, the Electronic Frontier Foundation (EFF) rated Snapchat extremely low on the list (it garnered just one star out of six for data protection in the recent Who Has Your Back? report). The attitude of the company toward your data is telling in the way in which it sets up security as a whole. You’re dealing with a company that has produced an app that is basically insecure and can’t possibly fulfill its promises to you. Just in case you weren’t aware, Snapchat also collects user address books without consent or notice and also transmits user location information. The latest version of the app allows you to opt out of this behavior, but the app shouldn’t be doing this sort of thing in the first place (and most definitely should not require the user to opt out of it). When creating an app that is supposed to guard user security, it’s a really bad idea to perform tasks in the background that tend to break the privacy rules the user has a right to expect.
The API is Already Hacked
It’s relatively easy to find full documentation for Snapchat’s API online, along with notes about how to exploit it to do things like download all of the images that someone is sending to someone else, grab Snapchat usernames and telephone numbers, or even replace the images that a sender is sending to a recipient with something else. One such place is GibonSec, but there are many others. The point is that the API is completely open to any hacker who wants to make your life miserable.
Among the more interesting bits of information you can find online is that Snapchat uses symmetric encryption and that the encryption key is hidden in plain sight. The form of encryption is also suspect in that it relies on Advanced Encryption Standard (AES) in Electronic Code Book (ECB) mode, which is easily cracked even if you don’t know the key from the outset. So, anyone who wishes really can look at all your data without too much trouble at all.
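The ECB weakness mentioned above, shown as an added example (not code from the original article or from Snapchat): it encrypts the same data with AES-ECB and with AES-GCM, then counts repeated 16-byte ciphertext blocks, a check that needs no key. The key and plaintext are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample: a 16-byte key, and 8 identical zero blocks (like a flat image region).
var key = []byte("constructed-key!")
var plaintext = make([]byte, 8*aes.BlockSize)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ecbEncrypt encrypts each 16-byte block independently (ECB); len(pt) must be a multiple of 16.
func ecbEncrypt(k, pt []byte) []byte {
	block, ct := must(aes.NewCipher(k)), make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// gcmEncrypt uses AES-GCM with a fresh random nonce; output is nonce || ciphertext || tag.
func gcmEncrypt(k, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(k))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, pt, nil)
}

// repeatedBlocks counts 16-byte blocks that duplicate an earlier block; no key is needed.
func repeatedBlocks(data []byte) int {
	seen, blocks := map[string]bool{}, len(data)/aes.BlockSize
	for i := 0; i < blocks; i++ {
		seen[string(data[i*aes.BlockSize:(i+1)*aes.BlockSize])] = true
	}
	return blocks - len(seen)
}

func main() {
	fmt.Println("repeated blocks, ECB vs GCM:",
		repeatedBlocks(ecbEncrypt(key, plaintext)), repeatedBlocks(gcmEncrypt(key, plaintext)))
}
```

Under ECB, equal plaintext blocks always produce equal ciphertext blocks, so the structure of an image survives encryption; an authenticated mode with a unique nonce per message removes that leak and also detects tampering.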
The #Snappening Was Inevitable
You may have recently heard about a Snapchat hack called the Snappening where 200,000 pictures and 9,000 videos were downloaded without the originator’s consent. According to a number of sources, most of the content was explicit in nature—the sort of data that the sender didn’t want anyone other than the intended recipient to see. Given that some of the content was likely created by underage users in the 13 to 17 year range, the breach falls into the area of child pornography. The company denies that its servers were compromised and blames a third party app, SnapSaved, for the leak.
The Snappening was inevitable because Snapchat is poorly constructed and the organization as a whole doesn’t want to take responsibility to ensure the safety of user data. A third party app using API documentation created by others and breaking substandard encryption isn’t the problem—the problem is that it was possible to create such an app in the first place.
When you want to keep something private, don’t upload it to the Internet. The best way to keep a secret is not to tell anyone about it. If you really must share those compromising pictures with someone, do it in person, in a way that won’t come back to haunt you later (usually at the worst possible time). The best policy you can have is to always assume everything you post to the Internet is instantly accessible to everyone. If you follow this simple guideline, then you won’t have to deal with the fallout from that embarrassing picture (or other post).
Published at DZone with permission of Denis Goodwin, DZone MVB. See the original article here.