DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
View Events Video Library
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Integrating PostgreSQL Databases with ANF: Join this workshop to learn how to create a PostgreSQL server using Instaclustr’s managed service

Mobile Database Essentials: Assess data needs, storage requirements, and more when leveraging databases for cloud and edge applications.

Monitoring and Observability for LLMs: Datadog and Google Cloud discuss how to achieve optimal AI model performance.

Automated Testing: The latest on architecture, TDD, and the benefits of AI and low-code tools.

Related

  • 8 Things to Consider When Choosing an Embedded Analytics Vendor
  • CX Platform Enables Developers to Focus on Apps for Customers
  • Why True End-To-End Encryption is Important for Distributed Apps
  • Challenge Your Cybersecurity Systems With AI Controls in Your Hand

Trending

  • DZone's Article Submission Guidelines
  • Revolutionizing Software Testing
  • Agile Estimation: Techniques and Tips for Success
  • REST vs. Message Brokers: Choosing the Right Communication
  1. DZone
  2. Data Engineering
  3. Data
  4. Security Lessons Courtesy of Snapchat

Security Lessons Courtesy of Snapchat

Denis Goodwin user avatar by
Denis Goodwin
·
Dec. 05, 14 · Interview
Like (0)
Save
Tweet
Share
4.15K Views

Join the DZone community and get the full member experience.

Join For Free
[This article was written by John Mueller.]

snapchat_uhoh

Some apps are there to teach the rest of us the painful lessons of doing it wrong—Snapchat is one of them.

  1. We all know Snapchat – it’s a popular smartphone app that lets you send a picture to a friend that disappears into the ether after 10 seconds or less. Snapchat is in part successful because of the temporary nature of its sharing – in a world where everything online is permanent, it’s refreshing to be able to share images and video with little to no risk of an embarrassing public leak. At least, that’s the theory. The app is supposed to notify you if a recipient attempts to take a screenshot of your picture or save it in any other way. The image is truly supposed to cease existing after the short time interval expires.
  2. Yes, this is an excellent theory. But in spite of the temporary nature of a “snap,” some users download third-party applications to clandestinely screenshot the potentially salacious content they receive. And this week, one of those third party apps was hacked.

“@jesperjurcenoks: 90K Snapchat photos leaked via snapsaved http://t.co/uDcF1dYWw7#snappening#infosec#security” #oops

— Doug Standley (@DougTI) October 14, 2014

The #Snappening — Snapchat Hacker Threatens to Leak thousands of Nude Images http://t.co/wUN3suPk5y

— Mohit Kumar (@unix_root) October 11, 2014

#protip: Never do anything online/on the phone you'd be ashamed to show your mother. #Snappening

— Jim Gardner (@jimgardner) October 14, 2014

Herein lies Snapchat’s flaw – it’s so easy to overcome the restrictions Snapchat sets. With just a little skill, it’s possibly to simply override the notification function in the Snapchat binary, configure an application to intercept the data stream before the Snapchat application processes it, or run Snapchat in an emulator (which would override all the restrictions). Of course, using the right tools would also let you undelete the image that was stored on the hard drive—Snapchat performs a standard delete, rather than overwriting the image as part of the deletion process. In short, it’s an app that purports to do something that it really can’t do—make pictures and videos that you don’t want to last a long time go away. The promises were so false that the FTC finally took action against Snapchat. (As part of the settlement, Snapchat agreed to be monitored for 20 years.) A basic Internet rule is that anything you upload is there forever.

Problematic design theory aside, Snapchat has all sorts of other issues. If your only problem was having to deal with an acquaintance who kept a copy of your risqué image after you thought it was gone, then things wouldn’t be quite so bad (depending on the acquaintance, of course). Unfortunately, Snapchat has a considerable number of issues that make it a security nightmare.

Let the User Beware

The emphasis on Snapchat seems to be that the user is the one responsible for security of any kind. For example, when it comes to data,the Electronic Frontier Foundation (EFF) rated Snapchat extremely low on the list (they garnered just one star out of six for data protection in the recent Who Has Your Back? report). The attitude of the company toward your data is telling in the way in which they set up security as a whole. You’re dealing with a company that has produced an app that is basically unsecure and can’t possibly fulfill its promises to you. Just in case you weren’t aware, Snapchat also collects user address books without consent or notice and also transmits user location information. The latest version of the app allows you to opt out of this behavior, but the app shouldn’t be doing this sort of thing in the first place (and most definitely not require the user to opt out of it). When creating an app that is supposed to guard user security, it’s a really bad idea to perform tasks in the background that tend to break the privacy rules the user has a right to expect.

The API is Already Hacked

It’s relatively easy to find full documentation for Snapchat’s API online, along with notes about how to exploit it to do things like download all of the images that someone is sending to someone else, grab Snapchat usernames and telephone numbers, or even replace the images that a sender is sending to a recipient with something else. One such place is GibonSec, but there are many others.The point is that the API is completely open to any hacker who wants to make your life miserable.

Some of the more interesting bits of information you can find online is that Snapchat uses symmetric encryption and that the encryption key is hidden in plain sight. The form of encryption is also suspect in that it relies on Advanced Encryption Standard (AES) in Electronic Code Book (ECB) mode, which is easily cracked even if you don’t know the key from the outset. So, anyone who wishes really can look at all your data without too much trouble at all.

The #Snappening Was Inevitable

You may have recently heard about a Snapchat hack called the Snappening where 200,000 pictures and 9,000 videos were downloaded without the originator’s consent. According to a number of sources, most of the content was explicit in nature—the sort of data that the sender didn’t want anyone other than the intended recipient to see. Given that some of the content was likely created by underage users in the 13 to 17 year range, the breach falls into the area of child pornography. The company denies that its servers were compromised and blames a third party app, SnapSaved, for the leak.

The fact that Snapchat wasn’t hacked directly, but as the result of users relying on a third party app to work with Snapchat, isn’t the issue. The issue is that the company is blaming users for the problem, rather than taking responsibility for a shoddily constructed app. A company representative was quoted as saying that the Snapchat terms of service specifically forbid users from using third party apps to work with Snapchat—as if a policy ever prevented users from experimenting and trying to use apps in ways they were never intended to be used. A robust app provides safeguards that assume users will break the rules.

The Snappening was inevitable because Snapchat is poorly constructed and the organization as a whole doesn’t want to take responsibility to ensure the safety of user data. A third party app using API documentation created by others and breaking substandard encryption isn’t the problem—the problem is that it was possible to create such an app in the first place.

Great @WiredOpinion about "The #Snappening" by @hartzog: good data security means not throwing users under the bus http://t.co/n32ZsFfEVN

— ashkan soltani (@ashk4n) October 14, 2014

Bottom Line

When you want to keep something private, don’t upload it to the Internet. The best way to keep a secret is not to tell anyone about it. If you really must share those compromising pictures with someone, do it in person, in a way that won’t come back to haunt you later (usually at the worst possible time). The best policy you can have is to always assume everything you post to the Internet is instantly accessible to everyone. If you follow this simple guideline, then you won’t have to deal with the fallout from that embarrassing picture (or other post).

As a developer, you need to rely on robust security measures that assume users will break the rules. In addition, you need to keep the specifics of your app away from prying eyes and use security measures that actually work and aren’t easily hacked. The need to use robust security, especially encryption, is even more important when your app handles confidential data or information that affects user privacy.
The most important lesson to learn from the Snappening is that organizations must take responsibility for the promises they make. It’s never a good idea to promise the user one thing and then break that promise behind the user’s back. Snapchat’s major failing isn’t in the software or in the use of an easily broken encryption algorithm, but in the fact that the app promised something that clearly isn’t possible to provide. Other organizations avoid this problem by not making the promise. For example, when Amazon came out with the Look Inside feature, it made it really hard to copy the content. It never said that it would be impossible to copy the content and,in fact, people have found workarounds for the protections that Amazon put in place. If you make a promise to users, then be sure you can actually keep that promise.
snapchat Data security app

Published at DZone with permission of Denis Goodwin, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

  • 8 Things to Consider When Choosing an Embedded Analytics Vendor
  • CX Platform Enables Developers to Focus on Apps for Customers
  • Why True End-To-End Encryption is Important for Distributed Apps
  • Challenge Your Cybersecurity Systems With AI Controls in Your Hand
Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends: