Snapchat images that have "disappeared forever" stay right on your phone...


Snapchat is a wildly popular app for Androids and iDevices that allows you to share photos with your friends.

Snapchat replaces more pedestrian ways of sharing photos, such as sending them by email.

The app enables you - indeed, it pretty much encourages you - to share snapshots you would probably be wiser to keep to yourself, or better yet not to take in the first place (my emphasis below):

Snapchat is a new way to share moments with friends. Snap an ugly selfie or a video, add a caption, and send it to a friend (or maybe a few). They'll receive it, laugh, and then the snap disappears.

The image might be a little grainy, and you may not look your best, but that's the point. It's about the moment, a connection between friends, and not just a pretty picture.

The allure of fleeting messages reminds us about the beauty of friendship - we don't need a reason to stay in touch.

Give it a try, share a moment, and enjoy the lightness of being!

Clearly, Snapchat's primary feature, if not its raison d'etre, is "managed risk".

You can live a bit recklessly, Snapchat seems to be saying, because the snap disappears after your friends have looked at it.

In fact, the app description on Google's Play Store goes one step further, promising disappearance for all eternity:

Snapchat is the fastest way to share a moment with friends.

You control how long your friends can view your message - simply set the timer up to ten seconds and send.

They'll have that long to view your message and then it disappears forever.

We'll let you know if they take a screenshot!

As fellow Naked Security writer Graham Cluley asked late last year, early on in Snapchat's short history, "How do you reconcile 'disappears forever' with 'if they take a screenshot'?"

After all, if the screenshot warning ever does come up (assuming the screenshot detector does its job), the one thing you can be sure of is that the image has not disappeared forever, or even at all.

That's because the screenshot function creates a new image, not managed by the Snapchat application, and saves it where your friend is in complete control of it, rather than you or Snapchat.

So "disappears forever" is something of a bogus concept to start with.

But just how meaningful is Snapchat's promise if you completely ignore the screenshot problem, or the taking-a-picture-of-the-screen-with-another-camera problem?

US-based computer forensics geek Richard Hickman thought he'd find out.

Be prepared to laugh (or cry - it's not really funny): according to Hickman, "expired" Snapchat photos don't disappear at all!

He grabbed a forensic image of a phone running Snapchat, found a directory called received_image_snaps and looked in it.

Both unviewed and expired images were still there.

If Hickman's analysis is correct (and it certainly seems to be), Snapchat relies on two steps to make your images "disappear":

  • It adds the extension .nomedia to the filenames, which is a standard Android marker that says, "Other apps should ignore this file. Do not index it, thumbnail it, add it to any galleries, or whatnot. Leave it to me."

  • It adds a record to its own database to say, "The following image should be treated as though it doesn't exist. Leave it to me, and I will pretend it has disappeared forever."

Just as egregiously, Snapchat doesn't even come close to guaranteeing that your images get deleted from its own servers once they've been delivered:

When you send or receive messages using the Snapchat services, we temporarily process and store your images and videos in order to provide our services. Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient (and after a certain period of time if they don't open the message), we cannot guarantee that the message contents will be deleted in every case.

So when you share that "ugly selfie", where does it end up?

It's stored on your phone, but you'd expect that because you took it, so that's your lookout.

It's stored on Snapchat's servers, where it will probably be deleted once it's been delivered, but not in every case.

And it's stored on the recipients' phones, from where it apparently won't be deleted at all, though it will be marked "not for display," which seems to be synonymous in Snapchat's argot with "disappears forever".

What to do about this?

The obvious first step is to share snapshots only if you don't mind them hanging around forever.

The second step is to stop using Snapchat until these issues get fixed.

And the third is to write to the Snapchat guys and suggest that they could use cryptography and positive erasure to come much closer to fulfilling their promises, so you can start using their app again.

Here are some cryptographic tricks that Snapchat might consider:

  • When user X signs up, generate a public/private key pair on his device and send the public key to the Snapchat servers.
  • When storing an image for delivery to X, encrypt it with X's public key so it can't be decrypted unless and until X receives it on his device. That way, images implicitly 'disappear' from the Snapchat servers even before they are delivered.
  • Encrypt each image delivered to X's device with a random key, and keep the key on the Snapchat server until X requests to view the image. That way, the key and the decrypted image only ever need to exist in memory on X's device, and thus implicitly 'disappear' once viewed.
  • When 'disappearing' an image, positively erase (i.e. actively overwrite) the random key off the Snapchat servers. Without the key, the encrypted image becomes shredded cabbage.
  • When 'disappearing' an image, positively erase the encrypted image file on X's device, just in case the key survived, for defence in depth.
  • When uninstalling the app, positively erase X's private key. That way, as-yet unviewed images become shredded cabbage.
  • Whenever X has no unexpired images left to view, positively erase X's private key and generate a new keypair as though starting a fresh install.
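
The per-image key tricks from the list above (a random key held on the server, the key and plaintext kept only in memory on the device, and positive erasure of the key), as an added example that is not Snapchat's code and not part of the original article. The KeyServer class, the view function, the in-memory key map and the sample image bytes are assumptions made for illustration; AES-256-GCM is one reasonable choice of cipher, not one the article names.

```javascript
const crypto = require("node:crypto");
// Server side (hypothetical KeyServer): one random AES-256 key per image.
class KeyServer {
  constructor() { this.keys = new Map(); } // imageId -> 32-byte key
  // Encrypt before delivery; the returned blob is all the device stores on flash.
  seal(imageId, image) {
    const key = crypto.randomBytes(32);
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv("aes-256-gcm", key, iv);
    c.setAAD(Buffer.from(imageId)); // bind the ciphertext to its image ID
    const body = Buffer.concat([c.update(image), c.final()]);
    this.keys.set(imageId, key);
    return { imageId, iv, body, tag: c.getAuthTag() };
  }
  // Hand out a copy of the key when X asks to view; null once it is erased.
  release(imageId) {
    const key = this.keys.get(imageId);
    return key ? Buffer.from(key) : null;
  }
  // "Disappear": overwrite the key bytes in place, then forget the entry.
  erase(imageId) {
    const key = this.keys.get(imageId);
    if (key) key.fill(0);
    this.keys.delete(imageId);
  }
}

// Device side: key and plaintext exist only in memory while viewing.
function view(server, blob) {
  const key = server.release(blob.imageId);
  if (!key) return null; // key gone: the leftover blob cannot be decrypted
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, blob.iv);
    d.setAAD(Buffer.from(blob.imageId));
    d.setAuthTag(blob.tag);
    return Buffer.concat([d.update(blob.body), d.final()]);
  } finally {
    key.fill(0); // wipe the device's copy of the key
  }
}

// Constructed sample data: the blob survives expiry, but only as noise.
function demo() {
  const server = new KeyServer();
  const blob = server.seal("snap-001", Buffer.from("constructed image bytes"));
  const first = view(server, blob).toString();
  server.erase("snap-001");
  return { first, afterErase: view(server, blob), leftover: blob.body.length };
}
```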

The bottom line?

Call me a killjoy, but don't share a selfie, ugly or not, or any other file, for that matter, unless you are willing to risk it being in circulation forever.

And if you're not willing to risk it being in circulation forever, consider not even taking it in the first place.


17 Responses to Snapchat images that have "disappeared forever" stay right on your phone...

  1. Brian · 533 days ago

    Just saw something along these lines the other day, but much easier to view the photos.

    A co-worker plugged their i-phone into a shared computer. Trying to figure out who it belonged to, I accessed the phone via the file explorer, and all snapchat images were readily available (Windows XP).

  2. access2godzilla · 533 days ago

    The key and the encrypted/decrypted content still require to be stored somewhere. In this case, a user can still capture the required content. So all those measures are also going to be futile.

    Someone might think that it is very far fetched, but anyone having a rooted Android device can do it. The location where images are stored can be easily retrieved by some inspection, then simply utilise the shell and the lsof command to get the content as soon as it is written to the disk.

    • Paul Ducklin · 533 days ago

      Sure, the recipient can snarf the images *anyway*, and thus violate the "disappear forever" dictum.

      But Snapchat could get a lot closer to its promises with crypto, because:

      * The use of per-user public/private key pairs means that it would at least be possible for the original image *never to be stored* on Snapchat's servers. (In practice, images might end up in temporary files, unless handled entirely in memory during upload, but at least the stored-until-delivered images can be made "invisible" to Snapchat, so forgetting to purge them after their expiry date simply doesn't matter any more.)

      * The one-time key and decrypted image only ever have to be in memory on the recipient's device, so they need *never be stored* on SSD/flash.

      This makes capturing the images harder. It also means that a recipient who *wants* to do the right thing (e.g. not snapping screenshots) now *can* do the right thing.

      At the moment, even a well-meaning recipient unknowingly keeps the "disappeared" images (where anyone who steals his phone, for example, might recover them).

      Using a server-side key for each image, plus the public-private trick, is a nice workaround for the complexity of positively erasing data on SSD/flash devices. (When you overwrite sector X, the writes might end up on sector Y, due to clever SSD/flash firmware such as load-levelling.)

      That's why iOS uses full-disk crypto even if you don't set a passcode. It makes an emergency wipe of the device much faster (you can zap the key, not the entire device) and a bit more certain (you only need to concern yourself with whether the key really has been zapped, not the whole device).

  3. CanadianLlama · 529 days ago

    Don't ever put anything online that you aren't OK with the world seeing; it's digital, it's hackable, and most likely will get put somewhere you don't want it to be.

  4. DalaiDan · 447 days ago

    Slightly over the top CanadianLlama (if that is your real name). Most likely everything will be fine but the potential for misuse is what should make you err on the side of caution.

  5. Ashish · 403 days ago

    Even with the crypto changes, the recipient can still take a screenshot. Is there any defence against that?

    • wmr · 347 days ago

      No, apps cannot modify the Android OS. It will also always be possible to have a custom client that does everything the normal client does, except it saves all pictures.

  6. Andy · 361 days ago

    Yeah, makes sense because I would sometimes have old snapchats reappearing when I viewed it a day before, some sort of glitch. Proves that these images are stored in your phone.

  7. cimnine · 347 days ago

    What about using the Jelly Bean hardware-backed credential storage for Public/Private Key? Extraction of the Key is close to impossible.

  8. Bob · 347 days ago

    I have a rooted Android phone and I can tell you that the versions of Snapchat I've used do not save the images. They delete it shortly after you've viewed it, or if you clear your feed. Besides that, Snapchat isn't meant to be used for government secrets. It's just for fun.

  9. A way for teens to circumvent parental web-safety monitoring. A way for sickos or bullies to send graphic images and/or threats without worry.

    • Anonymous · 220 days ago

      don't accept their request to become a snapchat "friend".....

  10. Grunt · 290 days ago

    Don't forget the NSA will surely get a kick out of all these naughty snaps.

  11. Sam Keets · 286 days ago

    Can a Snapchat notification appear after the app has been deleted? The answer to this question is yes, it has happened, and it is caused by the app glitching and parts of it remaining on the phone when it was deleted.

  12. Joseph Coscia · 201 days ago

    I've always known that SnapChat was a bad idea, (spam is apparently rampant, their data got stolen, and their CAPTCHA system was defeated in less than an hour) but now I wouldn't touch SnapChat with a 31.5-foot stylus. I would even say that their system is fatally flawed; even if they used properly implemented cryptography and could stop screenshots from being taken from the device, anyone with a second camera could just take a picture of the device running Snapchat. (refer to XKCD comic 538, if you want something to compare this to)

  13. Anonymous · 91 days ago

    What if, for example, someone sends you a pic and you use another phone to take a pic of the other pic on SC, does it warn like a screenshot?

    • Paul Ducklin · 91 days ago

      No. The screen doesn't know it's being photographed :-)

      Snapchat does now warn that this is one way an image can live on after it's supposed to have "vanished."


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog