Sophos Cloud Optix
Oh, those darn third-party apps, their home-brewed APIs and their photo-leaking ways, Snapchat moaned on Wednesday morning, promising to cook up a public API to fix the situation… sooner or later.
It was referring to the entire ecosystem of third-party apps that’s sprung up around Snapchat’s ostensibly ephemeral but in actuality not-disappearing-at-all image app.
Developers of those third-party apps reverse-engineer the Snapchat API: the apps are neither built nor maintained by Snapchat itself.
Unfortunately, those third-party apps, which often have security as porous as Swiss cheese, often ask for login credentials for the first-party app in order to send or receive images (and often to snatch, and retain, those images before they go “poof!”) and to access account information.
As “Team Snapchat” points out, when we hand over our login credentials to a third-party app, that opens the door for a developer or a crook to get at your account and send information on your behalf.
Snapchat has been picked up by a lot of young people lured in by the appeal of supposedly disappearing photos, so when it says “send information on your behalf”, we can translate that into “potentially steal your sexting nudies”.
The cottage industry of apps and websites that have sprung up around Snapchat includes SnapSaved.com, which uses a reverse-engineered Snapchat API to save Snapchat images.
SnapSaved on Saturday admitted its Swiss cheese problem: namely, an attacker walked through a misconfigured Apache server and scooped up 500MB worth of images, hundreds of thousands of which were subsequently published online last week.
The reason SnapSaved had to reverse-engineer the Snapchat API – like other third-party apps hovering around Snapchat – is that Snapchat itself hasn’t yet provided a public API.
That’s a convenient position to maintain, given that it allows Snapchat to distance itself from security catastrophes like the SnapSaved incident.
Snapchat’s Terms of Use prohibit these third-party apps, which state that these services can’t be trusted. It’s also quick to point out that it aggressively trawls Google Play and the App Store to stamp out third-party apps.
None of that saved Snapchatters from having their photos stolen out from under their noses, though.
In fact, developers have for years pointed out that the unofficial API – an open secret that’s “widely circulated on the web”, The Verge reports – is a cinch to hack.
Furthermore, Snapchat’s been asleep at the wheel when it should have been working to close technical loopholes that allow unsecure third-party apps to flourish, they say.
Adam Caudill is one of those developers. Since 2012, the security researcher has been sounding alarms about how easy it is to reverse-engineer Snapchat’s API.
After this past weekend’s mass image spillage, he told Wired that he’s surprised it hasn’t happened sooner:
Your average developer can build something in a day’s time that interacts with Snapchat's API and saves everything that comes through it.
Soon after Caudill first gave Snapchat a head’s-up about how easy it would be to build a pirate app that stripped out Snapchat’s time-deletion features and that unauthorized third-party apps that could do the same were “unavoidable”, Snapchat reworked its API.
Whatever it did in that rebuild, it didn’t slow Caudill down much: in a matter of months, he showed that he could still twist things around as he’d done before.
So now Snapchat’s going to tackle the issue of building a public API that it can control.
And what’s the timeline on that?
Welllllll….. you know, these things are hard, Snapchat says:
It takes time and a lot of resources to build an open and trustworthy third-party application ecosystem. That’s why we haven’t provided a public API to developers and why we prohibit access to the private API we use to provide our service. Don’t get us wrong - we’re excited by the interest in developing for the Snapchat platform - but we’re going to take our time to get it right. Until then, that means any application that isn’t ours but claims to offer Snapchat services violates our Terms of Use and can’t be trusted.
Snapchat’s known for its lackadaisical attitude about security.
Back in January, an attack vector it had dismissed as “theoretical” was used to turn it upside down and shake out 4.6 million user names and phone numbers.
Let’s see, how did Snapchat respond, do you recall? Did it apologise? Fix the problem? Convince us that this time its fix really worked?
Oh, no, that’s right, I remember now: it praised itself, didn’t apologise, and said it was really, truly fixing the problem this time around.
In sum, Snapchat’s chastising of third-party apps is a shirking of the company’s own responsibility in creating a safe environment for its users to inhabit, but it’s also in keeping with the history of how it approaches security.
Yes, third-party apps are potentially dangerous. Let’s hope that Snapchat’s going to expedite work on the most airtight public API it can muster.
There isn’t anything SnapChat can do, using technology, to prevent any third party application from saving or copying images. There also isn’t anything they can, using technology, do to ensure “only their official or licensed applications can access their api”. Any secrets can be reverse engineered their application binaries and network protocols.
The only remedies they would have is legal/business remedies to have apple/google remove all “third party snapchat apps” from the store. That would be an interesting feat given the difficulties getting actual malware removed from the app stores.
This is the exact same thing that large content companies (music, movies, etc) are trying to do with all the dvd copy protection schemes. They were even able to get custom hardware embedded, player to screen encrypted channels and cryptographic keys embedded in players… all to no real effect. Those schemes continuously get cracked.
When one party in a communication wants to share (or in this case save) the data they have access to, they will be able to.
The real issue with snapchat is that what they are promising isn’t possible.
“Trying to make digital files uncopyable is like trying to make water not wet.” ~ Bruce Schneier
Water gets fairly dry at -15C 🙂 Maybe Snapchat should seek a cryogenic solution?
Let me see if I get this right:
– user A sends a photo (probably that kind of photo) to user B, trusting Snapchat to show the photo to user B only for 10 seconds (or some predefined time) and then making it dissapear (forever…), without allowing user B (and/or anybody else) to copy/save it.
– user B uses a (non-approved) third party, that saves those protos.
– that third party has a leakeage and the photo appears online.
The problem is not the security of that third party problem, is that it just existed. That app, Snapsaved, dares to say that “Do you want to save snaps without the sender knowing you saved it?”, what simply should not be possible in the first place, according to what Snapchat said. So there are two security problems here (related, but different), one with Snapsaved, and the other with Snapchat.
I agree with the first post, to achieve that the receiver of a photo be not able of saving it might be as impossible as creating the perpetuum mobile (analogic gap at least, anyone?), but to recognize that would simply destroy the business model of Snapchat…