Temporary messaging apps can’t keep pictures and video secure

Jan 23, 2013


Want to send a picture or message but don’t want it shared with friends, leaked all over the internet, and potentially traced back to you? Unless you’re 100% certain that you can trust whoever you’re sending a message to, then you shouldn’t send it. The most popular temporary photo messaging apps can leak your data on devices that aren’t even jailbroken, and with a few tweaks you can easily get past one of the most secure messaging apps available.

The current versions of Snapchat and Facebook Poke aren’t secure apps. Evan Spiegel, Snapchat’s founder, doesn’t seem overly concerned about the possibility of users saving and sending their received pictures. In a comment to BuzzFeed, Spiegel said: “The people who most enjoy using Snapchat are those who embrace the spirit and intent of the service. There will always be ways to reverse engineer technology products — but that spoils the fun!” That’s not exactly what you want to hear if you’re using the service to send pictures and video that you don’t want publicly shared…

It’s very easy to snag Snapchat videos with iTools and the current version of the app.

If the recipient has a non-jailbroken device, it’s possible to download photos and videos received through Snapchat and Facebook Poke with iOS filesystem browsers like iTools or iFunBox. The files themselves are unencrypted, so someone could get to them without much fiddling around. Facebook Poke even has a dedicated jailbreak tweak called PokerFace for disabling the app’s security features, and there are rumors floating around of similar tweaks being developed for Snapchat.

While you may have assumed that the purpose of the app was to prevent your photos from being saved and shared, neither app claims to be secure. The iTunes pages both describe these temporary message apps as services for quickly sharing ‘moments’.

How about an app built with security in mind?


Foxygram is an app with serious cryptographic credibility. The software was name-dropped in MIT’s Technology Review as an example of how 256-bit military-grade encryption in the hands of consumers could potentially lead to uninterceptable organized crime. FoxyFone’s own promotional material goes as far as to say: “Foxygram is Secure Messaging and a Swiss Vault in the palm of your hand.”

Foxygram doesn’t just stop interception with strong encryption, it also includes measures to prevent information from leaking while it’s on the intended device, such as its own app-specific password, screenshot protection, and timed messages. The app even attempts to prevent jailbroken phones and tablets from running the software.

If you try to access Foxygram’s data in iTools or iFunBox, you’ll just see the encrypted .foxy files. On a non-jailbroken device, the security is almost perfect.
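A developer-side storage check for the difference described above (plaintext Snapchat and Poke media versus Foxygram’s encrypted .foxy files), run against a copy of an app’s data directory. This is an added example, not code from the article or from any of the apps; the file names, file contents and the 7.5 bits-per-byte threshold are constructed assumptions.

```python
import hashlib, math, os, tempfile

MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}

def classify(head: bytes) -> str:
    """Label a file by its first bytes: plaintext media, opaque, or other."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return "plaintext:" + kind
    if head[4:8] == b"ftyp":              # ISO base media box (MP4/MOV video)
        return "plaintext:mp4"
    n = len(head)
    counts = [head.count(bytes([b])) for b in set(head)]
    entropy = -sum(c / n * math.log2(c / n) for c in counts)
    # Near 8 bits/byte and no known header: consistent with encryption or compression.
    return "opaque" if entropy > 7.5 else "other"

def audit_container(root: str) -> dict:
    """Walk a copy of an app's data directory and classify every file."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                report[os.path.relpath(path, root)] = classify(fh.read(4096))
    return report

def build_sample(root: str) -> None:
    """Constructed sample tree; all paths and contents are made up."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "tmp/received_0001": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
        "tmp/received_0002": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64,
        "Documents/0003.foxy": blob,      # stands in for an encrypted file
        "Library/settings.txt": b"notifications=on\n" * 8,
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_container(root)

if __name__ == "__main__":
    print("\n".join(f"{v:16} {k}" for k, v in sorted(demo().items())))
```

Any `plaintext:*` result means the file is readable by whatever can reach the app's directory; `opaque` only says the bytes are not a recognisable media file, not that the encryption is sound.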

But if the user has a jailbroken iPhone then leaking data from any ‘secure app’ is a simpler matter. Once the app’s jailbreak detection is foiled with xCon, a malicious user could stream pictures to a computer using Veency, snag video through Universal Video Downloader, or find another way to get at the privately shared content. I’ve tested these methods with my own messages, and they all work. It seems even a portable Swiss vault can be cracked.

There are just too many ways to thwart security on a jailbroken device.

The bottom line: While the most secure messaging apps can prevent unwanted eyes from intercepting your data, if your recipient can see your message and wants to leak it, you have to assume they can. Regardless of advertising, there currently aren’t any apps or tweaks that can replace trust.

Would you bother with secure messaging apps, or skip the technology altogether? Share your thoughts in the comments section.

  • http://twitter.com/Cesuva Matthew

    You could only install xCon and Veency if you were holding the device or on the same wifi network. Even then the victim might have a passcode in their device, have changed their SSH password (if installing over wifi through SSH), not have OpenSSH installed, have a password on Foxygram itself (likely if the person has downloaded an app marketed as a secure messaging service) or notice their device is acting strangely i.e. opening apps and unlocking without them touching the screen (if using Veency).

    • Matthew

      I know it’s off topic but our disqus usernames are the same.

      • http://www.facebook.com/siggen Sigurd Bøe

        It is not off topic, now I do not know which one of you to send pictures and messages I do not want leaked D:

    • http://Michaelschnier.tumblr.com Michael Schnier

      “Want to send a picture or message but don’t want it shared with friends, leaked all over the internet, and potentially traced back to you? Unless you’re 100% certain that you can trust whoever you’re sending a message to, then you shouldn’t send it.”

      The idea is the person you’re sending a message to could intentionally leak your pictures.

      • Falk M.

        If it’s that confidential, why send it? Obviously a camera pointed to the screen will do the trick.
        It’s just less convenient.

      • http://Michaelschnier.tumblr.com Michael Schnier

        “Regardless of advertising, there currently aren’t any apps or tweaks that can replace trust.”

        That’s exactly what I was pointing out.

  • http://twitter.com/xXJeanmarchpXx JeanMarc

    Most people don’t know that Snapchat is not safe

    • Falk M.

      That’s because most people don’t think for a second before using a pseudo-cool service.

  • Falk M.

    Camera pointed to iPhone screen, boom.

    Don’t message me something if you don’t want me able to store it, as I love archiving my conversations and friend’s pictures too much.

    If you don’t want to send it without trusting pseudo-security measure, just open whatever you have on your phone and show it to me. Simples.

    ffs…

  • http://www.facebook.com/colten.thiel Colten Thiel

    Not sure about other apps, but I just use the tweak Display Recorder and activate it before I open Snapchat, record the photo, end the video and then screenshot the photo from that. Or I’ll have the Snapchat video too! Think that’d work with Foxygram or Poke too?