Temporary messaging apps can’t keep pictures and video secure

snapchat ghosts

Want to send a picture or message but don’t want it shared with friends, leaked all over the internet, and potentially traced back to you? Unless you’re 100% certain that you can trust whoever you’re sending a message to, then you shouldn’t send it. The most popular temporary photo messaging apps can leak your data on devices that aren’t even jailbroken, and with a few tweaks you can easily get past one of the most secure messaging apps available.

The current versions of Snapchat and Facebook Poke aren’t secure apps. Evan Spiegal, Snapchat’s founder, doesn’t seem overly concerned about the possibility of users saving and sending their received pictures. In a comment to BuzzFeed Spiegal said: “The people who most enjoy using Snapchat are those who embrace the spirit and intent of the service. There will always be ways to reverse engineer technology products — but that spoils the fun!” That’s not exactly what you want to hear if you’re using the service to send pictures and video that you don’t want publicly shared…

snapchatIt’s very easy to snag Snapchat videos with iTools and the current version of the app.

If the recipient has a non-jailbroken device, it’s possible to download photos and videos received through Snapchat and Facebook Poke with iOS filesystem browsers like iTools or iFunBox. The files themselves are unencrypted, so someone could get to them without much fiddling around. Facebook Poke even has a dedicated jailbreak tweak called PokerFace for disabling the app’s security features, and there are rumors floating around of similar tweaks being developed for Snapchat.

While you may have assumed that the purpose of the app was to prevent your photos from being saved and shared, neither app claims to be secure. The iTunes pages both describe these temporary message apps as services for quickly sharing ‘moments’.

How about an app built with security in mind?

import denied

Foxygram is an app with serious cryptographic credibility. The software was name-dropped in MIT’s Technology Review as an example of how 256-bit military-grade encryption in the hands of consumers could potentially lead to uninterceptable organized crime. FoxyFone’s own promotional material goes as far as to say: “Foxygram is Secure Messaging and a Swiss Vault in the palm of your hand.”

Foxygram doesn’t just stop interception with strong encryption, it also includes measures to prevent information from leaking while it’s on the intended device, such as its own app-specific password, screenshot protection, and timed messages. The app even attempts to prevent jailbroken phones and tabets from running the software.

If you try to access Foxygram’s data in iTools or iFunbox, you’ll just see the encrypted .foxy files. On a non-jailbroken device, the security is almost perfect.

But if the user has a jailbroken iPhone then leaking data from any ‘secure app’ is a simpler matter. Once the app’s jailbreak detection is foiled with xCon, a malicious user could stream pictures to a computer using Veency, snag video through Universal Video Downloader, or find another way to get at the privately shared content. I’ve tested these methods with my own messages, and they all work. It seems even a portable Swiss vault can be cracked.

foxygram veencyThere are just too many ways to thwart security on a jailbroken device.

The bottom line: While the most secure messaging apps can prevent unwanted eyes from intercepting your data, if your recipient can see your message and wants to leak it, you have to assume they can. Regardless of advertising, there currently aren’t any apps or tweaks that can replace trust.

Would you bother with secure messaging apps, or skip the technology altogether? Share your thoughts in the comments section.