Random Thoughts: On Snapchat’s snafu

Background

A security company reverse engineered Snapchat’s android client and found all the api endpoints (source).
Bigger issue: The published proof of concept of using “find friends” feature to find whether a phone number is registered on Snapchat or not, and if it is, then its associated username and location of the user.
Their claim was that despite informing Snapchat about the hole, Snapchat did nothing about it.
As expected, someone published data of 4.6M registered users (source) using the proof of concept provided. Snapchat responded saying that soon users will be able to opt-out of find friends feature.

Thoughts on Reverse Engineering

Preventing reverse engineering of client side code is in principle, impossible. It can be made difficult and there are entire industries set up around this. It can definitely be made difficult using obfuscation but ones a company has rumoured valuation of 4 billion, its impossible not to attract attention of security researchers and any efforts made to prevent reverse engineering will be arms race.

Thoughts on user information leak

A new generation of mobile focused social apps (three I use – Snapchat, WhatsApp, Viber┬ábut there are many more) uses mobile phone address book as connections, this leads to some interesting situations. Two years back, some people reverse engineered WhatsApp’s api and found out a way to read (and modify) status of users on WhatsApp (source), since Snapchat authenticates its users, the problem of modification is not an issue but the first issue still remains. Mobile numbers are from a small namespace (10 digits in USA and cannot be longer than 15 digits as per ITU), its easy to scan this range and I believe rate limiting would not have helped much either.

A better solution

What surprises me more is that Snapchat did not implement a simpler fix of requiring “mutual contacts in address book” before disclosing information about one’s contacts.
Imagine this Adam has Eve’s phone number in his contact list but Eve does not Adam in her contact list, in that case, letting Adam know that Eve uses Snapchat or being able to pull her location is a bad idea. A simple fix like this would, in my opinion, have prevented this fiasco.
I must admit, the fix is not novel, that’s how Google Talk’s status and online/offline presence works, Adam cannot get that info about Eve through her email address lest Eve adds her back as well.