

For $300 a Utah company can recover vanished Snapchats - hansy
http://www.businessweek.com/articles/2013-05-09/for-300-utah-company-can-recover-vanished-snapchats#r=hpt-ls

======
DigitalSea
Well it was only a matter of time. On my Galaxy S4 I rooted it and am running
GameSpector and downloaded a patch that not only removes the warning sent to
the sender of said Snapchat I have taken a screenshot of their Snapchat but it
also keeps the Snapchat indefinitely (the countdown drops to zero, but the
video or image remains until you press clear). Anyone who honestly believes
Snapchat is truly anonymous is very much mistaken. Be careful.

Any anonymous service is bound to be abused and used for nefarious purposes.
The high price tag ensures that only serious situations will warrant a
Snapchat recovery (primarily law enforcement and on occasion, paranoid
parents). Considering most people use Snapchat on their iPhone's mainly, I
think most are safe for now.

~~~
treahauet
There are tweaks available on Cydia for jailbroken iOS devices that provide
similar functionality.

------
grey-area
_The appeal of Snapchat—and a growing number of companies specializing in
ephemeral media—is that once the expiration date has passed, you no longer
have to worry about whatever it is you just shared. It’s gone forever. Nobody
can dredge it back into public view._

It's not necessary to root your phone to circumvent snapchat or run special
software after the fact.

Since you can always use a camera (say on another phone) to take a photograph
of the screen and record the image that way, why would anyone consider
snapchat or similar services secure or reliable? If you can see it, you can
reproduce it, and share it as much as you want via other channels.

~~~
steveklabnik
Snapchat alerts users that the person on the other end has saved a screenshot,
so as long as you don't see that, most people would assume that it has, in
fact, disappeared.

~~~
YPetrov
Is that for Android only? Yesterday my friend and I tried it (I have an
iPhone, he has a Samsung), because I was curious if I will be able to take a
screenshot while holding my finger on the image and it worked. He received no
notification about the screenshot, though.

~~~
steveklabnik
Nope, my iPhone has told me when another iPhone user has saved a screenshot
before. Unsure about Android/iPhone.

------
saurik
A bunch of people here seem to misunderstand this as less powerful than being
able to just modify the software (largely trivial on both iOS and Android) to
not delete the images in the first place, or to save them while viewing them:
that requires forethought to have made that modification ahead of time. The
people who talk about "forensics" are interested in situations like "cell
phone belonging to victim found at the murder scene: checking the system logs,
the most recent application to have been used was SnapChat; if we knew what
they had just received, we might have a clue (or just a naked picture of
someone close to the victim)".

Honestly, what they are doing is probably about as "lame" as "undelete a
file", possibly with the at-most complexity of "undo some simple encoding" or
"undelete a file that was stored as a row in an SQLite database that has yet
to be vacuumed". So, this isn't technologically "wow" (one of the threads here
is "how is this 'special'?"), but this also really isn't "engh, I can root it
and scrape the framebuffer". It isn't even a company bragging that they beat
SnapChat, so the "it's lame tech" part doesn't even matter: it is a company
advertising a product/service for police departments to undelete self-
destructing messages from a program that is very very popular.

I thereby feel a more interesting conversation to be having on HN about this
article isn't "lame, we knew SnapChat was insecure" or "lame, I could have
done that" or "lame, there are easier ways to do that": it would be something
closer to "damn, that was easy, we all knew it could be done, I could have
even done it, and apparently it is worth $300 a pop to do this for forensics
purposes? what other business opportunities are low-hanging fruit I'm missing
out on by dismissing them as 'lame'?". (Yes: I know that "lame" wasn't a quote
from any of the responses; I am summing up the sentiment. It isn't just HN
either, but the other places I've seen this discussed don't have the business
focus.)

~~~
A1kmm
I think that given Snapchat's advertising ('the snap disappears') they should
really be doing more on the client to make sure third parties don't get access
to the picture, for example, by not storing it on the device at all.

------
shmageggy
I know nothing about Android development (this service isn't available for iOS
yet, according to the article). Does the OS give you low enough level control
to overwrite specific memory locations, say with random data? In other words,
could the snapchat app shut this down with a simple update?

~~~
georgemcbay
Even if they did this, there's still a huge problem on Android in that it is
trivial to root virtually any Android phone and a rooted phone can be running
a background app with READ_FRAMEBUFFER_ACCESS and constantly polling the
framebuffer, so anything you see on the screen is leaked out of any app. And
you can do this all at the app level without even getting into kernel driver
hacks.

Anyone who thinks the photos passed along through these apps are in any way
safe from being saved and leaked by the receiver is very technically naive.
All of the old rules about all bets being off if someone has physical access
to a device in the chain still apply.

~~~
rajivm
You could draw the photos in a SurfaceView with a "secure" flag (see
[http://developer.android.com/reference/android/view/SurfaceV...](http://developer.android.com/reference/android/view/SurfaceView.html#setSecure\(boolean\))).
This would prevent other apps from reading them out of the framebuffer, or
even taking a screenshot of them. If Snapchat isn't doing this, well their
developers should do some research...

~~~
georgemcbay
That flag only exists in the very newest JellyBean MR1 release (API level 17).
The best they can do is set it if the user is running an Android device at 4.2
and higher, which is a VERY small minority* of all Android devices right now.
Until they are willing to limit the app to devices running Android 4.2 and
above (and there is no way anyone would do this right now, it would be
commercial suicide) the easy escape hatch remains.

* 2.3% as of this writing according to <http://developer.android.com/about/dashboards/index.html>

------
vxNsr
It really was only a matter of time before this came out.

Though by making it $300 they really restrict their clientele to companies or
the government, both of whom would be able to cough up the money for
investigations. This will almost definitely keep out the riff-raff trying to
retrieve that dick-pic or nip-slip.

~~~
greenyoda
Anyone who has enough money to pay for a smart phone could probably scrape up
$300 if they wanted that photo badly enough. Kids who are too young to have a
credit card might find it difficult to use the service, however.

But now that this company has figured out how to do it, others will figure it
out too and the competition will lower the price.

~~~
vxNsr
I don't know... Most people I know with smart phones didn't pay >$200 and a
lot got some sorta deal. Regardless, @ ~$300 or even if it went down to $100
most people aren't gonna spend that to retrieve a pic unless it's supremely
important.

------
tagabek
What does "special forensics software" even mean? What is stopping some smart
hackers from making a software that does the same thing, open sourcing it, and
allowing 'regular' people to do the same thing for free?

~~~
illuminate
Not much, really. Anything that scrapes the disk image should be able to
recover the images. There's already a "free" open source application or three.

I don't work in the field, but I've had some classes with local forensics
engineers. Forensics teams buy software almost solely because they are able to
reliably cite the software's use in court, and the developers could be
subpoenaed easily to explain the function if the defense decided to call its
use into question. Open-source solutions likely will never be used for that
reason.

------
quarterto
They spelt danah boyd's name wrong.

