
Reverse engineering Snapchat to store files - rrtwo
https://github.com/hausdorff/snapchat-fs
======
kwx
Already done months ago.. ?
[https://github.com/tlack/snaphax](https://github.com/tlack/snaphax)

~~~
antics
Hi, I'm one of the authors.

I don't read PHP, but you're right that we're not the first to get through the
API. We might be among the first to misappropriate the service for use of
storing and managing arbitrary files, though.

FWIW, we did do this from scratch. I have no idea if this library has the same
secret keys and stuff, but after we finished we went back and looked at other
amateur audits and found the API to be basically unchanged in form between
them, meaning that if they changed the API, it differed only in the specifics
of the keys used, and not in say the protocol for handing server tokens and
request tokens out. (I still don't know if the keys are the same between that
library and our core, for example.)

------
pliu
This seems like kind of a crummy thing to do to snapchat, but I like the idea.

I wonder if that could be successful, like a file swapping service built on
the same premise of one time only. Charge a nickel a shot or something. I have
no idea why that's useful, but for some reason I think it's cool. Maybe just
because it's set and forget and you don't have to worry about cleaning up
later.

Does anything easy to use do that already?

~~~
boyaka
I can see that working. I had this camgirl as a friend on Snapchat and must
have clicked her story update about 200 times fapping to it. I bet Snapchat
has thought of this too, just looking at data like mine xD

------
spullara
I'm presuming without searching that someone has produced a SnapChat-like
application that just doesn't delete photos and lets you look at them as long
as you like? That seems like a pretty reasonable thing to do and basically
impossible for SnapChat to stop.

~~~
pencilo
Hi, one of the authors here. A good chunk of the core is from my Python
Snapchat API
([https://github.com/pencilo/pysnapchat](https://github.com/pencilo/pysnapchat)),
which lets you do things like download snaps and send snaps.

You are correct that it is impossible for them to stop you from downloading
the image and saving it. Images are encrypted on upload but they are encrypted
using a fixed key in AES-128 ECB, so it doesn't do any good.

The simple truth with Snapchat is they cannot make it impossible to download
and save the images without trusted computing support (which they won't get).
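
An added example illustrating the fixed-key AES-128 ECB point in the comment above (not part of the thread or of either project's code): ECB under one fixed key is deterministic, so equal plaintext blocks produce equal ciphertext blocks, while a random-nonce counter mode does not. The block cipher is a stand-in Feistel construction, because the Python standard library has no AES, and `FIXED_KEY` and `SAMPLE` are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel). NOT AES; illustration only."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently with the same key."""
    data = pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ctr_encrypt(key: bytes, data: bytes) -> bytes:
    """Counter mode with a fresh random nonce; returns nonce (8 bytes) + ciphertext."""
    nonce = os.urandom(8)
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = toy_block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return nonce + bytes(out)

def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block (an ECB tell)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

FIXED_KEY = b"constructed-key!"  # constructed; not any real application's key
# Constructed "image": flat regions around one distinct 16-byte block.
SAMPLE = b"\xff" * 64 + b"header-ish bytes" + b"\xff" * 64

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(FIXED_KEY, SAMPLE)))
    print("CTR repeated blocks:", repeated_blocks(ctr_encrypt(FIXED_KEY, SAMPLE)[8:]))
```
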

------
adamnemecek
DMCA takedown notice in 3, 2, 1, ...

~~~
teraflop
If the project doesn't actually contain copyrighted code from SnapChat (and it
doesn't seem to) then a DMCA takedown notice would be illegitimate and
fraudulent.

~~~
sjtgraham
But a prosecution under the Computer Fraud and Abuse Act would be neither, and
far worse for OP.

~~~
sillysaurus2
From a casual glance over the list of cases brought under CFAA[1], that would
be completely unheard of, and seems contrary to the spirit of that law. If I'm
reading correctly, it hasn't ever been used to punish someone who wrote
software, only people who have used software to allegedly exploit servers.
Therefore the users of this tool would be at risk, not the author.

[1]
[http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#No...](http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Notable_cases_and_decisions_referring_to_the_Act)

~~~
sjtgraham
Excuse me but did you read the README? The author clearly admits to using it:
"Since Snapchat imposes few restrictions on what data can be uploaded (i.e.,
not just images), I've taken to using it as a system to send files to myself
and others."

~~~
sillysaurus2
I was only saying that prosecuting him for creating this tool is very
different from prosecuting him for using this tool.

------
rahimnathwani
If someone wanted to add mount support to this, which of these would be
better?

1\. FUSE Python:
[http://sourceforge.net/apps/mediawiki/fuse/?title=FUSE_Pytho...](http://sourceforge.net/apps/mediawiki/fuse/?title=FUSE_Python_tutorial)

or

2\. pyfilesystem
[https://code.google.com/p/pyfilesystem/](https://code.google.com/p/pyfilesystem/)

I've seen FUSE Python used in some different projects on github, and it seems
to work pretty well. I'd not heard of pyfilesystem until recently.

------
brianbarker
SnapChat is already known to soft delete only, so really there's nothing new
here.

------
mcescalante
What types of files might one actually want to upload to their servers? This
falls into the "cool" category for me more than making me want to try it
(especially since you can't delete files you upload...)

~~~
antics
Hey, I'm one of the authors. In fact you can delete a file. Just "view" it in
the app and it gets deleted. What you can't do is delete it from the command
line!

As for your "is this useful" question, I use it to send files to myself, my
friends, and other computers, since it's a bit like asynchronous SCP. But of
course YMMV.

~~~
mcescalante
Thanks for the reply, and I can see that just a few minutes ago you clarified
the wording in the readme, which was my next suggestion. Definitely a cool
tool, I'll definitely try it out now that I know "viewing" it deletes the file
still (makes perfect sense). I figured it'd be good for temporary file storing
& sending, just was a bit worried about leaving permanent copies on their
servers.

~~~
antics
When I saw it on HN frontpage, I freaked out and started adding more
customization and features. :)

As we speak I'm writing the feature that will allow you to use a config file
('~/.snapchat_fs') to configure, e.g., the encryption protocol used, which
would make storing features more secure for you, the user, in the event
Snapchat starts snooping through stuff you've uploaded.

------
fit2rule
Poor name for the package: sfs is already a filesystem type used in the
embedded/musical-instrument industry (primarily Yamaha). A better name would be
scfs, imho.

------
joelcollinsdc
How does one figure out the snapchat API? Presumably the network traffic is
encrypted, were the secret keys extracted from the snapchat app somehow?

~~~
antics
Hey, I'm one of the authors.

Our process was:

* Use MITMProxy to execute a man-in-the-middle attack, which lets you see all the packets in plaintext. It's a command line app which prettifies the packets in a readable way.

* From the packets we can get a lot of info, like where the packets are going, what data the fields contain, etc.

* We can also intercept the packages and mess with the fields to see what breaks when we change things.

* From here we use smali to decompile the Android DPK. Since debugging symbols are left in, this leaves a lot of info for us to look at.

* We ctrl-F for words like "encrypt" and "secret". This leads us right to the call to util android encrypt which is encrypting the images. The argument is a hard-coded secret string that turns out to be used everywhere.

* Looking through the source where that key is used we see that it's also used to generate request tokens, which validate that a request to the API is valid.

* And so on. Eventually with some more poking around we end up with the library here.

~~~
pencilo
You're slightly wrong on the app side of things and the keys.

There are in fact two 'secret' keys. One is a fixed SHA256 hash used for their
weird request generation and one is the fixed AES-128 key for encrypting
snaps. The two have nothing to do with each other besides both being named
secret.

Also it was not ctrl+f for secret as much as it is looking at the call sites
for calls down into crypto libraries, from there it is simple back tracing to
see where the keys came from. Debug symbols are nice but it works just as well
if they strip debug symbols and obfuscate.

~~~
antics
Meh, I literally ctrl-F'd and looked for "encrypt". Worked on the first try.

You're right about the keys though, I always forget which keys get used for
what.

------
moloch
You can also just use Cycript
[http://www.cycript.org/](http://www.cycript.org/)

------
Skovy
"wrote everything else." \- very nice

