
Snapchat Detection on iOS (2019) - mpweiher
https://aeonlucid.com/Snapchat-detection-on-iOS/
======
rvz
The title in the blog sounds slightly confusing here. It should at least add
the word 'Jailbreak' which clears up the confusion and adds more context to
the readers. Thus, it should be "Snapchat Jailbreak Detection on iOS".
Likewise for the Android version of the app. [0]

Otherwise a great read for the security research folks interested in reversing
iOS apps.

[0] [https://aeonlucid.com/Snapchat-detection-on-Android/](https://aeonlucid.com/Snapchat-detection-on-Android/)

------
saagarjha
I'm actually quite surprised that Apple allows apps on the App Store that make
system calls directly, as those are as "private API" as you can possibly get.
Also,

> I need to be honest, this is a very annoying way how they check for
> injection because it is annoying to fix. Instead of using getenv they use
> the environ variable. Since it is a variable, you can not “hook” it.

Once you have code execution I don't see why you can't just go change it back
to how it should look…

One more interesting fact is that the checks mentioned here often catch people
who are jailbreaking…and people who _look_ like they are jailbreaking, like
Apple employees with internal devices. They're indiscriminate, so if you're
thinking of implementing these in your app and the many other reasons to not
do so aren't enough for you, consider that you may end up annoying a number of
engineers at the company that you're solely dependent on to distribute your
application.

~~~
monocasa
Right? I'm surprised Apple doesn't have a ban on an aligned "d4000001", aka
'svc #0', being anywhere in your executable segments. There's no reason for
that unless you're making syscalls directly.

That being said, Snapchat I'm sure makes an absolutely ludicrous amount of
money for Apple given that Apple would be dipping into Snapchat premium
subscriptions. I bet they're special cased, can annoy all the Apple engineers,
and not have any repercussions from it.
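
As an added illustration of the static check this comment suggests (example code, not from the thread or from Snapchat): a Python scanner that looks for AArch64 `svc` instructions at 4-byte alignment in the bytes of an executable section, generalising the single encoding 0xD4000001 to any `svc` immediate. The section bytes, base address and sample instruction words are constructed assumptions; extracting the section from a Mach-O is left to a separate parser.

```python
# Added example (not from the thread or from Snapchat): a static check for
# AArch64 "svc" instructions in executable bytes, generalising the single
# encoding 0xD4000001 (svc #0) that the comment mentions to any immediate.
import struct

# AArch64 SVC encoding: 1101 0100 000 imm16 00001
SVC_MASK = 0xFFE0001F
SVC_BITS = 0xD4000001


def decode_svc(word: int):
    """Return the 16-bit immediate if `word` encodes SVC, else None."""
    if word & SVC_MASK != SVC_BITS:
        return None
    return (word >> 5) & 0xFFFF


def find_svc(code: bytes, base: int = 0):
    """Scan 4-byte-aligned little-endian words of an executable section.

    `code` is assumed to be the raw bytes of an executable section (e.g.
    __TEXT,__text extracted from a Mach-O by a separate parser) and `base`
    its load address. Returns a list of (address, immediate) tuples.
    """
    hits = []
    for off in range(0, len(code) - 3, 4):
        word = struct.unpack_from("<I", code, off)[0]
        imm = decode_svc(word)
        if imm is not None:
            hits.append((base + off, imm))
    return hits


# Constructed sample section: assumed words, not taken from any real binary.
SAMPLE = b"".join(struct.pack("<I", w) for w in (
    0xD2800020,  # mov x0, #1
    0xD4000001,  # svc #0      (the encoding named in the comment)
    0xD4001001,  # svc #0x80   (the immediate XNU's arm64 syscalls use)
    0xD4000021,  # svc #1
    0xD503201F,  # nop
    0xD65F03C0,  # ret
))
# Bytes 01 00 00 d4 straddling two aligned words must not count as a hit.
UNALIGNED = b"\x00\x01\x00\x00\xd4\x00\x00\x00"
```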

------
kevincox
It is mildly upsetting that it says "These tweaks can compromise the security
of your account" when the reason for the bans is clearly so that it is more
difficult for you to save images you receive.

[https://support.snapchat.com/en-US/a/jailbroken-iphone](https://support.snapchat.com/en-US/a/jailbroken-iphone)

~~~
jayd16
Presumably it's for bot detection.

~~~
asdff
It's for the tweaks. For a while there was an update-to-update arms race
between Phantom and Snapchat. Snapchat would detect Phantom, then the next
Phantom update would evade the detection, then back and forth, back and forth.
Phantom basically added more power to the app, along with the ability to save
videos and photos, plus some other quality of life features that took Snapchat
years to implement natively (groups, more design tools, access to camera roll,
etc.). Honestly, probably 90% of Snapchat's features over the past 5 years came
from copying features from that tweak.

I can't imagine why Snapchat is so militant, probably just some ego or
personality on their dev team that doesn't want a subset of power users to
emerge. It reminds me of Twitter going to war with alternative clients. I tend
to hold on to my phone for pretty long, and Snapchat is always the first app
that forces me to update my phone to the latest OS or even buy a new one
entirely if I've reached the final OS for that phone.

------
quenix
Holy shit. That’s overkill for a texting app for high schoolers.

~~~
Spivak
Snapchat is aggressive in preventing people from reverse engineering it as a
spam prevention measure. If you make it really really hard to automate its use
the spammers will move on to other targets.

~~~
rvz
Exactly. That's why the presence of bots on Snapchat is close to zero and the
accounts are almost certainly created by real users, unlike other platforms.

However, the daily active users on Snap is a more interesting metric than the
total number of users signed up.

~~~
asdff
Citation needed. Bots add me every week, it's no different than what you find
on instagram.

~~~
Nextgrid
Even if we assume these are "manual" bots from click farms, it still doesn't
fulfill Snapchat's objective.

Users hate _spam_, not bots per se. Snapchat should be focusing on fighting
spam, through a karma system, rate limits, etc., instead of purely focusing on
bots and preventing _good_ bots (or users that appear to be bots, with
alternative clients, etc.) from existing.

------
xVedun
Interesting that even Apple apps with the strictest sandboxing by default
still have over ten different methods of determining if a jailbreak exists. Now
maybe these methods are only useful when a phone is jailbroken, but this just
seems like another way of collecting information.

~~~
saagarjha
Many of these methods are probing for whether the sandbox exists and is in
effect: on a normal device they will return errors (you tried to access
something you shouldn't have) or predictable values (the libraries loaded
should just be your own and Apple's) based on the app's execution. The point
of such checks is that on a jailbroken device they will unexpectedly succeed
due to relaxed policy enforcement or give away information that code execution
is occurring. In my opinion most of these should not pass App Store Review. But
Apple lets it through regardless…

------
solarkraft
It refusing to work on modified devices is exactly why I don't use it. It's a
little sad because I like the format (Instagram doesn't feel the same), but
the clear lack of respect (they won't even tell you why the login fails on
Android) is pretty disappointing.

------
departure
Are there any good open source libraries or even commercial tools for root
detection and app code obfuscation like those discussed in this thread:

[https://news.ycombinator.com/item?id=23557998](https://news.ycombinator.com/item?id=23557998)

~~~
saagarjha
Snapchat bought the team that was doing it for them, Strong.codes. But you
might have luck searching for things like "LLVM obfuscator" or some of the
other techniques discussed in the thread. (Obligatory disclaimer: obfuscation
is not a substitute for proper server-side security.)

------
mrtksn
I expected to see use of DeviceCheck.[0]

[0] [https://developer.apple.com/documentation/devicecheck](https://developer.apple.com/documentation/devicecheck)

~~~
Nextgrid
I expect this to be the first thing bypassed by jailbreakers. In fact,
concentrating the checks into a single place makes it easier. Ultimately,
attempting to establish security in a hostile environment (where your code is
running on someone else's machine) is and will always be impossible.

Even Apple acknowledges this:

> No single policy can eliminate all fraud. For example, App Attest can’t
> definitively pinpoint a device with a compromised operating system. Instead,
> the DeviceCheck services provide information that you can integrate into an
> overall risk assessment for a given device.

------
sloshnmosh
Interesting techniques.

I wonder if Snapchat would also flag a user if their iPhone was jailbroken or
otherwise hooked by NSO Group's Pegasus spyware?

~~~
saagarjha
Depends. If the malware's job is to just pull the Messages database off the
device, then no, this wouldn't find it because the exploit would likely make
minimal patches to things it cares about and Snapchat would not be aware that
the kernel has been compromised. But if the spyware tried to inject code into
the Snapchat process–which is the only thing that malware would do that it can
really check for–it's possible, but depending on the sophistication of the
malware authors it's quite possible to bypass these checks.

------
marczellm
I don't even understand what this is about.

~~~
diegoperini
Snapchat doesn't want technically proficient people to be a part of its social
network. This is an analysis of how they achieve it on iOS.

~~~
gcbw3
You are being downvoted for the sarcasm, but it is a very clear and concise
description of the unintended consequences of this.

Advanced users get root on their phones, and use Linux on their computers. And
as a consequence, they must fight uphill battles or outright give up their
access to some tools/networks/games, effectively censoring them there for
unrelated choices.

This is the modern equivalent of being silenced by email spam filters' false
positives, but today, nobody gives this a thought.

~~~
diegoperini
Thank you for explaining it better than me.

Just to be clear, I don't consider Snapchat's decision as evil or good.
"Alienating techies" vs "enabling revenge porn" isn't like your everyday
dilemma.

