The fundamental concept of snapchat is impossible. It's the same problem as DRM. You can't control how somebody views some content because as long as they can see it, they can copy it (even if they magically fixed all screenshot and 3rd party app issues, you could always take a picture of the phone screen)
Doing all that crypto stuff is the equivalent of using 6 locks on your bike's wheel. No matter how good the locks are, it's still going to get stolen by removing the wheel.
Them not removing the images client side is a bit bad, yes, but 99% of people who could recover images like that could recover them 101 other ways
Of course, for a company valued at billions (hah!), implementing anything that can get them in to hot water with the authorities, or breaks the user experience, isn't going to happen just before or after an IPO or buyout.
but...his proposal involves trusting snapchat... so it's completely useless.
Even if they did implement all of it, at any point they could update a backdoor into it and you would have no way of knowing.
While in theory yes, a system is only as secure as its weakest component, this completely misses the point that what we're trying to prevent here is casual spying and that the person receiving the content is not always the one you want to guard against. True, if you don't trust the one you're sending pictures to there is nothing you can do, but that's not a reason to make all other types of spying effortlessly easy.
Because users believe (whether they're right to do so is beside the point; fact is, they do) their messages disappear from the target device, they might be compelled to send photos that are a bit more private in nature than those they'd usually send through other channels. Most often, what you want to prevent is curious third parties ("friends", jealous boyfriends or girlfriends, the police) who somehow got access to your phone from easily accessing all the pictures you've ever received after the fact, and properly deleting images after reception (which I believe they now do, as this issue has been known for a long time now) would actually achieve just that.
Even if they could lock down the phone and successfully implement a DRM I could just take a dang picture of the picture....
There are a million and one ways to compromise a local image cache that's intended to be private. You can potentially recover it from the NAND flash if you're sophisticated enough, you can decrypt the data while it's still alive, but deleting the image when you said you would is, well, a pretty basic feature that would prevent the easiest of easy attacks.
I'd expect this sort of thing from an app where people are sending private images, against the initial intent/design. But Snapchat?
The analog hole makes this app a fun game at best, it's certainly not secure in any way, so I don't see why this is a big deal. By sending a photo to someone, you are leaking info, and if they can see it, they can copy it trivially with a cameraphone (far more trivially than by trying to get it off a locked down file system on something like iOS).
In this case, making sure the file isn't on the device longer than it should be.
Keep in mind, when it comes to extracting images, you can't stop a sufficiently informed or sufficiently determined end user, because all of your code runs on a device that's wholly under the control of the end user. All you can do is basic due diligence.
There is the side problem where the attacker isn't the end user (e.g., malware attempting to extract private images from a phone). At the end of the day though, there is squat all you can do against code that has root.
Contrary to some other platforms (to my knowledge, most notably Android), iOS apps are very sandboxed.
Edit: I have personally confirmed this on iOS. According to a commenter below, this is also true on Android.
The thing about Snapchat is that it's basically held together with sticky tape and string. It's not totally dissimilar to where Facebook was a year or so from launch (2006 or so): code that was pretty much thrown together, and hasn't had much time for improvement.
I haven't seen the codebase itself, but I'm coming to this conclusion based upon pulling apart both the client apps and the god-awful API that's used. Perhaps in the last few months it has improved somewhat, but it was still pretty dodgy back in May or so.
Their startup game isn't about engineering quality, it's about rapid growth at all costs. In this game, you aren't even a product—you're just something to be walked all over.
When you think Snapchat, go back to their origin stories: http://valleywag.gawker.com/snapchat-had-the-frattiest-creat... and http://valleywag.gawker.com/snapchats-creator-another-spoile...
So hilariously sad.
Secret chats use end-to-end encryption. We do not store your secret chats on our servers. We also do not keep any logs for messages in secret chats. What this all means, is that there is no way for us to know who or when you message via secret chats — as soon as the messages are delivered, they're gone. And there is no way for anybody, including us, to learn what was in those messages, photos or videos. For the same reasons secret chats are not available in the cloud — you can only access those messages from the device they were sent to or from.
And from [the FAQ](http://telegram.org/faq#q-whats-this-encryption-key-39-thing):
When a secret chat is created, the participating devices exchange encryption keys using the so called Diffie-Hellman key exchange. After the secure end-to-end connection has been established, we generate a picture that visualizes the encryption key for your chat. You can then compare this image with the one your friend has — if the two images are the same, you can be sure that the secret chat is secure and no man-in-the-middle attack can possibly succeed.
Note: I'm in no way affiliated with Telegram—I just happen to think it's a great piece of software and deserves more highlight.
And Telegram [supports](http://telegram.org/faq#q-how-do-self-destructing-messages-w...) true self-destructing messages.
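To make the quoted FAQ concrete, here is an added illustration (my own code, not Telegram's, which uses MTProto and a picture rather than a text digest) of why comparing key fingerprints out of band catches an interposed third party: an honest Diffie-Hellman run leaves both sides with the same secret and therefore the same fingerprint, while an interposer who pairs with each side separately leaves them with different ones. The group parameters are a constructed toy.

```python
import hashlib
import secrets

# Toy group, constructed for this illustration only: a Mersenne prime keeps the
# arithmetic readable. It is not a safe prime; real deployments use
# standardized groups (e.g. RFC 3526) or elliptic curves.
P = 2**127 - 1
G = 5

class Party:
    """One chat participant holding a private exponent and its public value."""
    def __init__(self, name, priv=None):
        self.name = name
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.shared = None

    def derive(self, peer_pub):
        # Classic Diffie-Hellman: shared = peer_pub ** priv mod P
        self.shared = pow(peer_pub, self.priv, P)
        return self.shared

def fingerprint(shared):
    """Short digest of the shared secret; Telegram renders it as an image, here it is text."""
    digest = hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def exchange(alice, bob, mitm=None):
    """Run the exchange and return both sides' fingerprints.

    With mitm=None the public values travel untouched. Otherwise the
    interposer substitutes its own public value toward each side, so each
    side ends up with a different secret, which is exactly what the
    out-of-band fingerprint comparison is meant to reveal.
    """
    if mitm is None:
        alice.derive(bob.pub)
        bob.derive(alice.pub)
    else:
        alice.derive(mitm.pub)
        bob.derive(mitm.pub)
    return fingerprint(alice.shared), fingerprint(bob.shared)

def honest_exchange_matches():
    fa, fb = exchange(Party("alice"), Party("bob"))
    return fa == fb

def mitm_exchange_matches():
    fa, fb = exchange(Party("alice"), Party("bob"), mitm=Party("mallory"))
    return fa == fb
```

The comparison only helps if the two users actually check the fingerprints over a channel the interposer does not control.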
The issue isn't the security of the network layer for Snapchat, it's the security of the data once it's on the devices.
Which is to say, when the message self-destructs, it doesn't actually self-destruct on the device, at least not fully.
There are a lot of problems with just saying "it's encrypted."
Am I missing something about what would make this hard or impossible? It just seems like such an obvious solution to me.
Assuming everything worked as described, people could always take video screenshots, or record the screen with a camera (30+ fps is very common these days).
Brightness seems a real potential problem.
Load time and total battery/CPU consumption seem to be things that would be algo dependent.
But it would still be possible to just videotape a snap.
Caching images on the device is basically a universal problem for mobile apps. It improves responsiveness and prevents unnecessary network usage. As such, there are open source libs that do all the boring heavy lifting for you.
Most image caches also don't hold sensitive images, nor do they really expire.
In this case, you may have deleted the database row around the post, but the image cache still has the image on-disk.
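An added example (my own, not Snapchat's code or any specific caching library) of the failure just described: a minimal "snap" store with a metadata table plus an on-disk image cache, where the naive expiry deletes only the database row and the cached file survives, against a version that removes the bytes before the row. Table and file names are constructed for the demo.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

def open_store():
    """Constructed metadata table; the image bytes live in a separate cache dir."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE snaps (id INTEGER PRIMARY KEY, sender TEXT, cache_path TEXT)")
    return db

def receive_snap(db, cache_dir, snap_id, sender, image_bytes):
    # The cache layer writes the file; the app records only a pointer to it.
    path = Path(cache_dir) / f"{snap_id}.jpg"
    path.write_bytes(image_bytes)
    db.execute("INSERT INTO snaps VALUES (?, ?, ?)", (snap_id, sender, str(path)))
    return path

def expire_naive(db, snap_id):
    """The bug: the row disappears, but the cached image stays on disk."""
    db.execute("DELETE FROM snaps WHERE id = ?", (snap_id,))

def expire_properly(db, snap_id):
    """Remove the cached bytes first, then the row, so an interrupted expiry
    never leaves an orphaned file that nothing will ever clean up."""
    row = db.execute("SELECT cache_path FROM snaps WHERE id = ?", (snap_id,)).fetchone()
    if row is None:
        return
    try:
        os.remove(row[0])
    except FileNotFoundError:
        pass  # already gone; still drop the row below
    db.execute("DELETE FROM snaps WHERE id = ?", (snap_id,))

def leaks_after_expiry(proper):
    """True if the row is gone yet the image is still readable from the cache dir.
    (Note: os.remove unlinks the name; recovering bytes from flash is a separate problem.)"""
    with tempfile.TemporaryDirectory() as d:
        db = open_store()
        path = receive_snap(db, d, 1, "friend", b"\xff\xd8constructed-jpeg-bytes")
        (expire_properly if proper else expire_naive)(db, 1)
        row_gone = db.execute("SELECT COUNT(*) FROM snaps WHERE id = 1").fetchone()[0] == 0
        return row_gone and path.exists()
```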
I assumed the purpose was to shift the expectation of reasonable behavior from "keep for as long as you like" to "let the image expire".
If you send someone an image via email or some other platform, it's perfectly reasonable for them to keep the image in their archives forever.
If you send someone a snapchat, the expectation of reasonable behavior is to let the image expire and disappear. If one discovered that someone was using clandestine means to keep snapchats sent to them, that person would suffer social repercussions.
In other words, snapchat have created a system where it's creepy to keep snaps forever, against the will of the sender. Yes, it's possible, perhaps even trivial. But it's also trivial to rummage through a friend's underwear drawer when visiting their home. The "security" of the underwear drawer is established by trust and social convention. That's how I feel about snapchat. It's an easy way of saying "please don't keep my messages".
Encryption does not fully seal the analog hole, at best it is suitable for protecting structured groups of bits until they must be prepared for crossing the analog gate.
The only way to have exclusive control of any analog or digital property is to exclusively own all access vectors to it. Any form of communication that is not neuron-based removes this lock by necessity, permitting various external channels and receivers access.
Share freely or share nothing - possibly not just a zealous philosophy, also an honest reflection of reality.
All this hand-wringing is by non-Snapchat users who have read about the app in the media and completely misunderstood what it is for. It's just for sending funny pictures to your friends, not for sending PIN numbers or secret mission briefings.