First off I'd like to give props to the gibsonsec.org guys, that is a really high quality protocol breakdown and the attack is neat. I see nothing wrong with going full disclosure after being ignored this long.
The key point is to understand that I, as a protocol reverse engineer/attacker/professional bad dude, have access to _everything_ the Snapchat app has. I own the network and the device the app is running on. I can look at every bit of Snapchat's memory space if I want.
I can view all network traffic between the app and the servers, either by MITMing the app or, if the app has cert pinning, nothing stops me from peeking at buffers (I did this with Square; it was actually not that painful).
With just that you can see it is not possible to stop me from saving a Snap. I don't even need to make my own API calls; I can simply intercept the traffic of the actual Snapchat client and pull the image out of there. Even if you had a magical way to make sure only the actual app was requesting the Snap, it won't help: it is the legit client.
The more important takeaway, though, isn't that Snapchat is broken, because that's not super interesting.
What you should take away from Snapchat is that you cannot stop people from calling your remote APIs that your apps are using. All it takes is someone sufficiently bored to go dig through pcaps and decompiled code to map out the API.
So what do you do? Don't trust the damn client. Your service shouldn't be broken just because I am calling your API outside the bounds of how your application would call it.
This isn't a new idea, but it seems like a lot of people never learned this lesson.
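An added illustration of the "don't trust the client" point above, written for this page rather than taken from the comment or from Snapchat's own service: a toy view-once handler in which every field the client sends is untrusted input and the release decision comes only from server-side state. The `SnapStore` class, the request dict shape and the session scheme are all hypothetical.

```python
"""
Server-side enforcement of a view-once policy (added example, hypothetical API).
The client may be the real app, a scripted replay of its traffic, or a hand-built
API caller; the handler cannot tell and does not try to.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Snap:
    snap_id: str
    sender: str
    recipient: str
    blob: bytes
    expires_at: float
    viewed: bool = False


class SnapStore:
    """Hypothetical server-side store; all authority lives here, not in the client."""

    def __init__(self):
        self._snaps = {}
        self._sessions = {}

    def issue_session(self, user):
        # Session tokens are minted by the server after authentication, so a
        # client-supplied "username" field is never needed and never trusted.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def send(self, sender, recipient, blob, ttl=10.0):
        # The server assigns the identifier and the expiry; the client gets neither to choose.
        snap_id = secrets.token_hex(8)
        self._snaps[snap_id] = Snap(snap_id, sender, recipient, blob, time.time() + ttl)
        return snap_id

    def fetch(self, request):
        """Handle a 'fetch snap' request (request is a dict of client-sent fields).

        Anything the client asserts about itself ("official": True, an app
        version header, a "username" field) is ignored; only the session token
        and the server's own records decide whether the blob is released.
        """
        # 1. Identify the caller from the session, not from any claimed identity.
        user = self._sessions.get(request.get("session"))
        if user is None:
            return {"status": "unauthorized"}
        # 2. Look up the server's record of the snap.
        snap = self._snaps.get(request.get("snap_id"))
        if snap is None:
            return {"status": "not_found"}
        # 3. Authorization and policy come from server state only.
        if snap.recipient != user:
            return {"status": "forbidden"}
        if snap.viewed:
            return {"status": "gone"}
        if time.time() > snap.expires_at:
            return {"status": "expired"}
        # 4. Record the view before handing out the blob, so a replayed or
        #    scripted request for the same snap is refused regardless of client.
        snap.viewed = True
        return {"status": "ok", "blob": snap.blob}
```

This does not stop the legitimate recipient from saving the image once it is delivered, which is exactly the comment's point. What it does stop is the server being talked into serving the blob to the wrong user, a second time, or after expiry, and that holds whether the request comes from the real app or from someone replaying pcaps, because none of the checks depend on which client is calling.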