Snapchat or: Not so private APIs

Recently it became clear that the popular mobile app Snapchat has some issues concerning security and privacy. The documentation of their API, which was meant to be private, revealed ways of exploiting the service and exposed users to privacy risks.

Snapchat is a popular app for Android and iOS that enables users of the app to send photos to each other. The receiver can only view the photo for a set amount of time. After that the photo is supposedly removed from existence.

Because of this news I want to share my opinion on APIs and the security concerns that come with them.

Why APIs?

The concept of an API is pretty old. If we choose to see SOAP as an early form of API, we could say it was invented around 1998, with a real start in 2001. The general idea could probably be traced to much earlier times. Providing access to a service in a standardized way is nothing new.

The APIs we see today are greatly different from SOAP. Even though they share the same goal (standardized interaction with a service), they are often used differently. SOAP is about remotely accessing objects. Modern APIs are about non-human interaction with a service in more ways than just access. With the increased functionality (and thus complexity) of modern web services, this has become a useful and popular piece of technology.

The good

Let's take a look at Facebook. While originally developed to be about social interaction, it has grown to be a platform for many things. While it was already successful as a social platform, it sought even more growth. What better way than to delegate the development to anyone who'd like to?

By implementing a public API they've enabled a mutual benefit. A service like Farmville would probably never have become as big if it had not been able to use Facebook as a platform. Facebook also benefits greatly from these popular services that are connected to it.

Implementing an OAuth service is a similar move. Developers benefit by being able to let users authenticate with minimal effort (for the user and the developer). Facebook benefits from all the people who are exposed to its service because of this feature. It also keeps existing users close by making them more dependent on Facebook's services.

Twitter's public API is used somewhat differently. While Twitter has an enormous number of services and applications making use of its API, their main use still seems to be the one Twitter started with. From their website: "Twitter helps you create and share ideas and information instantly, without barriers." On Twitter's website there is mention of only one third-party app, Tweetdeck. The most popular services that use the public API are there to improve the experience of users, mostly by implementing a different layout or design.

The bad

In the case of Snapchat we are talking about a "private" API, meant to be used solely by their own app. The API was probably not developed to be used by third-party apps. That is to say, they never publicly documented it.

This is where the problem begins. It is naive to think of an API as private, at least on mobile devices. An API can be kept private by not exposing it to applications outside your control. This, however, does not combine well with mobile applications, because the app that calls the API runs on a device the user controls.

An API will not be private as long as a user has full control of the device using the API, which is definitely the case on Android and (to some lesser extent) on Apple devices. Even obfuscation does not change this. Android applications can easily be "decompiled". Network traffic is also very easily inspected. Using these methods exposes the whole inner workings of the app and thus the API.

By assuming their API was private, the developers of Snapchat seemingly did not think about security. This could also be because of a lack of concern, seeing as the exploits have been public for about four months.

The ugly

APIs are an essential part of modern (web) apps and services, either as a way to establish mutual benefit for a service and its users, or as a way to implement communication between parts of your own service, like an app and your central server/database. The former usually gets a very clear focus on security; the latter not so much.

As long as there are developers thinking of their API as private, this kind of exploit will be an issue. We can't (and don't want to) remove APIs from the equation. We can, however, make developers more aware of the importance of security concerning APIs. Gibsonsec has done a great job of doing this. Making the public aware of these issues will force companies to pay attention. Hopefully that includes Snapchat.

Discussion

It could be argued that these exploits aren't really exploits but just unintended use of intended features. I do think this distinction matters in this case. While using Snapchat links your telephone number to your username, this does not necessarily mean the link should be public. By not rate-limiting the requests, it is possible for other people to acquire this information through brute force, which makes it more likely to be used for exploitative purposes.
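The missing control the paragraph above points at is a budget on how many phone numbers one client may resolve in a given window. The following is an added illustration of that mitigation, not Snapchat's code and not based on its API: a hypothetical `find_friends` lookup endpoint guarded by a per-client sliding-window limiter. The directory contents, the client identifiers, the endpoint name and the limit of 20 lookups per minute are all constructed for the example. Each phone number in a request costs one unit of the budget, so a large batch cannot bypass the limit by packing many numbers into a single call, and a request that would overrun the budget is refused whole rather than partially answered.

```python
"""Rate-limited phone-number lookup (added example; hypothetical service)."""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Optional

# Constructed sample directory: phone number -> username.
DIRECTORY = {
    "+15550000001": "alice",
    "+15550000002": "bob",
    "+15550000003": "carol",
}


class RateLimited(Exception):
    """Raised when a client has used up its lookup budget."""


class SlidingWindowLimiter:
    """Allow at most `limit` units per `window_seconds` for each client key."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        # key -> timestamps of units consumed inside the current window
        self._hits: dict[str, deque] = defaultdict(deque)

    def try_consume(self, key: str, cost: int, now: float) -> bool:
        hits = self._hits[key]
        # Forget units that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) + cost > self.limit:
            return False  # refuse the whole request, consume nothing
        hits.extend([now] * cost)
        return True


class LookupService:
    """Hypothetical contact-matching endpoint with a per-client budget.

    The key should be a per-account credential (an authenticated client id),
    not the source IP, so that one account cannot widen its budget by
    hopping networks and one NAT does not starve many legitimate users.
    """

    def __init__(self, limit_per_minute: int = 20):
        self.limiter = SlidingWindowLimiter(limit_per_minute, 60.0)

    def find_friends(self, client_id: str, numbers: list[str],
                     now: float) -> dict[str, Optional[str]]:
        # Cost equals the number of lookups requested, so batching does
        # not make enumeration cheaper than one request per number.
        if not self.limiter.try_consume(client_id, len(numbers), now):
            raise RateLimited(f"client {client_id!r} exceeded lookup budget")
        return {number: DIRECTORY.get(number) for number in numbers}


def enumeration_blocked(service: LookupService, client_id: str,
                        count: int, now: float) -> bool:
    """True if a bulk attempt to resolve `count` sequential numbers is refused."""
    numbers = [f"+1555{n:07d}" for n in range(count)]
    try:
        service.find_friends(client_id, numbers, now)
    except RateLimited:
        return True
    return False


if __name__ == "__main__":
    svc = LookupService(limit_per_minute=20)
    # A normal client matching a short contact list is served.
    print(svc.find_friends("app-legit", ["+15550000001", "+15550000009"], now=0.0))
    # A bulk request for 500 numbers is refused outright.
    print("bulk attempt refused:", enumeration_blocked(svc, "app-bulk", 500, now=0.0))
```

The same budget applies whether the numbers arrive one per request or hundreds per request, which is the property that matters: an endpoint that limits only the number of HTTP calls, but accepts arbitrarily large batches, is not rate-limited in any meaningful sense.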

It is, at the very least, food for thought and discussion.
