image

Snapchat

Snapchat is an American mutimedia instant messaging app and service. That's what the 
Wikipedia entry says. I've used Snapchat for a while some time ago and in my time using
the app I discovered two security vulnerabilities. Both of those are about the feature
that notifies chat participants/ contacts when you take a screenshot.

The first one is already patched, I'm still writing this down to spread awareness of
what was possible to do. Snapchat needs permission to your camera roll to detect 
screenshots. Blocking screenshots is not something you need this permission for. So if
Snapchat needed this permission to detect a screenshot, you just turn it of right?
Yes and no, if you denied this permission you couldn't go past a screen telling you to
enable access to your photos. You could just click on the message allow access and deny
it. If you then close the app and open it again, it would take you to the settings to 
enable it. If it did that, you pressed on the back button or use the back gesture and
you were allowed into the app with no way of screenshots being detectable. This is now
patched because you can't open the app anymore without the permission, like it's 
intended to do. The pressing the back button doesn't work anymore.

THE SECOND EXPLOIT REQUIRES SEVERE TECHNICAL KNOWLEDGE AND 
SHOULD'NT BE TRIED TO REPLICATE UNLESS YOU KNOW WHAT YOU ARE
DOWNLOADING AND DOING. 

The second exploit is still there, it requires technical knowledge. First of all, you need
a work profile. I used the app "shelter" available on the f-droid to achieve this. Then 
you download Snapchat in the play store or using other means to achieve this. When
opening it you give it all the permissions it needs. Taking a screenshot would place the
screenshot in your main gallery, not in the gallery of the work profile. Snapchat can 
only read the contents of the gallery in the work profile so it's undetectable. 

Do not use these exploits for malicious intent. You can try these out, to spread 
awareness, in educational circumstances with permission to do so from both parties