
Multiple iOS apps found to be harvesting Snapchat user credentials


Users of third-party Snapchat apps may want to delete them and change their Snapchat passwords as soon as possible. Research published today shows that multiple third-party Snapchat apps are sending copies of user credentials over non-secure connections to their own servers.

Will Strafach, of Sudo Security Group, discovered these apps harvesting Snapchat credentials while doing app security research. His company’s upcoming mobile app intelligence system, Verify.ly, scans applications to determine whether they respect user privacy and use safe methods to transmit data over the Internet. In the course of that research, he uncovered a handful of applications that are currently transmitting Snapchat credentials over insecure connections.

The first app he noticed was Snapix, an app boasting the ability to upload images from the user’s camera roll to their Snapchat Story or directly to friends. Strafach discovered that when a user enters their Snapchat login into Snapix, the credentials are first sent over a non-secure connection to Snapix’s own server, which then passes them on to Snapchat. This lets the app collect the user’s credentials while still logging the user into Snapchat.

A slide showing Snapix's method of harvesting user data into their own servers.

It’s bad enough that they are sending the credentials over a non-secure connection, but there is no legitimate reason for sending a copy to their servers. Sending the data over a non-secure connection means that any credentials could be intercepted when the app is run on a public Wi-Fi network. This means anyone malicious on an airport, coffee shop, hotel, school, or even work Wi-Fi connection could sniff out the credentials and do with them what they will. This security issue has been reported to Apple, and can be found at rdar://problem/24986994.

After discovering Snapix’s insecurity, Strafach decided to search for more issues following similar patterns. He found two other applications, Quick Upload and SnapBox, that also send information using a non-secure plaintext connection.

What’s even worse is that these two seemingly unrelated applications, from different developers, both sent information to the same server, “likepotion.topranksoft.com”. On top of that, SnapBox also sends the user’s precise GPS location to that server, for no stated reason. It shows that even when a user believes they have moved to a “newer” or “more secure” third-party application, they may still be inside the same malicious developer’s ecosystem.
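The three problems the article describes (credentials sent without TLS, credentials sent to a server that is not Snapchat’s, and GPS coordinates riding along) are all visible in the app’s network traffic. The checker below is an added example, not Verify.ly’s code or any of these apps’ code: it takes captured requests as simple records and raises a finding for each pattern. All captures are constructed; apart from likepotion.topranksoft.com, which the article names, every host, path and credential value is a placeholder.

```python
"""Added example (not Verify.ly's code): flag captured app requests that send
credentials in the clear, to a third-party host, or alongside precise location.
Every capture below is constructed; hosts other than likepotion.topranksoft.com
(named in the article) are placeholders."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

CREDENTIAL_FIELDS = {"username", "user", "login", "password", "pass", "passwd", "pwd"}
LOCATION_FIELDS = {"lat", "latitude", "lon", "lng", "longitude"}


@dataclass
class Capture:
    app: str
    url: str    # the scheme records whether the request went over TLS
    body: str   # application/x-www-form-urlencoded body, "" for GET


def field_names(cap: Capture) -> set[str]:
    """Collect parameter names from both the query string and the form body."""
    query = urlsplit(cap.url).query
    names = set(parse_qs(query, keep_blank_values=True))
    names |= set(parse_qs(cap.body, keep_blank_values=True))
    return {n.lower() for n in names}


def audit(cap: Capture, first_party=("snapchat.com",)) -> list[tuple[str, str]]:
    """Return (code, message) findings for one captured request."""
    parts = urlsplit(cap.url)
    host = parts.hostname or ""
    names = field_names(cap)
    creds = sorted(names & CREDENTIAL_FIELDS)
    is_first_party = any(host == d or host.endswith("." + d) for d in first_party)
    findings = []
    if creds and parts.scheme != "https":
        findings.append(("PLAINTEXT_CREDENTIALS",
                         f"{cap.app}: {creds} sent without TLS to {host}"))
    if creds and not is_first_party:
        findings.append(("THIRD_PARTY_CREDENTIALS",
                         f"{cap.app}: {creds} sent to non-Snapchat host {host}"))
    if names & LOCATION_FIELDS:
        findings.append(("LOCATION_LEAK",
                         f"{cap.app}: precise location sent to {host}"))
    return findings


# Constructed captures modelling the patterns described in the article.
SAMPLES = [
    # Snapix pattern: plaintext login to the app's own server (placeholder host).
    Capture("Snapix", "http://uploader.example.invalid/api/login",
            "username=alice&password=hunter2"),
    # SnapBox pattern: plaintext credentials plus GPS to the shared server.
    Capture("SnapBox", "http://likepotion.topranksoft.com/login?lat=37.78&lng=-122.41",
            "username=alice&password=hunter2"),
    # Credentials to a third-party host, but at least over TLS (placeholder).
    Capture("OtherClient", "https://relay.example.invalid/auth",
            "user=alice&pass=hunter2"),
    # A first-party-style login: TLS, to Snapchat's own domain (placeholder path).
    Capture("Official", "https://app.snapchat.com/login",
            "username=alice&password=hunter2"),
]


def report(captures=SAMPLES) -> dict[str, list[str]]:
    """Map each app name to the finding codes raised against it."""
    return {c.app: [code for code, _ in audit(c)] for c in captures}


if __name__ == "__main__":
    for app, codes in report().items():
        print(f"{app:12s} {codes or 'clean'}")
```

The third-party check is deliberately a separate finding from the plaintext check: as the comments below the article debate, a relay server that is at least reached over TLS is a different (smaller) exposure than one that can be sniffed on any shared Wi-Fi, and a report should keep the two apart.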

Just four months ago, we reported on a third-party Instagram app that was pulled from the App Store for doing just this. Our advice: don’t use third-party applications that promise extra functionality and “hacks” on top of your social networking experience. Most of them are not using authorized means to authenticate to the service, which exposes the user to malicious intent. Legitimate applications attempt to authenticate using OAuth, either by first offering a login through Safari or by showing the Safari View Controller, as popular third-party Twitter clients do. When OAuth isn’t offered, a user’s best bet against having their credentials stolen is to use only the official first-party applications.

These issues raise the question of how much of this is the App Store review team’s problem and how much is the user’s. A tension seems likely to arise in the App Store: users want more apps accepted, but they also want those apps properly vetted for security. A system like Strafach’s Verify.ly may very well be the solution Apple adopts. Automating the discovery of potential vulnerabilities could make the App Store review process stricter while keeping users safer overall.

Once the App Store review team has done its due diligence, security and safety eventually fall back into the hands of the user. Users should be trained in better security practices, and in the evolving ways in which those practices are broken. A new social media app may launch tomorrow, and a third-party variation may launch soon after. How does the user know whether the third-party variant is trustworthy, let alone whether the original first-party app is using secure practices?

It’s very possible that Apple will become even stricter about how iOS app data is sent over the Internet. Having already implemented App Transport Security with iOS 9, it has at least started pushing developers in a more secure direction. The issues resurface when developers look for ways to circumvent the practices already in place.
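App Transport Security makes the system’s URL-loading APIs refuse plaintext HTTP by default, so an app that still ships plaintext logins under iOS 9 has usually declared an opt-out in its Info.plist. The script below is an added example, not Apple tooling and not taken from any of the apps in the article: it reads an Info.plist with the standard library and lists the ATS exceptions that a reviewer would want justified. The three plists are constructed; the bundle identifier and the exception domain are placeholders, while the ATS key names are Apple’s documented ones.

```python
"""Added example (not Apple tooling): audit an iOS app's Info.plist for App
Transport Security (ATS) opt-outs. The three plists are constructed; bundle ids
and hosts are placeholders, the NSAppTransportSecurity keys are Apple's."""
import plistlib

# Blanket opt-out: every host may be reached over plaintext HTTP.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.third-party-uploader</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

# Scoped opt-out: one domain (and its subdomains) may use HTTP and old TLS.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.third-party-uploader</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-cdn.example.invalid</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# No ATS dictionary at all: the iOS 9 defaults (HTTPS only) apply everywhere.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.third-party-uploader</string>
</dict></plist>"""

WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return one human-readable finding per ATS weakening in the plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads disables ATS for every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("global: plaintext HTTP allowed inside web views")
    for host, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = host + (" and subdomains" if cfg.get("NSIncludesSubdomains") else "")
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: plaintext HTTP allowed")
        min_tls = cfg.get("NSExceptionMinimumTLSVersion")
        if min_tls in WEAK_TLS:
            findings.append(f"{scope}: minimum TLS lowered to {min_tls}")
    return findings


if __name__ == "__main__":
    for name, data in [("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST),
                       ("hardened", HARDENED_PLIST)]:
        print(name, ats_findings(data) or ["no ATS exceptions"])
```

One caveat when using a check like this: ATS governs loads made through the system networking APIs, so an app that opens its own sockets or bundles its own HTTP stack can send plaintext without any plist exception. A plist audit therefore complements, rather than replaces, looking at the traffic itself.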

When it launches, Verify.ly will provide limited connection-related information to users for free, letting them form a better understanding of an app before using it. If there are particular apps you feel Strafach’s team should analyze, let us know in the comments below and we’ll send them their way.

We’ve reached out to Snapchat for more information and inquiries, and will update once we get a response back.


You’re reading 9to5Mac.

Comments

  1. rnc - 8 years ago

    Why isn’t Snapchat using proper security, issuing API keys to legitimate Apps and blocking phony Apps?

    For some reason this doesn’t happen to Google, Facebook, Twitter, etc.!

    • lukeumehrlichzusein - 8 years ago

      You’re right. At the end of the day it really does all come down to their leniency with the API keys. Quite the contrast to how the iOS AppStore is.

    • Will Strafach (@chronic) - 8 years ago

      Hopefully Snapchat considers opening up a public API at some point, it would really help address legitimate needs for third-party clients while weeding out the more hacky approaches such as the above 3 apps.

  2. AbsarokaSheriff - 8 years ago

    This is a larger problem than just Snapchat because of reuse of passwords.

  3. djonesuk1978 - 8 years ago

    Ok some apps are not as secure as they should be, but Will is talking shit and knows nothing about the sc app scene!
    SC don’t offer a valid API, so any third party apps have to hack the original SC API. A lot of the work has to be done remotely and not on the users device, that is why credentials are sent to a third party server.
    Will’s comment “there is no legitimate reason for sending a copy to their server” is total amateurism on Will’s part.
    An extra click of his mouse would have shown him that the response from the third party server is a token needed for the login to snapchat by the users device.
    Maybe if Snapchat had a public API like Facebook and Instagram, then situations like this wouldn’t happen.
    There’s plenty of third party apps out there that encrypt the data, but still need to send it to a server to aid the login.

    • 9to5IT (@9to5IT) - 8 years ago

      That might be the case, but that doesn’t explain sending user credentials in clear text! The thing that is concerning is why Apple didn’t pick this up during their app review process?

      Security and peace of mind is part of using Apple’s app store(s) and essentially paying a premium for using these app stores (through higher prices than other app stores or the developers’ own website).

      Hope this causes Apple to tighten their security audits and app reviews.

    • Will Strafach (@chronic) - 8 years ago

      Hello djonesuk1978,

      I will try to break down your concerns. I can certainly understand where you are coming from.

      1. I definitely understand why third-party Snapchat clients have popped up and why there has been research into the API by various groups, especially with there being no official Snapchat client for some platforms.
      2. The login token should be generated on the device and then sent to Snapchat’s official API endpoint, in order to handle this 100% securely. Communicating with this remote server is what I’d consider amateurism, to be honest. I understand it is more difficult to do it device-side, but doing so is much safer for users.
      3. The apps mentioned here have two problems. Not only are the credentials sent to remote servers, but it’s over plaintext and completely non-secured. This means that the details can be sniffed out by users using Wi-Fi at school/work/etc. The reason I made mention of those apps is because in the best case scenario, they are not doing anything malicious with the details, but still exposing them for anyone who logs into the apps over public Wi-Fi.
      4. There have been past cases in which apps did this, and ended up retaining information, then they got hacked and millions of photos got leaked out. Regardless of the intentions of the website (SnapSaved I believe?), adding middle men like this can make things more insecure for both users and the people they communicate with.
      5. As you can see from the above post, the URLs are not known or popular ones. For example, if this was Casper or something else well-trusted, then I wouldn’t point out that as a concern as I understand many trust them. But these are unknown servers.

      Once again, this is not a blanket condemnation of third-party clients for Snapchat. This is a criticism of those who use very poorly-planned methods of implementation.

      Hopefully this additional information helps. Feel free to reply here or email me will@sudosecuritygroup.com and I am happy to answer further questions as well.