Mobile social apps have larger user bases than almost any other type of software. Facebook had 874 million active monthly mobile users by October 2013, Instagram has been installed more than 100 million times on Android alone, and apps such as Snapchat have become overnight sensations, with tens of millions of users signing up within only a few months.
The incredible reach of these apps has made them natural targets for cyber attackers keen to turn millions-strong networks into conduits for spam and credential harvesting. However, many mobile and Web apps have not stepped up to the plate on security, or have done so only after the fact, despite being such bull’s-eyes for malware distribution and privacy infringement.
In 2012, attackers exposed 6.5 million unsalted passwords from professional social network LinkedIn, which later attracted attention for routing all email from iOS devices running its Intro companion app through company servers. This year has already featured several incidents highlighting mobile social apps’ ongoing struggles with keeping cybercriminals at bay. These range from Google’s controversial, but perhaps inconsequential, decision to let strangers send Gmail to anyone via Google+, to Snapchat’s deep problems with spam and authentication.
Snapchat, which allows users to exchange self-destructing photos and videos, is a uniquely interesting case since its premise is one of preserving privacy and security and ultimately pushing back against the perceived permanence of Facebook et al, which increasingly serve as de facto online identities. If even Snapchat struggles to keep usernames, passwords and phone numbers under lock and key, what does that say about the state of mobile app security?
Snapchat beset by rising spam and flaws within core social features
Compared to the other social networks mentioned above, Snapchat’s reach is relatively small, with more than 10 million installs on Google Play and more on the Apple App Store. However, more than 400 million “snaps,” or messages, are sent each day, making Snapchat a bigger photo sharing service than Facebook. With such volume and easy sharing mechanisms, Snapchat was bound to become a target for spammers.
In late 2013, many Snapchat users noticed an uptick in spam. Although the app has privacy settings that allow users to block messages from strangers, individuals can still receive add requests from anyone, and many got unsolicited submissions from spam accounts that adhered to a distinctive naming convention. If one of these was approved, users saw a photo that also included a username for Kik Messenger, a mobile OTT messaging service, to prolong the chain of spam.
Snapchat’s settings make it especially difficult to block spam. On Twitter, which has similar spam issues, users can report spambots and immediately block them, while on Snapchat each bot has to be added as a friend and then blocked individually.
The issue was serious last year, but it escalated following a Snapchat security breach around New Year’s Day 2014. The app’s Find Friends feature always seemed like a vulnerability – it linked phone numbers with Snapchat usernames so that users could find others by simply searching for a number, and a group of attackers ultimately exploited it to harvest millions of credentials.
More than 4.6 million accounts were compromised, with partial phone numbers and usernames posted online. In a letter sent to TechCrunch, the attackers stated that they carried out the exploit in the hopes that its success would spur Snapchat to bolster security. For an app with a brand that promotes privacy and discretion, Snapchat has struggled to implement the technical measures that would shield legitimate users from bots and cybercriminals.
“The problem for Snapchat is kids seek it out because they think it’s more secure,” stated Rob Enderle, principal analyst at advisory firm Enderle Group. “This goes against the brand. It makes them seem less secure when their advantage is supposed to be more security.”
The breach wasn’t catastrophic – usernames and phone numbers are not sensitive credentials like passwords or Social Security numbers. But it shows how even an ostensibly privacy-focused mobile social app can have issues living up to its promises and addressing flaws that observers have pointed out for some time.
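One way a service could watch a phone-number-to-username lookup such as Find Friends for bulk harvesting, shown as an added example that is not Snapchat's code. The event format, thresholds and account names are assumptions, and the phone numbers are constructed.

```python
from collections import defaultdict, deque

WINDOW = 3600         # seconds; assumed sliding-window length
MAX_DISTINCT = 100    # assumed ceiling on numbers one account looks up per window
MAX_SEQUENTIAL = 0.5  # assumed ceiling on the share of lookups continuing a +1 run
MIN_SAMPLE = 20       # lookups needed before the sequential check is applied

def flag_harvesters(events, window=WINDOW, max_distinct=MAX_DISTINCT,
                    max_sequential=MAX_SEQUENTIAL):
    """events: (unix_time, account, phone_number) tuples sorted by time.
    Returns {account: reason} for accounts whose lookups resemble harvesting."""
    recent = defaultdict(deque)   # account -> (time, number) pairs inside the window
    flagged = {}
    for ts, account, number in events:
        q = recent[account]
        q.append((ts, int(number)))
        while q[0][0] <= ts - window:      # evict lookups older than the window
            q.popleft()
        if account in flagged:
            continue
        numbers = [n for _, n in q]
        if len(set(numbers)) > max_distinct:
            flagged[account] = "volume"    # far more numbers than an address book sync
        elif len(numbers) >= MIN_SAMPLE:
            # Share of lookups that are exactly previous number + 1 (a range sweep).
            runs = sum(1 for a, b in zip(numbers, numbers[1:]) if b - a == 1)
            if runs / (len(numbers) - 1) > max_sequential:
                flagged[account] = "sequential"
    return flagged

def sample_events():
    """Constructed lookup log: one ordinary contact sync and two bulk patterns."""
    ev = [(1000 + i, "alice", 5551000000 + i * 7919) for i in range(30)]
    ev += [(1000 + i, "sweeper", 5552000000 + i) for i in range(40)]
    ev += [(1000 + i, "bulk", 5553000000 + i * 13) for i in range(150)]
    return sorted(ev)

if __name__ == "__main__":
    for account, reason in flag_harvesters(sample_events()).items():
        print(account, reason)
```

Flagged accounts would normally be throttled or challenged rather than silently logged, since the lookup itself is what exposes the number-to-username link.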
Lessons from Snapchat’s struggle to implement fixes and human user verification
To its credit, Snapchat updated its app to make Find Friends an opt-out feature so that users could avoid linking phone numbers with usernames. It wasn’t clear at the time if any other security mechanisms were implemented, which may be cause for concern given the app’s increasing prominence and stratospheric valuation.
However, Snapchat later added a verification system apparently designed to solve the larger problem of spam. The feature is similar to CAPTCHA, in that it’s meant to weed out robots and restrict access to actual humans. Rather than enter a code, first-time Snapchat users have to locate the app’s distinctive ghost icon in a series of photos.
While clever, the system isn’t secure. Technologist Steve Hickson was able to bypass it within 30 minutes by taking advantage of the ghost’s predictable design.
“The problem with this is that the Snapchat ghost is very particular,” wrote Hickson on his blog. “You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision.”
The verification system is an unfortunate failure, although Hickson’s revelation may spur Snapchat to quickly overhaul it. Still, its implementation may be indicative of the wider struggle by mobile social apps to lock down data and credentials in the face of mounting cybercriminal pressure.
Not all social networks promote privacy – the Gmail integration in Google+ and Facebook’s usage of mobile numbers as alternative usernames show how these services are putting lots of information and access out in the open. But Snapchat positioned itself as being different – more private and secure – and still stumbled over age-old problems such as spam. Ideally, the breach and verification issue will be catalysts for greater seriousness about mobile security, but software companies will need guidance from the security community as they try to align their defenses with the scope of their projects.