Users of third-party Snapchat apps may want to delete them and change their Snapchat passwords as soon as possible. Findings revealed today show that multiple third-party Snapchat apps are sending copies of user credentials over non-secure connections to their own servers.
Will Strafach, of Sudo Security Group, discovered these apps harvesting Snapchat credentials while doing app security research. His company's upcoming mobile app intelligence system, Verify.ly, scans applications to determine whether they respect user privacy and use safe methods to transmit data over the Internet. During his research, he uncovered a handful of applications that currently transmit Snapchat credentials over insecure connections.
The first app he noticed was Snapix, an app boasting the ability to upload images from the user's camera roll to their Snapchat Story or directly to friends. Strafach discovered that when a user enters their Snapchat login into Snapix, the information is passed over a non-secure connection to Snapix's own server before being passed on to Snapchat. This allows the app to collect the user's credentials while still logging the user into Snapchat.
It is bad enough that the credentials are sent over a non-secure connection, but there is also no legitimate reason for sending a copy to the app's own servers. Sending the data over a non-secure connection means the credentials can be intercepted when the app is used on a public Wi-Fi network: anyone malicious on an airport, coffee shop, hotel, school, or even workplace Wi-Fi connection could sniff out the credentials and do with them what they will. This security issue has been reported to Apple and can be found at rdar://problem/24986994.
After discovering Snapix's insecurity, Strafach searched for more apps following similar patterns. He found two other applications, Quick Upload and SnapBox, that also send information over a non-secure plaintext connection.
What is worse is that these two seemingly unrelated applications, by different developers, both send information to the same server, "likepotion.topranksoft.com". On top of that, SnapBox, for unknown reasons, also sends the user's precise GPS location to that server. It goes to show that even when a user believes they are switching to a "newer" or "more secure" third-party application, they may still be inside the same malicious developer's ecosystem.
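The pattern described above (credentials posted in plaintext to a server that is not the service's own, plus unexplained location data) is easy to flag once an app's traffic has been captured with an interception proxy. The following audit is an added example, not code from the article or from Verify.ly; the captured requests are constructed, the first-party host list is an assumed allowlist, and the only hostname taken from the article is likepotion.topranksoft.com.

```python
"""Flag plaintext credential and location leakage in captured app requests."""
from urllib.parse import urlsplit, parse_qs

# Form field names that typically carry login secrets or precise location.
CREDENTIAL_KEYS = {"username", "password", "passwd", "pass", "login"}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}

# Assumed allowlist: the hosts a legitimate login is expected to go to.
FIRST_PARTY_HOSTS = {"api.firstparty.example"}


def audit_request(url, body, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return a list of findings for one captured HTTP(S) form request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    fields = {key.lower() for key in parse_qs(body, keep_blank_values=True)}
    plaintext = parts.scheme == "http"
    sends_credentials = bool(fields & CREDENTIAL_KEYS)
    third_party = host not in first_party_hosts
    findings = []
    if sends_credentials and plaintext:
        findings.append(f"credentials sent in plaintext to {host}")
    if sends_credentials and third_party:
        findings.append(f"credentials sent to third-party host {host}")
    if fields & LOCATION_KEYS and third_party:
        findings.append(f"precise location sent to third-party host {host}")
    return findings


def audit_capture(capture, first_party_hosts=FIRST_PARTY_HOSTS):
    """Audit a list of (url, form_body) pairs; returns findings keyed by URL."""
    return {url: audit_request(url, body, first_party_hosts) for url, body in capture}


# Constructed sample capture, as a proxy might log it (not real traffic).
SAMPLE_CAPTURE = [
    ("http://likepotion.topranksoft.com/login", "username=alice&password=hunter2"),
    ("http://likepotion.topranksoft.com/track", "lat=37.33&lon=-122.03&user=alice"),
    ("https://api.firstparty.example/login", "username=alice&password=hunter2"),
]

if __name__ == "__main__":
    for url, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(url, "->", findings or ["ok"])
```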
Just four months ago, we reported on a third-party Instagram app that was pulled from the App Store for doing exactly this. Our advice: don't use third-party applications that promise extra functionality and "hacks" on top of your social networking experience. Most of them do not use authorized means to authenticate to the service, exposing the user to malicious intent. Legitimate applications authenticate using OAuth, either by offering a login through Safari or by presenting a Safari View Controller, as popular third-party Twitter clients do. When OAuth is not used, a user's best protection against credential theft is to rely solely on the official first-party applications.
These issues raise the question of how much of this is the App Store review team's problem and how much is the user's. A tension is likely to arise in the App Store: users want more apps accepted, but they also want apps properly vetted for security. A system like Strafach's Verify.ly may very well be the solution Apple adopts. Automating the discovery of potential vulnerabilities could make the App Store's review process stricter while keeping users safer overall.
Once the App Store review team has done its due diligence, security and safety eventually fall back into the hands of the user. Users should be trained in better security practices and in the evolving ways those practices are undermined. A new social media app may launch tomorrow, and a third-party variant may follow soon after. How does the user know whether the third-party variant is trustworthy, let alone whether the original first-party app is using secure practices?
It is very possible that Apple will become even stricter about how iOS app data is sent over the Internet. By introducing App Transport Security with iOS 9, Apple has at least started pushing developers in a more secure direction. Issues reappear when developers look to circumvent the practices already in place.
When launched, Verify.ly will provide limited connection-related information to users for free, allowing them to get a better understanding of an app before using it. If there are particular apps you feel Strafach's team should analyze, let us know in the comments below and we'll send them their way.
We have reached out to Snapchat for comment and will update this post once we receive a response.