Being too fast for the app: The tale of a Snapchat screenshot bug

Before we start

This bug has been known for a while, me and many others have spread the existence of this bug across the internet. While this bug is something I found myself months ago in quite a curious manner, I'm sure many others have found it too and in which case I'm not going to take full credit for finding it however I was never told about this so all of this research is just me being curious.

Why do people use Snapchat?

This is a question I ask myself regularly as to the average consumer I'm sure it's a no brainer that to send and receive images you have to transfer them between you and a server which always leaves a hole open for someone to get said images, whether it's from your phone or via hacking Snapchat itself however it seems to remain that people think that sending explicit images or even embarrassing images via Snapchat stops the other person from being able to use the image against you for whatever reason later on.

The bug

On Android devices there seems to be no kind of API that tells the app when the user has screenshotted or if there is I don't really know why this kind of issue happens with Snapchat. What Snapchat seems to do for its screenshot detection is a loop which constantly scans the screenshots folder on Android for new files while the app is in focus, the issue here being that it only runs when the app is in focus and has no way to check when the app is in the background which is where the exploit comes into play.

The exploit

It is very easy to avoid this loop on Android with gestures that are built into the OS, in this example I will mention the double tap to switch apps gesture and the pill gestures introduced in Android 10. The method is simple, Android takes a while to save the screenshot which means that you can screenshot the content in the Snapchat app and quickly switch to another app via a gesture until Android gives you the "screenshot saved" notification in which case you can then switch back to the Snapchat app and you will see that the other person was never notified of your screenshot.


How can it be fixed?

As many will know with banking apps, Android has a permission named SECURE_FLAG which disables the ability to screenshot within the app,and therefore would be great for Snapchat since it is an app that tends to battle people who screenshot images of others, they're not doing it very well on the Android side compared to their iOS counterpart which requires much harder techniques to screenshot within their app. 

 Post by Lunarixus, as always you can find me on Telegram, Twitter and GitHub.

Popular posts from this blog

How to lock your bootloader on hentaiOS (Pixel devices only)

Before we begin Despite the contrary and statements I have made in the past, bootloader unlocking is not an unsafe measure unless as a user you disable the OEM Unlocking option yourself. The reason we keep OEM unlocking enabled is to ensure that if an update goes badly you can always run the fastboot command to unlock again afterwards. As for updates, hentaiOS will soon have it's own OTA updater however for the moment we will have to sideload updates to the built in AOSP recovery (more on that later). Locking your bootloader will erase your data so make sure you have a backup first, same goes for unlocking!! How it works With the Pie release of Android, Google released documentation on how the Android Verified Boot 2.0 system works and what developers need to do to implement it, for those who want to read up on how it works the link is here . The TLDR of this post is that Google announced their "avb_custom_key" mode on Pixel 2 and newer devices which allows for a user to ...
Read more

How to make a Google Pixel UART cable

Image
As most may be aware judging by the URL, I am an Android developer in my spare time and my main devices to have fun with are the Google Pixel series of devices, I won't dive into the reasons why in this blog post as I just want to get directly into the content here. One of the most annoying things about developing on Pixel devices is the inability to get most of the logs if something were to go wrong, on the Pixel 1 the kernel dmesg is logged to /proc/last_kmsg however in some cases that may end up empty, corrupted or the recovery will write itself over the previous log. With a UART cable you are able to completely bypass the file-based logging mechanism and instead get logs straight from the kernel and even the bootloader. To make one of these cables it's fairly easy, here are the things you need: - A TRRS breakout board (£2.79 in the UK on eBay) - A TRRS cable (£6.95 if you search for Rode microphone cables) - An FTDI USB adapter (£10.55 on UK eBay) - Female to female Dupont ...
Read more

What is the difference between SAR and A/B?

Introduction:  As some may know in the latest version of Android, AOSP have decided to enforce SAR (System-as-root). This requires OEM's to now ship SAR in any updates to Android 10 for previous devices, in this blog post I am going to use the Mi 8 Lite as an example since it just got an Android 10 beta update from China. Included with this update is system as root which means the kernel's ramdisk is now merged into the root of the system image. The difference between SAR and A/B:  Before Android 10, SAR would only really exist on devices that shipped on Android 9 or were Pixels which is where they got the "AB" name from since the Pixels have AB partition schemes for their seamless OTA feature (more on that later) but were also the first devices to show off the merge of the kernel ramdisk and system image. In the new Android 10 enforced system as root you are NOT getting AB partition schemes or seamless OTA's, you are just getting the merged ramdisk a...
Read more