Decipher Forensics didn’t tell the whole story when they claimed Snapchat doesn’t delete expired snaps. But they did overhype the impressiveness of their discovery.
It’s not surprising that people have wanted to verify Snapchat’s claim that expired snaps are “deleted forever”. So Decipher Forensics’ grab for attention is understandable, with their press release claiming research exposing that snaps are “actually saved on your phone”.
However, despite some credible work in understanding how Snapchat deals with metadata, their core finding is not that insightful. Anyone with more than basic knowledge about Android will know to look in the “/data/data/com.snapchat.android” directory to find the snaps. You need to have a rooted phone to access this, but that’s neither hard nor uncommon.
The key question is, are they deleted when Snapchat claims they’re deleted? On this, Decipher is wrong. But to be fair, so is Snapchat. In fact, some other commentators have got this wrong too. Snapchat doesn’t always delete photos once they’re viewed, but they’re not “saved” like Decipher claims, either.
The correct answer is this: Snapchat deletes all received snaps after you view your last unviewed snap.
So if you receive one snap, it gets deleted from your phone after you’ve viewed it. But if you receive two, they both stay on your phone until you’ve seen both, and then they both get deleted.
It’s this second situation that Decipher presented in their “preliminary findings”, except that they only opened one, then (correctly) found that both snaps (opened and unopened) were still in /data/data/com.snapchat.android. So their observation was fine, but their conclusion implying that all expired snaps are “indeed recoverable” is incorrect.
In theory, it is possible for the snaps to linger around forever. If you never viewed all your snaps—i.e., if you always left one unviewed in your inbox—then the condition to empty the received snaps folder would never be satisfied. This is indeed a flaw in Snapchat’s app—a more careful design would have deleted just the viewed photo straight away. But in fairness, this situation wouldn’t happen often. Keeping one unopened isn’t how most people use Snapchat.
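The cleanup rule described above can be modelled next to the more careful per-snap design. This is an added example, not Snapchat's code and not part of the original post; the class, method names and event sequence are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SnapCache:
    """Model of the received-snaps folder (hypothetical names throughout)."""
    per_snap_delete: bool                       # False = the rule the post describes
    files: dict = field(default_factory=dict)   # snap id -> viewed flag

    def receive(self, snap_id):
        self.files[snap_id] = False

    def view(self, snap_id):
        self.files[snap_id] = True
        if self.per_snap_delete:
            # Careful design: remove the viewed snap straight away.
            del self.files[snap_id]
        elif all(self.files.values()):
            # Described rule: purge everything once no unviewed snap remains.
            self.files.clear()

    def expired_on_disk(self):
        """Viewed (expired) snaps whose files are still present."""
        return sorted(s for s, viewed in self.files.items() if viewed)


def replay(events, per_snap_delete):
    """Apply (action, snap_id) events; return the expired leftovers after each."""
    cache = SnapCache(per_snap_delete)
    trace = []
    for action, snap_id in events:
        if action == "receive":
            cache.receive(snap_id)
        else:
            cache.view(snap_id)
        trace.append(cache.expired_on_disk())
    return trace


# Constructed sequence: a new snap arrives before the inbox is ever emptied,
# so viewed snaps pile up until the last unviewed one is opened.
EVENTS = [("receive", "a"), ("receive", "b"), ("view", "a"),
          ("receive", "c"), ("view", "b"), ("view", "c")]

if __name__ == "__main__":
    print("described rule: ", replay(EVENTS, per_snap_delete=False))
    print("per-snap delete:", replay(EVENTS, per_snap_delete=True))
```

Under the described rule the expired snaps stay on disk until the final view empties the inbox; with per-snap deletion nothing expired is ever left behind.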
Good work, little one?
I’m not bragging when I say that Decipher’s findings aren’t impressive: I know a little bit, but I’m no Android expert. Rather, it’s astonishing that Decipher was able to dramatise this as a huge discovery.
Where the snaps are stored on the phone is old news: at least one developer has used it to write an app, Snapgrab, allowing users to deliberately save received snaps. Once you can find them, it’s trivial to check when they’re deleted. Decipher has also done some work on understanding the metadata Snapchat uses, but it seems to be little more than poking around the application’s data files and seeing what’s there.
Similarly, it’s hardly “research” that shows the “.nomedia” extension was used. They’re also wrong about what it does. It’s not this that makes the image not viewable on the phone, but the fact that it’s stored in what Android calls “internal storage”, which users can’t access without rooting. The actual use of “.nomedia” is as a blank file in “external storage”, where files you can access ordinarily are stored. Why the “.nomedia” extension was added is beyond me.
Lastly, there is no “special forensics software” necessary to find everything I’ve described in this blog post. As Jordan Crook at TechCrunch observes, forensics software can be used to recover photos even after they’ve been (actually) deleted. This isn’t surprising: it’s no different to files emptied from the trash can, and the snaps are as deleted as any app can make them. But this isn’t what Decipher talked about in its blog post or press release.
I don’t know much about Decipher Forensics; I don’t follow the computer forensics industry. For all I know, their actual work might be excellent. But Decipher’s recent press release has all the hallmarks of a small firm trying to make a name for itself quickly by over-dramatising what is really quite amateur work.