Skip to content

Actually, Snapchat does delete your photos. Just not straight away.

2013-07-01 00.03.11

Decipher Forensics didn’t tell the whole story when they claimed Snapchat doesn’t delete expired snaps. But they did overhype the impressiveness of their discovery.

It’s not surprising that people have wanted to verify Snapchat’s claim that expired snaps are “deleted forever”. So Decipher Forensics’ grab for attention is appreciable, with their press release claiming to research exposing that snaps are “actually saved on your phone”.

However, despite some credible work in understanding how Snapchat deals with metadata, their core finding is not that insightful. Anyone with more than basic knowledge about Android will know to look in the “/data/data/com.snapchat.android” directory to find the snaps. You need to have a rooted phone to access this, but that’s neither hard nor uncommon.

The key question is, are they deleted when Snapchat claims they’re deleted? On this, Decipher is wrong. But to be fair, so is Snapchat. In fact, some other commentators have got this wrong too. Snapchat doesn’t always delete photos once they’re viewed, but they’re not “saved” like Decipher claims, either.

The correct answer is this: Snapchat deletes all received snaps after you view your last unviewed snap.

So if you receive one snap, it gets deleted from your phone after you’ve viewed it. But if you receive two, they both stay on your phone until you’ve seen both, and then they both get deleted.

It’s this second situation that Decipher presented in their “preliminary findings”, except that they only opened one, then (correctly) found that both snaps (opened and unopened) were still in /data/data/com.snapchat.android. So their observation was fine, but their conclusion implying that all expired snaps are “indeed recoverable” is incorrect.

In theory, it is possible for the snaps to linger around forever. If you never viewed all your snaps—i.e., if you always left one unviewed in your inbox—then the condition to empty the received snaps folder would never be satisfied. This is indeed a flaw in Snapchat’s app—a more careful design would have deleted just the viewed photo straight away. But in fairness, this situation wouldn’t happen often. Keeping one unopened isn’t how most people use Snapchat.

Before

The received_image_snaps directory before you view all snaps

After

The received_image_snaps directory after you view all snaps

Good work, little one?
I’m not bragging when I say that Decipher’s findings aren’t impressive: I know a little bit, but I’m no Android expert. Rather, it’s astonishing that Decipher was able to dramatise this as a huge discovery.

Where the snaps are stored on the phone is old news: at least one developer has used it to write an app, Snapgrab, allowing users to deliberately save received snaps. Once you can find them, it’s trivial to check when they’re deleted. Decipher has also done some work on understanding the metadata Snapchat uses, but it seems to be little more than poking around the application’s data files and seeing what’s there.

Similarly, it’s hardly “research” that shows the “.nomedia” extension was used. They’re also wrong about what it does. It’s not this that makes the image not viewable on the phone, but the fact that it’s stored in what Android calls “internal storage”, which users can’t access without rooting. The actual use of “.nomedia” is as a blank file in “external storage”, where files you can access ordinarily is stored. Why the “.nomedia” extension was added is beyond me.

Lastly, there is no “special forensics software” necessary to find everything I’ve described in this blog post. As Jordan Crook at TechCrunch observes, forensics software can be used to recover photos even after they’ve been (actually) deleted. This isn’t surprising: it’s no different to files emptied from the trash can, and is just as deleted as any app can do. But this isn’t what Decipher talked about in its blog post or press release.

I don’t know much about Decipher Forensics; I don’t follow the computer forensics industry. For all I know, their actual work might be excellent. But Decipher’s recent press release has all the hallmarks of a small firm trying to make a name for itself quickly by over-dramatising what is really quite amateur work.

About these ads
4 Comments Post a comment
  1. vladimir #

    jpg.nomedia is because a simple .nomedia in a folder is broken:

    http://code.google.com/p/android/issues/detail?id=24162

    13 May 2013
    • Chuan-Zheng #

      Oh, I didn’t know that, thanks! But still, Android doesn’t scan for media in internal storage?

      14 May 2013
  2. rohansingh #

    if want to view nomedia file….just remain it from 123.jpg.nomedia to 123.jpg… u cn see them

    7 April 2014

Trackbacks & Pingbacks

  1. On the Snapchat user info leak/hack | Trying to Reason

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 1,447 other followers

%d bloggers like this: