Snapchat is a popular social media app that lets users send photo and video messages called “snaps” to friends. A key feature of Snapchat is that snaps disappear after being viewed. This gives Snapchat a reputation for privacy and ephemerality. But are snaps really encrypted and secure? Let’s take a closer look at how Snapchat handles encryption and security.
What is encryption?
Encryption is the process of encoding data or messages so that only authorized parties can access it. Encrypted data appears scrambled or unintelligible to anyone who doesn’t have the key to decrypt it. The purpose of encryption is to protect confidential information as it is stored or transmitted.
Strong encryption converts plaintext data into ciphertext using an algorithm and a secret key. Only those who have the key can decrypt the ciphertext back into readable plaintext.
Does Snapchat use encryption?
Yes, Snapchat does use some encryption in their system:
- Snaps are encrypted from the sender’s device until they reach Snapchat’s servers.
- Snapchat encrypts snaps stored temporarily on their servers while waiting to be downloaded.
- Once the snap is opened by the recipient, the decrypted photo or video is displayed for 1 to 10 seconds before being deleted.
However, there are some limitations to Snapchat’s encryption implementation:
- Encryption keys are controlled by Snapchat, not the users.
- Snapchat has the technical ability to decrypt snaps on their servers.
- Recipients can use workarounds to save opened snaps instead of having them automatically deleted.
- Snapchat complies with law enforcement data requests with a valid warrant.
So while there is some encryption involved, Snapchat snaps are not as secure as end-to-end encrypted messages like those from Signal or WhatsApp. The company can access unopened snaps stored on their servers.
Details on Snapchat’s Encryption Process
Let’s go through Snapchat’s encryption step-by-step from the sending to viewing of snaps:
Sending Snaps
When a user takes a snap and taps send, the snap is encrypted on their device before being transmitted to Snapchat’s servers. The encryption uses AES-128, a symmetric encryption algorithm, in counter (CTR) mode. This converts the snap into ciphertext that looks like random gibberish.
The encryption key used to encode each snap is unique and temporary. Keys are generated on the sender’s device so that the unencrypted snap is inaccessible to Snapchat.
Snap Storage
The encrypted snaps are uploaded to Snapchat’s cloud storage servers. Here the snaps wait, still encrypted, until requested by the recipient’s device. The encryption keys remain on the sender’s device only. Snapchat’s servers see only the ciphertext version of the snap.
However, Snapchat has full control over their servers. They can technically decrypt snaps on their servers if they choose, even without the encryption key.
Snap Delivery
When the recipient opens Snapchat, their device contacts Snapchat’s servers to retrieve new snaps. Snapchat sends the encrypted snap file and uses a new temporary encryption key known only to the recipient’s device to decrypt the snap. This key exchange is made possible using public-key cryptography.
The unencrypted snap can then be displayed for viewing (for 1 to 10 seconds depending on settings). The user is prevented from capturing, copying or otherwise saving the snap during this viewing time.
Snap Deletion
After the allotted viewing time, Snapchat explicitly deletes the decrypted snap from the recipient’s device. The encrypted ciphertext remains on Snapchat’s servers until automatically deleted after 30 days.
So in summary, snaps are encrypted in transit and storage using keys unknown to Snapchat. But Snapchat controls the servers and encryption process. Recipients also have ways to capture snaps before deletion.
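The key-custody question running through the steps above, as an added example (not Snapchat's code or actual protocol): each snap gets a fresh AES-128-CTR key as the article describes, and the only difference between the two designs is whether the server record contains that key. The X25519/HKDF/AES-GCM key wrapping and all function names are illustrative assumptions, not details from the article.

```javascript
const nc = require('node:crypto');

// AES-128-CTR with a fresh single-use key, as the article describes for each snap.
function encryptSnap(plaintext) {
  const key = nc.randomBytes(16), iv = nc.randomBytes(16);
  const c = nc.createCipheriv('aes-128-ctr', key, iv);
  return { key, iv, ciphertext: Buffer.concat([c.update(plaintext), c.final()]) };
}
function decryptSnap(key, iv, ciphertext) {
  const d = nc.createDecipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([d.update(ciphertext), d.final()]);
}

// Derive a key-encryption key from an X25519 shared secret (HKDF-SHA256).
function deriveKek(privateKey, publicKey) {
  const shared = nc.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nc.hkdfSync('sha256', shared, Buffer.alloc(0), 'snap-key-wrap', 16));
}

// Design A (provider-held key): the snap key is stored beside the ciphertext.
function uploadProviderHeld(plaintext) {
  return encryptSnap(plaintext); // server record = { key, iv, ciphertext }
}

// Design B (end-to-end): the snap key is wrapped to the recipient's public key
// with AES-128-GCM; the server record holds no usable key.
function uploadEndToEnd(plaintext, recipientPub) {
  const { key, iv, ciphertext } = encryptSnap(plaintext);
  const eph = nc.generateKeyPairSync('x25519');
  const wrapIv = nc.randomBytes(12);
  const g = nc.createCipheriv('aes-128-gcm', deriveKek(eph.privateKey, recipientPub), wrapIv);
  const wrapped = Buffer.concat([g.update(key), g.final()]);
  return { iv, ciphertext, ephPub: eph.publicKey, wrapIv, wrapped, tag: g.getAuthTag() };
}

// Recipient side of design B: unwrap the snap key, then decrypt the snap.
function openEndToEnd(record, recipientPriv) {
  const g = nc.createDecipheriv('aes-128-gcm', deriveKek(recipientPriv, record.ephPub), record.wrapIv);
  g.setAuthTag(record.tag);
  const key = Buffer.concat([g.update(record.wrapped), g.final()]); // throws if tampered
  return decryptSnap(key, record.iv, record.ciphertext);
}

// What the server operator can read using only what it stores.
function serverView(record) {
  return record.key ? decryptSnap(record.key, record.iv, record.ciphertext) : null;
}
```

CTR mode on its own provides confidentiality but no integrity check, which is why the key wrap in this sketch uses an authenticated mode.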
The Pros and Cons of Snapchat’s Encryption
Pros
- Snaps are encrypted from the sender’s device until received and opened by recipients. The unencrypted data is not accessible to Snapchat in transit.
- Encryption keys are device-specific and temporary rather than tied to user accounts.
- The self-destructing nature of snaps adds another layer of security and privacy.
Cons
- Encryption keys are managed by Snapchat, not users. Snapchat can technically access unopened snaps on their servers.
- There is no end-to-end encryption. Snapchat can comply with law enforcement requests.
- Recipients can screenshot or otherwise save snaps before they are deleted.
- Metadata like usernames, timestamps, and geolocations remains unencrypted.
So while there are some privacy protections built into Snapchat’s system, it lacks the security guarantees of true end-to-end encryption. Users cannot verify Snapchat’s claims or control the encryption process. Trust in the platform’s security is still required.
How Snapchat’s Encryption Compares to iMessage, WhatsApp and Signal
iMessage
iMessage also uses end-to-end encryption for text, photo and video messages between iOS devices. This means only the sender and recipient can access the unencrypted data – not even Apple can decrypt messages.
iMessage holds a security advantage over Snapchat since users don’t have to trust Apple’s business practices or how it responds to government data requests. Messages are encrypted with keys controlled by user devices only.
However, iMessage lacks built-in disappearing messages. Saved iMessages remain accessible and encrypted in Apple’s iCloud backup. The content lives on beyond the conversation.
WhatsApp
WhatsApp also provides true end-to-end encryption for messages, voice calls and video chats. Not even WhatsApp can access the decrypted data. All WhatsApp communications are encrypted with keys held only by the conversing users.
WhatsApp uses the Signal protocol developed by Open Whisper Systems. This is the same highly secure protocol used by the encrypted messaging app Signal.
However, WhatsApp backups in Google Drive and iCloud are not protected by end-to-end encryption. Backups can be decrypted by Google, Apple and law enforcement.
Signal
Signal is considered the gold standard for end-to-end encrypted messaging. It uses the Signal protocol developed by Open Whisper Systems. No one but the conversing users, not even Signal, can access decrypted messages or listen in on calls.
Signal also provides encrypted chat backups, encrypted group chats and encrypted media attachments. It exceeds WhatsApp’s level of security.
The tradeoffs are Signal’s smaller user base and fewer social features compared to WhatsApp and Snapchat. You can only message others who also have Signal installed.
App | End-to-end encrypted | Provider can decrypt | Disappearing messages |
---|---|---|---|
Snapchat | No | Yes | Yes |
WhatsApp | Yes | No | Optional |
iMessage | Yes | No | No |
Signal | Yes | No | Optional |
This comparison shows that while Snapchat provides some security, true end-to-end encryption requires trusting no centralized entity like Snapchat or Apple. The most private and secure option is an app like Signal built solely around encryption.
Can Snapchat Snaps Be Recovered and Decrypted?
Although Snapchat promotes the ephemerality of snaps, there are various ways snaps can be recovered and potentially decrypted:
Screen Capture
The recipient can simply take a screenshot of a snap before it closes. The snap lives on saved as an image or video file. Snapchat notifies senders when a snap has been screen captured. But there is no way to prevent it from occurring.
Android File Recovery
Forensic data recovery tools can dig into an Android device’s storage and find Snapchat files even after they are marked as deleted. This depends on how thoroughly the files are overwritten during deletion.
iOS File Recovery
Apps like iMazing and iExplorer can recover Snapchat photos saved in backups on an iOS device. Snapchat files may persist in backups that haven’t been updated to remove them.
Snapchat Storage Access
Snapchat has direct access to all unopened snaps on their servers. They have the technical capability to retrieve and decrypt unopened snaps.
Legal Interception
Law enforcement agencies can legally compel Snapchat to provide access to user communications with a valid search warrant or wiretap order. Snapchat discloses this possibility in their privacy policy and transparency report.
So while Snapchat doesn’t give users access to delete or decrypt transmitted snaps, the company itself reserves these technical capabilities. With the right tools or legal orders, decryption and recovery are possible. True disappearing messaging requires tightly controlled end-to-end encryption.
Conclusion
Snapchat provides some privacy protections by encrypting snaps in storage and transit, controlling access through viewing timeouts, and deleting them after consumption.
However, the lack of true end-to-end encryption means users must inherently trust Snapchat’s business practices, data policies, and capacity to respond to legal data requests. Snapchat reserves the technical ability to decrypt data at their servers. And snaps can still be captured by recipients or recovered forensically in some cases.
For the highest degree of security and control over encryption, users should opt for an end-to-end encrypted messaging app like Signal rather than rely on Snapchat’s closed encryption system. But Snapchat may be sufficiently private for more casual social sharing where absolute vanishing of all copies is not critical.