Recently Vice published a story about a lawsuit against the makers of the ‘secure’ messaging application Confide. This isn’t just a lawsuit, it’s a class-action lawsuit and brought by Edelson PC – an amazingly successful (and sometimes hated1) law firm – this isn’t a simple case. The complaint includes a very important point:
Specifically, Confide fails to deliver on two of the three requirements that it espouses as necessary for confidential communications: ephemerality and screenshot protection. […] Confide represents, in no uncertain terms, that its App blocks screenshots. But that isn’t true. Any Confide user accessing the platform through the Windows App can take screenshots of any and all received messages.
This article isn’t about the lawsuit though, it’s about threat modeling and screenshots.
Preventing screenshots, or at least attempting to, has been around for some time, and was made popular thanks to Snapchat – their client would detect that a screenshot was captured, and using an API call, notify the server that this had happened (unsurprisingly, this API was rarely documented, as none of the third-party clients wanted it), so the sender could be alerted. When this feature was added, technical attacks were discussed by many that were following Snapchat’s attempts at living up to their word – from modifying the binary to not make the API call, to using a proxy server that would block the call to the server.
Yet for all of the technical solutions, there was an easier answer: grab another device with a camera and take a picture.
"People can only understand attacks they can imagine themselves performing." — @jhebertocx
— Chris Palmer (@fugueish) June 9, 2015
Many people that work in corporate or other environments that have strict security requirements often carry two mobile devices – if you know (or suspect) that a messaging application will block or report a screenshot, just take a picture of it with your other device. This completely bypasses the technical restriction on screenshots2. It’s simple, it works, and it’s undetectable. Then there are virtual machines – you could run an application in a virtual machine, and capture the screenshot from the host, instead of the guest operating system. Once again, this is effective and undetectable. Then there are numerous others.
If you can’t trust the person you are talking to, don’t talk to them. If send a message to somebody that contains sensitive statements, and you can’t trust them to keep it private – the only way to ensure that it’s not shared is to simply not send it. There is no technical solution to ensure that a message displayed on a screen is actually ephemeral. This is why high security environments where sensitive (i.e. classified) information may be on display don’t allow cameras or devices with cameras at all.
If a user wants to capture information about a conversation, and there are numerous ways that they are able to do just that, they will get it. If they take a little care, nobody will know that they’ve done it. If they have technical ability (of know somebody that does), then it’ll be effortless and undetectable. Confide may, and should, make changes to address the technical issues with their screenshot protection feature to behave in a more effective way; that said, they will never be able to actually prevent all screenshots.
Screenshot protection is a vain effort; if it’s displayed on screen, it can be captured. People may think that they need it because it’s how they would capture a conversation, but it doesn’t actually provide any effective security. Features like this, and claims that applications implement them, are little more than snake-oil aimed at making consumers believe that an application provides a level of security that isn’t actually possible.
