Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Confide, Screenshots, and Imaginary Threats

Recently Vice published a story about a lawsuit against the makers of the ‘secure’ messaging application Confide. This isn’t just a lawsuit, it’s a class-action lawsuit and brought by Edelson PC – an amazingly successful (and sometimes hated1) law firm – this isn’t a simple case. The complaint includes a very important point:

Specifically, Confide fails to deliver on two of the three requirements that it espouses as necessary for confidential communications: ephemerality and screenshot protection. […] Confide represents, in no uncertain terms, that its App blocks screenshots. But that isn’t true. Any Confide user accessing the platform through the Windows App can take screenshots of any and all received messages.

This article isn’t about the lawsuit though, it’s about threat modeling and screenshots.

Of Screenshots and Cameras #

Preventing screenshots, or at least attempting to, has been around for some time, and was made popular thanks to Snapchat – their client would detect that a screenshot was captured, and using an API call, notify the server that this had happened (unsurprisingly, this API was rarely documented, as none of the third-party clients wanted it), so the sender could be alerted. When this feature was added, technical attacks were discussed by many that were following Snapchat’s attempts at living up to their word – from modifying the binary to not make the API call, to using a proxy server that would block the call to the server.

Yet for all of the technical solutions, there was an easier answer: grab another device with a camera and take a picture.

Many people that work in corporate or other environments that have strict security requirements often carry two mobile devices – if you know (or suspect) that a messaging application will block or report a screenshot, just take a picture of it with your other device. This completely bypasses the technical restriction on screenshots2. It’s simple, it works, and it’s undetectable. Then there are virtual machines – you could run an application in a virtual machine, and capture the screenshot from the host, instead of the guest operating system. Once again, this is effective and undetectable. Then there are numerous others.

Trust Violated #

If you can’t trust the person you are talking to, don’t talk to them. If send a message to somebody that contains sensitive statements, and you can’t trust them to keep it private – the only way to ensure that it’s not shared is to simply not send it. There is no technical solution to ensure that a message displayed on a screen is actually ephemeral. This is why high security environments where sensitive (i.e. classified) information may be on display don’t allow cameras or devices with cameras at all.

If a user wants to capture information about a conversation, and there are numerous ways that they are able to do just that, they will get it. If they take a little care, nobody will know that they’ve done it. If they have technical ability (of know somebody that does), then it’ll be effortless and undetectable. Confide may, and should, make changes to address the technical issues with their screenshot protection feature to behave in a more effective way; that said, they will never be able to actually prevent all screenshots.

Screenshot protection is a vain effort; if it’s displayed on screen, it can be captured. People may think that they need it because it’s how they would capture a conversation, but it doesn’t actually provide any effective security. Features like this, and claims that applications implement them, are little more than snake-oil aimed at making consumers believe that an application provides a level of security that isn’t actually possible.

  • Jay Edelson & team may be hated by some in Silicon Valley – but they have done a lot to protect consumers, and suing over security claims is an important avenue to ensure that companies live up to their promises. My research on Snapchat was cited by the FTC in their action against Snapchat, which I am still very proud of. Needless to say, I favor whatever action is necessary to ensure that companies live up to their promises, and consumers aren't being sold snake-oil. 
  • There are theoretical means to complicate this, by using a controlled "flicker" to make it more difficult to capture a useable photo. This comes with various downsides, not the least of which is the high likelihood of giving users a constant headache. 
  • Adam Caudill


    Related Posts

    • On Apple, Privacy, and Device Control

      If you’ve bothered to look at Twitter or any technology news source, you’ve seen that Apple made a major announcement: Expanded Protections for Children. This has been written about by countless outlets, so I’ll assume you’re familiar with the basics. The announcement covered a few new features being added to the next version of Apple’s operating systems, namely: Scanning of inbound and outbound messages for sexually explicit images. Scanning images being uploaded to iCloud for CSAM.

    • Crypto Crisis: Fear over Freedom

      Yesterday, President Obama spoke at SXSW on topics including the oft-discussed fight between Apple and the FBI – what he called for, while more thoughtful than some of the other comments that we have been hearing from Washington, was still tragically misinformed. He repeated the call for a compromise, and by compromise, he meant backdoors. Here, I feel I must paraphrase one of my favorite authors to properly express the magnitude of what’s being discussed here:

    • The Door to Nowhere

      Today I was walking around, exploring the local downtown area, and I noticed a door. Or more accurately, what used to be a door, and the symbolism was too perfect to ignore. It’s a door to nowhere. A door once stood here, carefully built, thoughtfully placed, well crafted. Long ago someone decided that they didn’t want the door to exist anymore — so they filled it in. They made an attempt at reversing the decisions of the past to suit their desire at the moment — but they couldn’t.

    • Crypto Front Door: Everyone Welcome!

      For decades, the US Government has fought — sometimes with itself — to prevent the use of secure cryptography. During the first crypto war, they allowed strong cryptography within the US, but other countries were limited to small keys — making brute force attacks practical. But what about those pesky US citizens? They didn’t really want them to have strong crypto either — enter key escrow. What is key escrow? According to Wikipedia:

    • SMIMP at the DEFCON Crypto Village

      Last week I gave a lighting talk at the DEFCON CryptoVillage on SMIMP. The talk went over the basics of why the project is needed, and how the specification works. Here are the slides: Here is a rough transcript of the talk: Slide 1: I’m Adam Caudill, I’m a developer and security researcher; I work on a number of different things, but my recent work has been around privacy and secure messaging.