Security researchers recently discovered a serious flaw in Yik Yak, the “anonymous” messaging app popular with teens. In surprisingly simple fashion, the flaw offered hackers a way to discover the identities of Yik Yak’s supposedly unnamed users. It also provides a good opportunity to issue this very important PSA: Anonymous apps aren’t anonymous at all, and they probably never will be.
Why? It’s just too hard to pull off with with any degree of certainty. Yik Yak is only the latest purportedly anonymous app to expose identifiable user data. By now, every single one of the most popular anonymous messaging apps — Secret, Whisper, Yik Yak, and the non-anonymous but supposedly self-destructing Snapchat — has been breached in some form or another.
These are all social networking apps with millions of users, users they promise will remain anonymous. The trend of exploits suggests that building a truly anonymous app is a bit of an impossible dream in an ecosystem filled with GPS coordinates, app store accounts, phone numbers, password keychains, and any other data point that could expose a user’s identity. Yet still the promises get made.
“None of the apps use anything like Tor to anonymise communications,” Matthew Green of the Johns Hopkins Information Security Institute told Gizmodo. “The providers collect a ton of information, then say ‘trust us’ when it comes to the anonymity of their users. Maybe that’s an acceptable tradeoff, but it sounds pretty scary to me.”
Not all of the incidents with the major anonymous messaging apps in the past year have been identical. Some were straight up hacks. Some were exploits revealed. Some were just invasive data collection measures exposed. They all support the thesis that anonymous apps tend not to stay anonymous, however. And you shouldn’t surrender a bunch of sensitive information through these apps, because you’ll probably get screwed. Let’s look at this issue app by app.
Yik Yak claims to be a place to “share your thoughts with people around you while keeping your privacy.” That promise rings a little hollow though, since the recent Yik Yak exploit was so ridiculously simple. The main issue is that Yik Yak doesn’t have passwords. If you know the user ID, you can log into anyone’s account. However, Yik Yak also encrypts data flowing between the app and the server, so you should be fine as long as you don’t tell anyone your user ID, right?
No, not even close. Apps commonly communicate with other servers in order to enable things like user tracking and advertising. And Yik Yak was sending user data in plain text to an analytics company called Flurry every time the app launched. That data would be easy for a hacker to intercept, and it also makes user ID information very easy to find. Yik Yak has since fixed the exploit, but who’s to say there won’t be another one?
The sudden rash of secret-sharing apps showed just how dangerous feigned anonymity could be. Secret, for one, invited users to expose their deepest secrets, but the app didn’t bother to take bot behaviour into account. With a simple script, a pair of hackers used bots on Secret to discover the identity of specific users earlier this year. Secret fixed the exploit, but who knows that other bad security secrets the app is hiding.
This is just a bad app. A small scandal erupted a couple of months ago, when The Guardian revealed the staggering volume of data the supposedly anonymous Whisper was collecting from unsuspecting users. The app even recorded location data when users opted out. Security researcher Jonathan Zdziarski identified a number of serious issues with how the app was built soon thereafter.
“The application generates unique identifiers the first time it is run, without any initial user interaction,” wrote the iOS forensics expert. “These user identifiers appear to exist for the life of the application, and are assigned even if the user wishes to remain anonymous while using the application.” Not quite anonymous.
Snapchat is not an anonymous app exactly, but it does specialise in promises to obscure certain information (aka n00dz). In other words, it promises to delete messages after they have been viewed. And like actual anonymous posting apps, Snapchat has also made itself the victim of stupid simple oversight several times. Many of these instances involved a hacker-supplied revelation that Snapchat didn’t delete old snaps at all. It hid them in plain sight! The company had made this mistake more than once.
The messaging app also got caught with its pants down a year ago, when a group of researchers obtained (and released) some 4.6 million user names and passwords thanks to a basic exploit involving the app’s Find Friends feature. The feature was handy! But it was dangerous. Within a few months, hackers used a different exploit to steal user data. Those are just the breaches we know about. It’s obvious, however, that Snapchat’s “trust us” promise has been empty for a long time.
It’s not necessarily impossible to build an app that protects users’ identities well. As Green pointed out, one way to do this would be to use an anonymous network like Tor to protect users. Apps could also collect less data, though this might limit their ability to sell ads in the future. Quite frankly, many aspiring anonymous app builders could start by focusing on security first.
Green said it best: “It’s easier to build a pretty app that claims to be secure than to build an app that actually is secure.” And then after the apps have compiled millions of users, it’s just as easy for them to beg for forgiveness after a hack. It’s also easy for you not to give them your personal information in the first place. So just remember that if you don’t want anyone to know you said anything, the safest course of action is not to shout it from a random app.
Picture: Michael Hession