Reverse Engineering Snapchat: Obfuscation Techniques

497 points, by 3eed, almost 5 years ago

38 comments

conradev, almost 5 years ago
I'm surprised that no one has mentioned how this is actually accomplished. The answer is: largely automatically, at the compiler level.

Snapchat acquired Obfuscator-LLVM and the people behind it in 2017, which was actually partially open source for a period of time. It is a compiler backend for LLVM that obfuscates your code for you. You can read a bit about some of the techniques used on their old wiki:

https://github.com/obfuscator-llvm/obfuscator/wiki/Features (outdated)

https://www.bloomberg.com/news/articles/2017-07-21/snap-hires-swiss-team-behind-software-protection-startup
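Added example, written for this page and not taken from the thread, the write-up or Obfuscator-LLVM itself: two of the transformations listed on the O-LLVM wiki, control-flow flattening and bogus control flow behind an opaque predicate, applied by hand to a small checksum so the plain and obfuscated shapes of the same function can be compared. The compiler pass does this on LLVM IR automatically; the checksum constants and the state labels in the dispatcher are arbitrary choices for illustration.

```c
/* Added example (not code from the post or from O-LLVM): what control-flow
 * flattening and an opaque-predicate "bogus" branch do to a function,
 * written out by hand so the before/after can be read side by side. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Plain version: a simple 32-bit rolling checksum over a buffer. */
uint32_t checksum_plain(const uint8_t *buf, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 0x01000193u;
        if (h & 1u)
            h = (h >> 1) ^ 0xEDB88320u;
        else
            h >>= 1;
    }
    return h;
}

/* Opaque predicate: x*(x+1) is always even (also modulo 2^32), so the
 * branch guarded by it is always taken, but a decompiler sees a real choice. */
static int always_true(uint32_t x) {
    return (x * (x + 1u)) % 2u == 0u;
}

/* Flattened version: the loop body and the if/else become states of a
 * dispatcher switch driven by a state variable; the original structure
 * is gone and every block looks like a sibling of every other block. */
uint32_t checksum_flattened(const uint8_t *buf, size_t len) {
    uint32_t h = 0x811C9DC5u;
    size_t i = 0;
    uint32_t state = 0x3A7D;            /* arbitrary, non-sequential labels */
    for (;;) {
        switch (state) {
        case 0x3A7D:                     /* loop condition */
            state = (i < len) ? 0x91C2 : 0x0F4E;
            break;
        case 0x91C2:                     /* h ^= buf[i]; h *= prime */
            h ^= buf[i];
            h *= 0x01000193u;
            state = 0x5B60;
            break;
        case 0x5B60:                     /* parity test */
            state = (h & 1u) ? 0x7E13 : 0x2C88;
            break;
        case 0x7E13:
            h = (h >> 1) ^ 0xEDB88320u;
            state = 0x66A1;
            break;
        case 0x2C88:
            h >>= 1;
            state = 0x66A1;
            break;
        case 0x66A1:                     /* bogus control flow around i++ */
            if (always_true(h)) {
                i++;
                state = 0x3A7D;
            } else {
                h = ~h;                  /* dead code that must look plausible */
                state = 0x91C2;
            }
            break;
        case 0x0F4E:
            return h;
        default:
            return 0;                    /* unreachable */
        }
    }
}

int main(void) {
    static const uint8_t sample[] = "snapchat";   /* constructed input */
    printf("plain     = %08x\n", checksum_plain(sample, 8));
    printf("flattened = %08x\n", checksum_flattened(sample, 8));
    return 0;
}
```

The two functions return identical values for every input; only the shape differs. A real pass also randomises the state labels per build (see bluesign's point further down), which is why a reversed dispatcher from one app version does not carry over to the next.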
just-ok, almost 5 years ago
This is an awesome write-up; I'm shocked at the level of effort that went into Snap's obfuscation process. It implies that there are entire teams of engineers out there whose sole job it is to play cat-and-mouse with reverse engineers and nothing more. Another comment mentioned that this effort is outsourced, so not only are there teams, but entire companies dedicated to this!

What a blast that must be... though the immense amount of [invested|wasted] (take your pick depending on cynicism) effort spent on this game makes me a little sad. All of these brilliant minds just... cosplaying Sisyphus?
jor-el, almost 5 years ago
Some, I see, are surprised at the level of obfuscation used in the application. As many pointed out, many ingredients of the obfuscation used in the app are off-the-shelf and a few of them can be said to be well known in the industry, but still there is a cost in integrating them into a product. Obfuscation is notorious for breaking things which should work normally (normal compilation process) and, as an own goal, making it hard to debug as well. Integrating, testing, debugging and difficulty in debugging production crash logs is a considerable cost.

That said, obfuscation is increasingly being used in mobile applications now. Check your banking application or some government applications; you will find obfuscation being used. With mobile applications getting richer and a lot of code executing on the client side, it makes a compelling case to secure applications by using obfuscation (as a defense-in-depth approach).

Open standards like OWASP MSTG [1] MSTG-RESILIENCE-9 recommend such an approach.

    Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.

[1] https://github.com/OWASP/owasp-masvs/blob/master/Document/0x15-V8-Resiliency_Against_Reverse_Engineering_Requirements.md
xuki, almost 5 years ago
Snapchat acquired Strong Codes in 2017. Before the acquisition they used the Strong Codes compiler for obfuscation.

https://www.bloomberg.com/news/articles/2017-07-21/snap-hires-swiss-team-behind-software-protection-startup
brendonjohn, almost 5 years ago
This is brilliant work. I'm hoping in part II we get to see it working against the API.

I reverse engineered this in a production environment. It took approximately 7 months to build a scalable solution.

The investigation on how to create the x-snapchat-client-auth token is brilliant. One day I hope to do a talk on what my old team did to circumvent it.

There's a painful gotcha on the home stretch for this token: you may be creating the token, but it's not obvious what you're supposed to be using the method to sign.

What do they use it for? As far as I could tell, it's so they can verify requests at the edge nodes of their network. When you provide a bad x-snapchat-client-auth, you get a near-instant 403.
sbuccini, almost 5 years ago
I remember back in 2013(?) I went to a collegiate hackathon in Santa Monica. Evan Spiegel showed up to walk the floor and someone showed him how they had sniffed the API and did something interesting with it (forget the particulars now, getting old). If I recall correctly, Evan offered the kid a job on the spot but the kid turned him down.

They've come a long way since then!
zelly, almost 5 years ago
Snapchat is notoriously difficult to automate/spam.

The goal is to get the X-Snapchat token. The most elegant solution is to find the secret in the binary and reverse the algorithm to generate tokens. Wouldn't it be easier to MITM the endpoint: set up a dummy server (which collects tokens) in front of a proxy that spoofs the DNS and TLS certs (may be easier on rooted Android than iOS)?

In my last attempt I gave up and went for dumb UI automation, but it would be cool (and worth good money) to exploit the private API.
rvz, almost 5 years ago
Well, at this point you might as well run the binary in a Mach-O ARM emulator, since Snap has seriously cranked up the reversing difficulty to level 10,000.

I suggest anyone looking at this would need to use Corellium, such that Snap has made it hard for almost anyone to get their private API.
xwdv, almost 5 years ago
If you dig very deep, you can also find an offer to come work at Snapchat. Most will never find it.
hn_throwaway_99, almost 5 years ago
I'm curious, can anyone recommend any techniques (or companies providing solutions) for attempting something similar with JavaScript in a browser calling an API? Obviously it's much more difficult to obfuscate an algorithm for generating a client token in JS than it would be in assembly, but I'm just curious if anyone has tried any form of "lock down my API so it's only callable from the web front end I provide" obfuscation.
ed25519FUUU, almost 5 years ago
> To make your life even more miserable, Snap occasionally deprives you of recognizing some basic standard lib functions ... You won't be very happy after spending a day or two reversing a function to find it's memmove in the end.

That sounds particularly devious.
jayd16, almost 5 years ago
Philosophically, I never gave much thought to securing app client code.

Why not just track usage stats and ban clearly fake/high-throughput users?
mises, almost 5 years ago
This is some pretty heavy-duty obfuscation. What is the business case for this amount of work towards preventing reverse engineering? Decent rate limiting should be much more effective than making such a herculean effort to obfuscate one's API.

Edit: another comment mentions that Snapchat uses an existing solution, which makes more sense than the expense of developing this sort of obfuscation in-house: https://news.ycombinator.com/item?id=23558784
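Added example, not code from the thread or from Snap: the server-side alternative that jayd16 and mises propose above, a per-client token bucket that throttles bursts and bans a client after repeated rejections. Timestamps are passed in explicitly so the behaviour is deterministic and testable offline; a real service would read a monotonic clock and keep the bucket in a store keyed by account or device. The capacity, refill rate and strike threshold are assumed values.

```c
/* Added example (not from the post): per-client token bucket plus a
 * ban-after-repeated-abuse rule, with injected timestamps for determinism. */
#include <stdint.h>

#define BUCKET_CAPACITY   10.0   /* burst allowance, assumed */
#define REFILL_PER_SEC     2.0   /* sustained requests per second, assumed */
#define STRIKES_TO_BAN     5     /* rejected requests before a ban, assumed */

typedef struct {
    double tokens;        /* requests the client may still make right now */
    double last_refill;   /* seconds, from whatever clock the caller uses */
    int    strikes;       /* rejections accumulated so far */
    int    banned;        /* once set, every request is refused */
} client_t;

void client_init(client_t *c, double now) {
    c->tokens = BUCKET_CAPACITY;
    c->last_refill = now;
    c->strikes = 0;
    c->banned = 0;
}

/* Returns 1 if the request is admitted, 0 if it must be rejected. */
int client_admit(client_t *c, double now) {
    if (c->banned) return 0;

    double elapsed = now - c->last_refill;
    if (elapsed > 0.0) {                      /* refill proportional to time */
        c->tokens += elapsed * REFILL_PER_SEC;
        if (c->tokens > BUCKET_CAPACITY) c->tokens = BUCKET_CAPACITY;
        c->last_refill = now;
    }
    if (c->tokens >= 1.0) {
        c->tokens -= 1.0;
        return 1;
    }
    if (++c->strikes >= STRIKES_TO_BAN) c->banned = 1;   /* abuse: ban */
    return 0;
}

/* Replay a constructed burst of n requests at one instant; returns how many
 * were admitted. Used here to simulate a bot hammering the endpoint. */
int replay_burst(client_t *c, double now, int n) {
    int admitted = 0;
    for (int i = 0; i < n; i++) admitted += client_admit(c, now);
    return admitted;
}
```

The point relative to the obfuscation debate: this check costs the attacker nothing to understand (it is fully visible from the outside) but still caps what a single identity can do, which is the part of the problem obfuscation does not address.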
bob1029, almost 5 years ago
Seems like hooking the UI layer and intercepting data on the wire would be a much simpler approach. I wouldn't even try to circumvent the UI flow or animations. The more 'user-like' the activity, the more difficult it is to distinguish automation from human traffic. This doesn't scale as well as many would like, but it can work. You could probably bundle something like this up and resell it as a grey-market API.

There may be some money in standing up a datacenter that is filled almost exclusively with smartphones.
programmarchy, almost 5 years ago
How many of these tricks are off-the-shelf techniques? Seems like a tremendous effort.
llacb47, almost 5 years ago
Do TikTok next, their obfuscation techniques are quite interesting. :)
bluesign, almost 5 years ago
The best value of this kind of obfuscation is that it usually relies on a random seed, and every time you obfuscate you get different results. So once you update the app (and change the hash function), for the new version the spammers need to do all the reversing once again.
trishume, almost 5 years ago
One thing I'm curious about is what they do to try to stop you from just ripping out the obfuscated token generation library and setting up a harness to run the whole thing in https://www.unicorn-engine.org/ or something. Like, presumably they don't compile their whole app with obfuscation and it's just some library that's linked in with some kind of stable-ish API contract with the rest of the app. I wouldn't be surprised if they do interesting things to try and stop you from ripping it out, and it'd be cool to learn what those are.
unnouinceput, almost 5 years ago
All this to keep Snapchat from being recorded. Well, it's a cat-and-mouse game and currently the cat is winning, as in using Memu on my PC allows me to record everything happening there, your crush's nudes and dances included.
danbmil99, almost 5 years ago
This sort of thing has been prevalent in the game world for decades.

I once had the chance to work on a project disassembling casino machines, and they had similar protection appropriate for the technology of the time.
surround, almost 5 years ago
There are already alternative front-ends for YouTube, Facebook, and Reddit. I'd love to see one for Snapchat and Instagram, although it looks like one for Snapchat would be incredibly difficult.
mvkel, almost 5 years ago
This is what the top 1% of MIT grads work on. Obfuscating IP for a user-data company.

It's clever, but man... I have to believe these talented folks were destined for something greater.
jwyatt1995, almost 5 years ago
How would one go about understanding the content of this write-up? Even after the first paragraph it begins to go completely over my head.
akaktsn, almost 5 years ago
I would love to be able to make a bot for the Snapchat group my friends and I have. We already have a blast using it now. A bot that could randomly do things that we could all interact with would be hilarious. Sadly, I don't think this functionality will be introduced. So it will be cool to maybe slap something together before all of this gets fixed.
htgb, almost 5 years ago
Interesting read! I'd love to read the next post, but at least Miniflux can't find any feed.

3eed, would you be open to adding an RSS feed?
yamrzou, almost 5 years ago
How does one go about learning reverse engineering? Is it mostly by practicing? Are there any good up-to-date resources?

I remember taking a reverse engineering course at university where the professor didn't even bother to explain the basics; it was like black magic and left me frustrated, but I still feel amazed when I read blog posts like these.
ffritz, almost 5 years ago
I was wondering if there are any steps a developer of a small app can take to add such a header and lock down the API so it only answers to said header. This level of obfuscation doesn't seem doable for smaller shops. Is there something simpler that is "good enough"?
mmhsieh, almost 5 years ago
I have been advised by researchers in the field that it takes about a day with an optimizing compiler to de-obfuscate most any piece of commercial software of this size, with a good team. With a less than great team, perhaps about a week. Is that true?
DLA, almost 5 years ago
CORRECT LINK: https://hot3eed.github.io/2020/06/18/snap_p1_obfuscations.html
akersten, almost 5 years ago
Wow, that seems really messy. If you're just after the API key or whatever, wouldn't reversing the Android app be simpler? As far as I know, you can't do all these low-level tricks on the Java platform.
saagarjha, almost 5 years ago
> In Mach-O binaries, functions whose pointers are in the __mod_init_funcs run before main.

Remember that obfuscation makes your code run slower. This specific one is part of the reason why the dyld team probably hates you.
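Added example, not code from the write-up or the thread: the mechanism the quoted sentence describes, a function whose pointer the compiler places in the binary's initializer list so that it runs before main(). On Mach-O that list is the section otool shows as `__mod_init_func`; on ELF the same attribute lands the pointer in `.init_array`. The data table and the work the initializer does are constructed stand-ins for whatever an app's early checks actually do.

```c
/* Added example (not from the post): a constructor-attribute function runs
 * at load time, before main(), from the binary's initializer section. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

static int      g_init_ran  = 0;   /* set only by the initializer */
static uint32_t g_table_sum = 0;   /* result of work done before main */

/* Constructed data table standing in for whatever an initializer inspects. */
static const uint8_t k_table[] = { 0x10, 0x20, 0x30, 0x40 };

/* The attribute is what puts this function's address into the initializer
 * list; dyld (or the ELF loader) calls it before control reaches main(). */
__attribute__((constructor))
static void early_init(void) {
    for (size_t i = 0; i < sizeof k_table; i++)
        g_table_sum += k_table[i];
    g_init_ran = 1;
}

/* Accessors so the effect can be observed (and tested) from ordinary code. */
int init_ran(void)       { return g_init_ran; }
uint32_t table_sum(void) { return g_table_sum; }

int main(void) {
    printf("initializer ran before main: %d, table sum: 0x%02x\n",
           init_ran(), table_sum());
    return 0;
}
```

To see the pointer in the built binary, dump the section: `otool -s __DATA __mod_init_func a.out` on macOS, or `objdump -s -j .init_array a.out` on Linux. Every entry in that list is work the loader performs on every launch, which is the cost saagarjha is pointing at.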
obvboasio, almost 5 years ago
To answer everyone asking "why do they do it????": it's because of spam, that simple. They don't want:

a) outbound bots that send messages to users, created in bulk, messaging millions of users;
b) inbound chatbots that answer messages;
c) when they had Snapcash, they didn't want bots generated to collect cash.

Spam is a multi-million-dollar industry.

@3eed I guess it's not considered obfuscation, but you've gotta pass the correct version # or you won't be able to connect either; old versions are immediately obsolete.
shay_ker, almost 5 years ago
Are any of these obfuscation techniques possible on the web? My guess is no, but just curious.
iampims, almost 5 years ago
Things were definitely much simpler a couple of years ago.
pjmlp, almost 5 years ago
Very nice article. Great piece of work.
Commodore_64, almost 5 years ago
Great write-up! Thanks for posting!
grecy, almost 5 years ago
Will Apple approve an app with this level of obfuscation in its source? I thought they had to have the source itself?
MintelIE, almost 5 years ago
Doesn't Snapchat mainly rely upon the iOS or Android platform having some software that prevents screenshots if a 'no screenshots' flag is set? I always thought this was their core defense.