This was discovered by forensic researcher Richard Hickman, who concluded, “metadata is stored for Snapchat images, as shown by the com.snapchat.android_preferences.xml file, and that it contains metadata about expired ‘snaps’ as well as unexpired ‘snaps’, and that images that are sent via Snapchat are indeed recoverable, and do not ‘disappear forever’.”
Snapchat is a hugely popular app that allows users to send ‘view once’ photos. The theory is that the sender can specify how long the photo will remain visible on the recipient’s device before it disappears. “Snap an ugly selfie or a video, add a caption, and send it to a friend (or maybe a few). They'll receive it, laugh, and then the snap disappears,” says Snapchat. But ‘disappears’ is relative – Hickman discovered that photos aren’t deleted, they’re just pushed round the corner and hidden from the operating system and other apps.
Hickman first sent some photos via Snapchat and then, using AccessData’s Forensic Toolkit version 4.0.2.33, checked to see if they remained on the device. He found the files with the simple suffix .nomedia appended. This, explains Paul Ducklin in NakedSecurity, “is a standard Android marker that says, ‘Other apps should ignore this file. Do not index it, thumbnail it, add it to any galleries, or whatnot. Leave it to me’.”
Apps that obey the Android rules will do that. Forensic apps that do not obey the rules will not. “AccessData’s Forensic Toolkit recognized the .nomedia extension that was appended to the end of the file name and ignored it, displaying the images,” wrote Hickman.
The question now is whether this is an issue. Snapchat thinks not. It responded with its own blog: “if you’ve ever tried to recover lost data after accidentally deleting a drive or maybe watched an episode of CSI, you might know that with the right forensic tools, it’s sometimes possible to retrieve data after it has been deleted. So… you know… keep that in mind before putting any state secrets in your selfies :)” Larry Magid, writing in Forbes agrees that it is a non-issue: “The main reason I’m not worried about kids use of Snapchat is because the vast majority of them are smart when it comes to their use of apps and social technology.”
The reality is that it is notoriously difficult to remove data from mobile devices simply because of the way data is stored using the ‘wear leveling’ technique. Since mobile devices are so regularly recycled for newer versions, this means that Snapchat photos that users believe no longer exist may be passed on to unknown third parties, and could be retrieved with forensic software. Ducklin suggests that if Snapchat cannot guarantee removal of these photos, it should consider ‘shredding’ them with encryption. “Encrypt each image delivered to X's device with a random key, and keep the key on the Snapchat server until X requests to view the image. That way, the key and the decrypted image only ever need to exist in memory on X's device, and thus implicitly 'disappear' once viewed.”
Whatever happens, however, users should be clear that Snapchat photos are not currently deleted; they are merely ‘hidden’.