[habosa]

I've worked with the unofficial Snapchat API a lot, and I've had the same thoughts. Basically Snapchat used AES ECB encryption with a symmetric key hardcoded into their binary. That's not a good idea, but its also better than nothing. Their api requests are all sent with a generated key parameter that takes 3 steps to make but really boils down to security by obscurity.

Snapchat made these security decisions long before anyone had any interest in "cracking" the app, and now I imagine they are looking for a way to get rid of this legacy code without breaking the millions of installed clients out there. It's an interesting problem and for now I'm having fun hacking on the API. If you're a Java person, check out my JavaSnap library which lets you send and receive Snaps.