I received this inquiry via email:

Could this app leak my Dropbox password? With the recent news that 6.9million Dropbox passwords have been stolen, I am now wondering how secure this app is.

I think it’s better to repost my answer here, with some additional information for semi-technical people.

The app does not know your password at all, because it uses the official Dropbox app or website to delegate authentication. This method generates a token associated with your account that can be used and accessed only by this app.

That said, an hypothetical attacker could steal the application’s secret key to trick Dropbox into thinking the he is using the app, but then he would have to also steal the token issued to each individual user, and that is obviously impossible as the tokens are stored solely on user’s devices, and Android itself prevents other apps from accessing that kind of data. If the phone is rooted, or is connected via USB in debug mode, then the token becomes accessible, but in that case the attacker would have your device in his hands, which becomes your primary problem.

Moreover, the app does not communicate with anything on the internet except Dropbox. Obviously, this a promise on my side – a gentlemen’s agreement, if you like – but any tech person could verify that with a network sniffer.

A few suggestions to keep your data safe:

  • check apps connected to your Dropbox account and revoke those you don’t need (this is done in the Dropbox’s settings)
  • change the Dropbox password often
  • last but not least, enable two-factor authentication, which makes a password leak ineffective by all practical means (unless the attacker has your phone).

Hope this is a sufficient explanation.

Leave a Reply

Your email address will not be published. Required fields are marked *