PSA: Security of Folder Downloader for Dropbox

I received this inquiry via email:

Could this app leak my Dropbox password? With the recent news that 6.9million Dropbox passwords have been stolen, I am now wondering how secure this app is.

I think it’s better to repost my answer here, with some additional information for semi-technical people.

The app does not know your password at all, because it uses the official Dropbox app or website to delegate authentication. This method generates a token associated with your account that can be used and accessed only by this app.

That said, an hypothetical attacker could steal the application’s secret key to trick Dropbox into thinking the he is using the app, but then he would have to also steal the token issued to each individual user, and that is obviously impossible as the tokens are stored solely on user’s devices, and Android itself prevents other apps from accessing that kind of data. If the phone is rooted, or is connected via USB in debug mode, then the token becomes accessible, but in that case the attacker would have your device in his hands, which becomes your primary problem.

Moreover, the app does not communicate with anything on the internet except Dropbox. Obviously, this a promise on my side – a gentlemen’s agreement, if you like – but any tech person could verify that with a network sniffer.

A few suggestions to keep your data safe:

  • check apps connected to your Dropbox account and revoke those you don’t need (this is done in the Dropbox’s settings)
  • change the Dropbox password often
  • last but not least, enable two-factor authentication, which makes a password leak ineffective by all practical means (unless the attacker has your phone).

Hope this is a sufficient explanation.

Google vs Everyone Else

Yep. Another Android-related post.

Devices may only be distributed if all Google Applications […] are pre-installed on the Device.

The parties will create an open environment for the Devices by making all Android Products and Android Application Programming Interfaces available and open on the Devices and will take no action to limit or restrict the Android platform.

Via Ars Technica.

The contradictions within Google’s idea of open are many. Android is as open as Google allows it to be, but that might not necessarily be a bad thing to keep it going in a consistent direction.

The UX Collective Culture

When you design a UX, you try to guide the user through your machine’s interface in the most obvious and predictable way.

Most UX/UI must make assumptions on what the user knows and what she doesn’t know. It’s a tradeoff between beginners and experts.

There are, however, different levels of preexisting knowledge you can expect within the same UX. Take a mouse. You don’t teach the user how to use a mouse, you expect her to be able. You take a collective experience with mice as granted. You must however consider that your user might not know how to, say, enter a formula in a spreadsheet.

Mobile is driving a whole new set of interaction paradigms, and UX on mobile is very specific (for many reasons and because of several constraints).

Even on mobile, however, there are things you don’t teach anymore to the user. Touch interactions are considered well-understood. We could argue there is a collective knowledge, a collective experience of touch interactions.

It is true. The problem is, while the vast majority of mobile/smartphone users can make use of touch interactions, others cannot, because they’ve never been exposed to them.

This causes as a vicious circle because many of those users will find touch interactions strange, and cumbersome, not because they are, but because your UX assumes they already know the basics, cutting away hints/suggestions. That will make adoption of touch interactions always difficult for beginners.

A perfect example is standard Android navigation patterns.

Google Play
Do you know how to pull out the “sidebar” thing?

If there’s no tutorial, how is the user supposed to know what she should do to open the sidebar menu (or whatever it’s called)?

All that said, I think what is happening in the mobile field is just fine. Given the numbers involved, annoying the majority of users to benefit the minority would not be very smart.

Google vs Samsung, Nexus Edition

Excellent Ars Technica article: Google’s iron grip on Android: Controlling open source by any means necessary.

I’m reading this the day after I ordered a Nexus 5. Not that it would have made much of a difference… but still a very interesting read. Besides, it made me change my mind on some aspects I already discussed in the past.

Android went from zero percent of the smartphone market to owning nearly 80 percent of it. Android has arguably won the smartphone wars, but “Android winning” and “Google winning” are not necessarily the same thing.

Since Android has become a mobile powerhouse though, Google has decided it needs more control over the public source code.

[…] that would mean you’d be moving Android’s SMS functionality to a closed source app. Once Google does make the switch, I predict that in one or two Android versions, you’ll see the SMS app disappear as a default app

[Play Services] is a huge weapon in the fight against Android forks. [It] is a closed source app owned by Google and licensed as part of the Google Apps package. Any feature you see move from “normal” Android to Google Play Services is also moving from open source to closed source. This app pulls off the neat trick of not only enticing users with exclusive, closed source features, but locking in third-party developers with Google’s proprietary APIs as well.

Google Cloud Messaging (GCM) is the easiest way to do push notifications on Android, but you’ll never see it on AOSP [Android Open Source Project].

There are now two methods to get location: the good, low power, closed source Google way, and the crappy, battery expensive, open source way.

To sum it up, Google is slowly abandoning pieces of the open source Android it continues to promote, while moving key, unreplaceable functionality into closed source proprietary apps and services. AOSP is becoming a sort of a mobile OS platform that’s pretty useless on its own (very much like the Linux kernel) but with only one widespread distribution: Google’s.

To me – and to the average consumer, and even developer – this is isn’t bad news, quite the opposite. It means Android is something worth investing in.

Bill Gates would be proud.
– Me, right now.

Google is indeed breaking its own promise of a “free” (as in “not owned by anyone in particular”) Android ecosystem. The point everyone seems to miss is, an ecosystem works if it has a stable common platform at its base. If Samsung part of the ecosystem tries to run away with the money, someone else has will try to stop it.

You might argue that Google had tight control on Android since the very beginning, and none of these arguments is new. That’s true. The Open Handset Alliance is sort of a joke and surely is not an “alliance”. Stronghold comes to mind. The problem is, Google is probably the only one in OHA that knows how to build awesome web software.

I want to state this once again. If it’s not Google, it would be Samsung. The difference is, Google “sells” web-based services, Samsung sells hardware, from oil tankers to smart watches (funny how things change in just 6 months!). The focus is much different – not necessarily worse or better, just different. Personally, for how I use my phone, the manufacturer is mostly irrelevant* and as long as a few key features are provided I only care about the software it runs. That means, Google gets to control the ecosystem.

If you think more about it, you “google” stuff on the web. You don’t “samsung” it. You use Gmail, and Google Maps. Google is everywhere in our daily routine (and yes, Google probably knows who you are, where you live, what you like, what is your sexual orientation… but that’s another story). Samsung isn’t, and will hardly every be. So, on the one hand, Samsung is trying to become a bit like Google, by building competing components, like their proprietary app store. On the other hand, Samsung is trying, with arguably good results, to disguise Google’s software as its own, or to trick the user to believe it’s always Samsung’s merit. Trust me, I’ve seen this with my very own eyes: most people do not know that a Galaxy S3 or S4 runs Android.

But, it’s an arms race, and Samsung cannot win it, simply because it’s not Google.

Nexus 5

The next step for Google is getting rid of OEMs. Selling Nexus devices directly through Google Play, even in secondary markets like Italy, puts Google at a vantage point: distributing only and exactly what it thinks fits its (long-term) vision. So far they kept a very low profile, without pompous announcements – the Nexus 5 release was announced by a meager post on Google’s official blog – to avoid upsetting anyone, but we can clearly picture Google slowly kicking away all OEMs from the Android ecosystem, and becoming the sole “owner” of it all. It would make a lot of sense, under many aspects – compatibility, price, device fragmentation – but would remove the only differentiation between Android and iOS and Windows Phone: choice. You still get to pick your platform, but within those platforms choice and competition is, or will soon be, very limited. Again, nothing new, but it’s not quite what we all have in mind when we think about Android.

I don’t have any hard data, and I doubt Google will release any, but selling devices on Google Play seem to work pretty well. If I had ordered my Nexus 5 on October 31st, I’d have had to wait 1 week for delivery. I ordered it less than 24 hours later, on November 1st, and I got to wait 2 weeks, meaning stock is already running low. Of course this might actually mean there simply are very few items in stock. Should that be the case I’d doubt Google’s sanity, but I believe it’s rather the opposite: orders are flowing in fast**.

The last 3 Nexus devices, Nexus 4, Nexus 5, and 2013 Nexus 7, are built by LG and Asus. We still don’t get to see any Motorola Nexus device, although the recently released Moto X is unsurprisingly close to the Nexus vision: “stock” Android with very few customizations. I predict the next Nexus phone will be Motorola, and that will mark the end of the current Android ecosystem. Very much like Apple wanted to “go termonuclear” on Android, Google is going termonuclear on Samsung. Google is keeping a low profile, and slowly digging a tunnel under Samsung’s feet and removing key components from AOSP. Sooner or later, that tunnel will collapse.

* OK, that’s not entirely true, and that’s another reason why I don’t particularly like Samsung: they build crappy stuff.

** On a side note, white Nexus 5s are selling slower than black ones.

Samsung Is Killing Google’s Android

About a year ago I asked myself whether Android was dead. The answer is, a year later, probably not.

The trend we all can see is that Google is simply losing control over the Android ecosystem. If you ask them, they’d probably answer that control is not the point, and it’s probably not very far from the truth. After all, Android is just a means to sell more ads.

Samsung seems the maker that is getting the most out of Android, and that’s confirmed by Apple’s lawsuits. Samsung is slowly replacing the Android brand with its own. As someone already noticed a year ago, Android is just an item in a bullet list of features, probably below many others. Need proof? Go to Samsung’s website, find the minisite dedicated to S4 and search for ‘android’.

Samsung Galaxy S4

Samsung, you will notice, markets Samsung.

Samsung’s marketing folks carefully avoid mentioning Android and Google. They’re so good at it that they don’t even have to include it in footer copyright disclaimers.

What is Google doing to keep Android under its own wing? Nothing. Google releases Nexus devices every now and then but such devices, while being generally a bit more affordable than others, are not innovative. They’re average. Let me state this differently. Samsung phones are terrible. They barely stick together in one piece. Build quality is awful. Still they cost like an iPhone – or more. But at least Samsung is trying to innovate on the software side, with arguably mediocre results of course, but they’re at least trying. That’s why Samsung’s Android smartphones sell like candy. I still prefer Nexus, because I prefer a “pure Google experience”, but people are not me, and are buying Galaxy phones. Truckloads of Galaxy phones in fact.

Now, how is a Nexus 4 different from a Galaxy Nexus? Just negligible details. Faster hardware surely, and a different and probably better case, but nothing more. I just hope the rumored X Phone will be groundbreaking, otherwise Google will put the last nail in its own Android-branded coffin. Probably we’ll have more details at the next Google I/O conference in three weeks.

At any rate, Samsung is slowly, subtly pushing Google out of its own ecosystem. Samsung already has an app store for Android phones (I didn’t even know about it until today, but still). How long until they just quit delivering phones with Google Play? How long until they fork Android? How long until they start filing lawsuits against Google?

Now, it’s obviously more complex than that – Samsung and Google surely have agreements in place, and Samsung currently cannot afford to dump Google. Samsung needs Android, and Android/Google needs Samsung. But that’s today. What about tomorrow? I see Google is extremely weak as they stand now.

If you look at the big picture, it’s even scarier. Samsung produces all kinds of consumer electronics, but also medical equipment, chemicals, and… oil tankers. With 5x Google’s revenue, Samsung has immense firepower. They already are in most households with TVs, microwave ovens, and what-not, and in most pockets with phones and tablets.

What I see in my mind is Google gingerly playing with Android, and Samsung snatching it from the hands. “This is mine now. GTFO.”