PSA: Security of Folder Downloader for Dropbox

I received this inquiry via email:

Could this app leak my Dropbox password? With the recent news that 6.9 million Dropbox passwords have been stolen, I am now wondering how secure this app is.

I think it’s better to repost my answer here, with some additional information for semi-technical people.

The app does not know your password at all, because it uses the official Dropbox app or website to delegate authentication. This method generates a token associated with your account that can be used and accessed only by this app.

That said, a hypothetical attacker could steal the application’s secret key to trick Dropbox into thinking that he is using the app, but then he would also have to steal the token issued to each individual user, and that is obviously impossible as the tokens are stored solely on users’ devices, and Android itself prevents other apps from accessing that kind of data. If the phone is rooted, or is connected via USB in debug mode, then the token becomes accessible, but in that case the attacker would have your device in his hands, which becomes your primary problem.

Moreover, the app does not communicate with anything on the internet except Dropbox. Obviously, this is a promise on my side – a gentlemen’s agreement, if you like – but any tech person could verify that with a network sniffer.

A few suggestions to keep your data safe:

  • check apps connected to your Dropbox account and revoke those you don’t need (this is done in Dropbox’s settings)
  • change the Dropbox password often
  • last but not least, enable two-factor authentication, which makes a password leak ineffective by all practical means (unless the attacker has your phone).

Hope this is a sufficient explanation.

New Android App: Silent Mode Bypass

I’ve just published a new tiny, free Android app: Silent Mode Bypass.

This app does just one thing: disabling Silent or Vibration mode when you receive a phone call from a selected list of contacts. It’s useful for emergency calls that you must be absolutely sure to receive, typically at night, while still keeping everything else silent.

It’s very lightweight and does not affect battery life. There’s a background service always running, but it only uses around 3 MB of RAM and hardly any CPU time, because it does not run any code except when it gets a phone call broadcast intent.

On a side note, I’m specializing in writing niche apps that no one except me uses… On the plus side, I don’t get many complaints from users!

FDfD Extremes

There have been a few reports about stuck downloads with Folder Downloader for Dropbox, so I added some logic to better handle network read timeouts. The main problem is with Java’s FilterInputStream.read() method, which is blocking and has no timeout setting. I ended up using Eclipse’s TimeoutInputStream (see update below).

That said, such timeouts were very sporadic, although I experienced a couple myself. As you can see from these screenshots, FDfD is reliable for both large and small files.

[Screenshots: 365 MB; 2,000 files]

I tested these downloads on my Galaxy Nexus over a slowish DSL connection. The problem is that there’s no obvious way to test this kind of error. The latest update (1.2.5), at any rate, should handle timeouts gracefully without hanging the entire background service.

Update 2012/10/19: it seems that TimeoutInputStream corrupts data. I don’t know the reason or the circumstances but for now I removed it. I decided to opt for Java’s built-in Future<T> and ExecutorService (mandatory example on Stack Overflow). Making it work is very tricky, but it looks much more stable.
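The Future/ExecutorService approach mentioned in the update, sketched as an added example (this is not the app's code; the class and method names are hypothetical and the stalled stream is constructed for the demo). The blocking read runs on a worker thread, the caller waits on its Future with a deadline, and on timeout the stream is closed, because interrupting a thread does not unblock a socket read.

```java
import java.io.*;
import java.net.SocketTimeoutException;
import java.util.concurrent.*;

public class TimedRead {
    // One daemon worker thread performs the blocking reads.
    private static final ExecutorService POOL = Executors.newSingleThreadExecutor(r -> {
        Thread t = new Thread(r, "timed-read");
        t.setDaemon(true);
        return t;
    });

    /** Reads into buf, or fails if no data arrives within timeoutMs. */
    static int read(InputStream in, byte[] buf, long timeoutMs) throws IOException {
        Callable<Integer> task = () -> in.read(buf);
        Future<Integer> f = POOL.submit(task);
        try {
            return f.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            f.cancel(true);   // interrupt alone does not unblock a socket read,
            in.close();       // closing the stream does, and frees the worker
            throw new SocketTimeoutException("no data for " + timeoutMs + " ms");
        } catch (ExecutionException e) {
            Throwable c = e.getCause();   // the read itself failed: rethrow it
            throw c instanceof IOException ? (IOException) c : new IOException(c);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new InterruptedIOException("interrupted while waiting for data");
        }
    }

    /** Constructed test stream: blocks in read() until it is closed. */
    static class StalledStream extends InputStream {
        private final CountDownLatch closed = new CountDownLatch(1);
        @Override public int read() throws IOException {
            try { closed.await(); } catch (InterruptedException e) { /* fall through */ }
            throw new IOException("stream closed");
        }
        @Override public void close() { closed.countDown(); }
    }

    public static void main(String[] args) throws IOException {
        byte[] buf = new byte[8192];
        int n = read(new ByteArrayInputStream("constructed sample".getBytes()), buf, 500);
        System.out.println("healthy stream: " + n + " bytes");
        try { read(new StalledStream(), buf, 200); }
        catch (SocketTimeoutException e) { System.out.println("stalled stream: " + e.getMessage()); }
    }
}
```

After a timeout the stream is closed and cannot be reused, so the caller has to reopen the connection and resume or restart that file.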

On Object-Oriented Programming

Object-oriented programming, or OOP, is a programming paradigm that uses “objects” – usually instances of a class – consisting of data fields and methods together with their interactions – to design applications and computer programs.

In practical terms, to build a program, you define objects that contain data and expose operations (called methods). A typical, boring-to-death example is a Car class, with a Color property and TurnEngineOn() and TurnEngineOff() operations.

This model, despite being used by most software developers, has something wrong in an increasing number of scenarios. Take web applications: you usually have a model layer that represents – or models – the information that the application handles, and then you have a business logic layer, often implemented as a set of controllers. You see, each data class exposes properties, but no methods. Each controller exposes methods but very few, if any, properties. It’s still OOP, but it’s starting to look like something different.

When you work with distributed/parallel architectures this phenomenon gets even worse, as you have classes that only do data/events/jobs storage, classes that only implement business logic, and classes that only hold data (aka entities). In a way, each single piece is simpler to allow scalability, entities become read-only to avoid side-effects in parallel environments and there are huge blocks of code loading-crunching-saving data.

I suspect that most OOP goes into building frameworks (.NET, Java, RoR, etc.), and we just leverage them to build not-so-OO programs.

I don’t have a solution for this – I’m not sure it actually needs a solution (functional languages anyone?) – but when your only tool is a hammer, everything looks like a nail.

Eating Your Own Dog Food

Eating your own dog food, or dogfooding, is a term adopted by Microsoft indicating that a software company should use its own products internally.

It’s true, and Microsoft does it. Internally, the company runs on its own products, and each team even uses pre-release versions of their products, such as Office, Exchange, Windows, whatever. Dogfooding is a way to ensure that what you build works reasonably well. It doesn’t replace proper testing, but it is still very important.

The problem is, dogfooding is not always possible. In fact, it’s seldom possible. How can you expect Autodesk to use AutoCAD or 3ds Max internally? If you build a platform/framework/operating system, then it’s reasonable to assume that you can use it, but if you build an application, perhaps a very vertical one, it’s close to impossible that someone in your company will actually use it for anything other than testing.

It might sound silly, but that is why I’m reluctant to add features to Folder Downloader for Dropbox. Many users have asked for very useful additions, but I’m not going to use them, so I won’t be able to test them properly, thus I won’t implement them. FDfD works well and has a solid 4.7/5 average rating, more than 100 +1s and very few complaints and error reports. It would be a pity to bloat it with half-baked pieces.

Oh, and I’m going to forge a new motto: “Eat it or drop it.”