IBM's X-Force Application Security Research Team has disclosed a serious vulnerability in the Dropbox SDK for Android, the library that apps bundle to talk to the cloud storage service. Dubbed 'DroppedIn', the flaw lets an unauthorized app on the device silently link a vulnerable Dropbox-enabled app to a Dropbox account the attacker controls, so whatever that app then saves to Dropbox lands in the attacker's account for later perusal.
The bug affects SDK versions 1.5.4 through 1.6.1 and is fixed as of 1.6.2. As serious as this bug is, it's nice to know that Dropbox wasted no time in fixing it. Security Intelligence notes that Dropbox responded to IBM's email about the bug within six minutes and confirmed the vulnerability within 24 hours. It then patched the bug and rolled out a new version of the SDK a mere four days later. I am thinking that Microsoft might want to start taking after Dropbox when it comes to issuing these fixes!
Unfortunately, the SDK isn't a component a user can update themselves; it is compiled into each app, so the developer of every app that uses it has to ship a new build against the fixed version. That said, if you happen to have the official Dropbox app installed - even if it's never been opened - the bug can't be exploited: with the official app present, the SDK hands account linking over to that app, so any Dropbox interaction has to go through it and proper authentication.
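The two facts above (the affected SDK range and the "official app installed" mitigation) are exactly what you need to triage a device or an app inventory. The script below is an added example written for this page, not IBM's or Dropbox's code: it compares versions numerically rather than as strings, and treats the official app as a blanket mitigation. The inventory records, package names and the `dropbox_sdk` field are constructed for illustration; pulling the real SDK version out of an APK is left to whatever decompilation tooling you already use.

```python
"""Flag Android apps that bundle a DroppedIn-affected Dropbox SDK.

Affected range per the advisory: Dropbox Android SDK 1.5.4 through 1.6.1
(fixed in 1.6.2). Exploitation is blocked when the official Dropbox app
is installed, so the scan takes that into account as well.
"""
from typing import Dict, List, Tuple

FIRST_AFFECTED = (1, 5, 4)
FIRST_FIXED = (1, 6, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.1' into (1, 6, 1) so versions compare numerically.

    A plain string compare would wrongly rank '1.10.0' below '1.6.2'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def sdk_is_vulnerable(version: str) -> bool:
    """True if the SDK version falls in the affected range [1.5.4, 1.6.2)."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIRST_FIXED


def exposed_apps(inventory: List[Dict[str, str]],
                 dropbox_app_installed: bool) -> List[str]:
    """Return package names that are actually exploitable on this device.

    `inventory` is a list of {"package": ..., "dropbox_sdk": ...} records
    (assumed format; how you populate it from real APKs is up to you).
    A missing "dropbox_sdk" key means the app does not use the SDK.
    """
    if dropbox_app_installed:
        # The SDK defers authentication to the official app when it is
        # present, so the vulnerable in-SDK linking flow is never reached.
        return []
    return [
        app["package"]
        for app in inventory
        if app.get("dropbox_sdk") and sdk_is_vulnerable(app["dropbox_sdk"])
    ]


# Constructed sample inventory: hypothetical package names, not real apps.
SAMPLE_INVENTORY = [
    {"package": "com.example.notes", "dropbox_sdk": "1.6.1"},     # last affected
    {"package": "com.example.emulator", "dropbox_sdk": "1.6.2"},  # first fixed
    {"package": "com.example.backup", "dropbox_sdk": "1.5.3"},    # predates range
    {"package": "com.example.game", "dropbox_sdk": "1.5.4"},      # first affected
    {"package": "com.example.weather"},                           # no Dropbox SDK
]

if __name__ == "__main__":
    for installed in (False, True):
        print(f"official Dropbox app installed={installed}: "
              f"{exposed_apps(SAMPLE_INVENTORY, installed)}")
```

Note that the check is deliberately half-open: 1.6.2 is the first fixed release, so anything at or above it passes, and anything below 1.5.4 predates the bug as the advisory describes it.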
According to app-tracking site AppBrain, an impressive 0.31% of the apps it tracks use the Dropbox SDK. Nowadays, even some games make use of it for sharing certain game data, and a game emulator I use actually allows you to save your progress straight to a Dropbox account (extremely useful when you move from device to device).
While the prospect of what this bug could allow is a little scary, there is no evidence so far that anyone has exploited it, and IBM's choice to report it privately and give Dropbox time to fix it before going public may well be why. Still, if you use any Android apps that rely on Dropbox and you don't have the official Dropbox app installed, you'd do well to make sure those apps are up-to-date.
I should note, though, that chances are good that you're already protected from this bug. While the fix landed in SDK version 1.6.2, 1.6.3 came out in the second week of January, so developers who keep their dependencies current have had time to pick it up. IBM clearly wanted to wait a little before disclosing the bug, to give everyone a chance to update. Good guy, IBM.