IBM uncovers critical Dropbox SDK for Android vulnerability

Dropbox for Android

Android app developers are being urged to update their Dropbox SDK to the latest version after IBM's team of application security researchers found a severe vulnerability that has the potential to affect a large number of files.

The IBM X-Force Application Security Research Team found the flaw in Dropbox SDK for Android versions from 1.5.4 up to the patched release. It allowed an attacker to link an app on any Android device to a Dropbox account the attacker controlled, so that files the app saved to "Dropbox" landed in the attacker's account rather than the user's.

Dropbox was quick to act and, according to IBM, issued a patch within four days of being told of the problem by IBM's team of researchers.

The vulnerability lay in the authorization mechanism the Dropbox SDK for Android uses to link an app to a Dropbox account, so any app built on the SDK was potentially exposed. That includes Microsoft Office Mobile, which reportedly stores a number of files on Dropbox for its Android users, and AgileBits' 1Password.

Dropbox later told TechRadar that the vulnerability only affected files newly saved through a third-party app while an attack was in progress, and that files already stored in a user's Dropbox account were never exposed.

How to protect yourself

The SDK protects the authorization handoff with a nonce: a random value generated when the app starts linking to Dropbox, which the returned result must echo so that the SDK only accepts a token for a request it actually made. Attackers were able to insert an arbitrary access token into the SDK at the nonce verification stage, bypassing that protection. Once the SDK accepted the injected token, the app was silently linked to the attacker's Dropbox account, and anything the app saved from then on went to the attacker.
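The following is an illustrative model, added to this article and not the Dropbox SDK's code, of the class of flaw the paragraph describes. It models the link flow as an app that issues a nonce, hands authorization to an external component, and later receives a result carrying a token and a state. The weak linker generates a nonce but accepts a result that arrives when no request is pending, so an attacker-delivered result links the app to the attacker's token. The hardened linker only accepts a result that answers a request it issued, within a lifetime, exactly once. The class names, the `AuthResult` shape and the token strings are constructed for the example; the Android intent plumbing is left out.

```python
"""Nonce-bound authorization handoff: weak versus hardened acceptance logic.

Illustrative model for this article, not the Dropbox SDK's implementation.
"""
import hmac
import secrets
import time


class AuthResult:
    """Result handed back from the external authorization step.

    Constructed stand-in for the extras an Android SDK would read from the
    returning intent; the field names are assumptions for this example.
    """

    def __init__(self, access_token, state):
        self.access_token = access_token
        self.state = state


class WeakLinker:
    """Generates a nonce on request but does not insist that a request exists
    when a result arrives, so an unsolicited result with an attacker's token
    is accepted. Models the flaw class only; not the real SDK code."""

    def __init__(self):
        self.pending_state = None
        self.linked_token = None

    def begin_link(self):
        self.pending_state = secrets.token_urlsafe(16)
        return self.pending_state

    def finish_link(self, result):
        # Only compares when something is pending; None means "no check".
        if self.pending_state is not None and self.pending_state != result.state:
            return False
        self.linked_token = result.access_token
        self.pending_state = None
        return True


class HardenedLinker:
    """Accepts a result only if it answers a nonce this app issued, the nonce
    is still fresh, and the nonce has not been consumed already."""

    LIFETIME_S = 300  # assumed lifetime for a pending link request

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending_state = None
        self.issued_at = None
        self.linked_token = None

    def begin_link(self):
        self.pending_state = secrets.token_urlsafe(32)
        self.issued_at = self.clock()
        return self.pending_state

    def finish_link(self, result):
        pending, self.pending_state = self.pending_state, None  # single use
        if pending is None:
            return False  # unsolicited result: the app never asked to link
        if self.clock() - self.issued_at > self.LIFETIME_S:
            return False  # stale request
        if not hmac.compare_digest(pending.encode(), result.state.encode()):
            return False  # result does not answer our request
        self.linked_token = result.access_token
        return True


def attacker_injects(linker, attacker_token="ATTACKER_TOKEN"):
    """Deliver an unsolicited result carrying the attacker's token and a
    state value the attacker chose (constructed sample input)."""
    return linker.finish_link(AuthResult(attacker_token, "attacker-chosen-state"))


def legitimate_flow(linker, user_token="USER_TOKEN"):
    """The honest handoff: the external component echoes our state back."""
    state = linker.begin_link()
    return linker.finish_link(AuthResult(user_token, state))


def demo():
    """Run both linkers against an injection, a legitimate link and a replay."""
    results = {}
    weak = WeakLinker()
    attacker_injects(weak)
    results["weak_unsolicited"] = weak.linked_token  # attacker's token accepted

    hard = HardenedLinker()
    attacker_injects(hard)
    results["hardened_unsolicited"] = hard.linked_token  # stays None
    results["hardened_legit"] = legitimate_flow(hard) and hard.linked_token

    hard2 = HardenedLinker()
    state = hard2.begin_link()
    hard2.finish_link(AuthResult("USER_TOKEN", state))
    # Replaying a consumed state with a different token must fail.
    results["hardened_replay"] = hard2.finish_link(AuthResult("ATTACKER_TOKEN", state))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The decisive difference is that the hardened linker treats "nothing pending" as a rejection rather than as "nothing to check", consumes the nonce before comparing so it cannot be replayed, and uses a constant-time comparison. The expiry check uses an injectable clock so the stale-request path can be exercised without waiting.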

Both companies are urging developers to update immediately to the latest patched version of the SDK (v1.6.3, or Sync/Datastore SDK for Android v3.1.2). End users can protect themselves by installing the official Dropbox for Android app: with it present, the SDK hands authorization to that app rather than to the browser, which makes the vulnerability impossible to exploit.

Via: ZDNet