Dropbox Patches Critical Android Security Bug

Thursday, July 30th, 2015

Dropbox, the leading provider of cloud storage, personal cloud and file synchronization services, has patched a critical security flaw which could have allowed cyber criminals to steal files and data stored by users. The San Francisco-based company said that the bug affected only the Android ecosystem and allowed attackers to access data through compromised third-party apps. The flaw was first discovered by Or Peles and Roee Hay, security researchers working at IBM, who then passed the information to the cloud company for remedial action.

Dropbox is one of the most popular cloud hosting service providers in the world, with more than 300 million users. The service is popular among mobile users as well, and its Android app has been installed on more than 100 million devices. As such, any security glitch found to be affecting the service threatens to snowball into a major security breach that could wipe out the private data of millions of people.

Announcing the bug through its developer blog, Dropbox said that the newly discovered flaw was found to affect the Android Sync/Datastore and Core SDKs released by the company. These kits provide access to Dropbox APIs and allow developers to create third-party services capable of communicating with the cloud service. According to the company, the flaw was discovered and patched a few months ago, but it could still affect apps that are using older versions of the SDKs. The company has urged all third-party developers to upgrade to Core Android SDK version 1.6.3 or Sync/Datastore Android SDK version 3.1.2 to ensure that their apps are not affected by the vulnerability.

In addition to providing the above information, Dropbox also explained how the flaw could have affected Android users if it had not been patched in time. Stressing that its native app, Dropbox for Android, was not affected by the glitch and was not even needed for the vulnerability to work, the company said that the flaw propagated through malicious third-party apps installed on users’ devices. In addition to installing a malicious app, users needed to visit a webpage in order to link the app with the device owner’s Dropbox account, which would then have allowed hackers to steal any data newly added to the account.

Dropbox said that there was no evidence that the glitch was exploited by criminals to access user data. The company also added that since every app works in a different way, many apps weren’t affected by the glitch at all or needed additional factors for the vulnerability to work. The cloud provider also said that there was no way the vulnerability could have been used to access existing files on users’ Dropbox accounts that were uploaded through the company’s native app.

While Dropbox was quick to patch the Android vulnerability, the episode raises questions about the security of the whole service. This is not the first time the Dropbox service has been compromised by hackers. Late last year, the service was used for an elaborate phishing attack, and even Edward Snowden had raised concerns about the encryption used by the service. Let’s hope that the company learns from these incidents and starts working towards making its service a lot more secure.
