
DroppedIn: It's bad because it's in the SDK

A serious weakness in the Dropbox SDK for Android has been uncovered by IBM's X-Force Application Security Research Team. It is not malware in its own right, but a security hole in the Dropbox SDK, the Software Development Kit that other legitimate developers use to write apps that talk to Dropbox. In other words, the hole is carried through into every app built on it, and that means some big names, including Microsoft Office Mobile, have been affected.

Dropbox has announced that it has already fixed the weakness, but of course this means every developer who shipped with the vulnerable SDK must rebuild their app against the fixed version, upload it, and urge their users to upgrade. Dropbox did stress that merely bundling the vulnerable SDK was not sufficient for an app to be exposed: the developer also had to use its OAuth/Sync functions.

Users' private files are uploaded to the attacker's Dropbox

Whilst the vulnerability is serious, even at its worst it cannot give an attacker access to the victim's full Dropbox account. Only data the affected app itself uploads is at risk, because that data can be redirected to a different Dropbox account, such as the attacker's.

IBM has released a video showing how the exploit works.

Dropbox has advised users of an immediate workaround: install the official Dropbox app itself, which then takes over the functions that third-party apps built from the affected SDK would otherwise perform themselves. This closes the security hole; after that, the updated versions of the affected apps should be installed as they become available.

Dropbox has advised developers that the affected versions of the SDK are 1.5.4 through 1.6.1 inclusive. Versions 1.6.2 and later are fixed.
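A developer or security team with several Android projects will want to check which builds bundle an SDK in that range. The script below is an added example, not code from Dropbox or IBM: it walks a list of library paths, picks out Dropbox SDK jars, and flags the ones in the affected range. The jar naming pattern `dropbox-android-sdk-<version>.jar` and the sample paths are assumptions constructed for the example; the version range itself is the one Dropbox published.

```python
import re
from typing import Iterable, List, Tuple

# Affected range per Dropbox's advisory: 1.5.4 through 1.6.1 inclusive, fixed in 1.6.2.
FIRST_AFFECTED = (1, 5, 4)
FIRST_FIXED = (1, 6, 2)

# Assumed jar naming convention (e.g. dropbox-android-sdk-1.6.1.jar); adjust to
# however your projects actually vendor the SDK. This is an assumption, not from the page.
JAR_RE = re.compile(r"^dropbox-android-sdk-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.1' into (1, 6, 1) so comparison is numeric.

    Comparing version strings lexically is a classic mistake: '1.6.10' < '1.6.2'
    as strings, which would mark a newer, fixed build as vulnerable.
    """
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True if the SDK version lies in [1.5.4, 1.6.2)."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def scan_jar_paths(paths: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (path, version, affected) for every Dropbox SDK jar in the inventory."""
    findings = []
    for path in paths:
        filename = path.replace("\\", "/").rsplit("/", 1)[-1]
        match = JAR_RE.match(filename)
        if match:
            version = match.group(1)
            findings.append((path, version, is_affected(version)))
    return findings


def affected_paths(paths: Iterable[str]) -> List[str]:
    """Just the paths that need a rebuild against 1.6.2 or later."""
    return [path for path, _, affected in scan_jar_paths(paths) if affected]


# Constructed sample inventory: what a listing of libs/ across several apps might contain.
SAMPLE_PATHS = [
    "apps/notes/libs/dropbox-android-sdk-1.6.1.jar",    # last affected version
    "apps/photos/libs/dropbox-android-sdk-1.5.3.jar",   # predates the affected range
    "apps/office/libs/dropbox-android-sdk-1.6.2.jar",   # first fixed version
    "apps/backup/libs/dropbox-android-sdk-1.6.10.jar",  # hypothetical later version
    "apps/notes/libs/okhttp-2.2.0.jar",                 # unrelated library, ignored
]

if __name__ == "__main__":
    for path, version, affected in scan_jar_paths(SAMPLE_PATHS):
        status = "AFFECTED - rebuild against 1.6.2+" if affected else "ok"
        print(f"{path}: SDK {version}: {status}")
```

A hit only means the app is a candidate. As Dropbox noted, the app is exposed only if it actually calls the SDK's OAuth/Sync functions, so each flagged build still needs a look at how it uses the SDK before you decide on urgency; treating every flagged jar as a must-rebuild is the safe default.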

Here's the official announcement from Dropbox: Developer blog