Security bug resolved in the Dropbox SDKs for Android

A few months ago, we patched a minor security vulnerability in our Android Core and Sync/Datastore SDKs. While most popular apps have already updated their Android SDKs, we’d like to ask all our Android developers to update their apps to use Core API Android SDK v1.6.3 or Sync/Datastore Android SDK v3.1.2.
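The advisory's only remediation is a version floor, so the practical check is whether each app's declared SDK version is at or above the fixed release. The script below is an added example, not Dropbox's code: it compares dotted version strings numerically (a plain string compare would wrongly treat "1.6.10" as older than "1.6.3") against the two minimums named above. The dependency manifest is constructed for the example, and the SDK labels are the advisory's own names rather than real artifact coordinates.

```python
"""Audit declared Dropbox Android SDK versions against the fixed releases
named in the advisory: Core API Android SDK v1.6.3 and Sync/Datastore
Android SDK v3.1.2. Example code, not part of the advisory."""
import re

# Minimum fixed versions, taken from the advisory text.
MIN_FIXED = {
    "Core API Android SDK": "1.6.3",
    "Sync/Datastore Android SDK": "3.1.2",
}


def parse_version(text):
    """Turn 'v1.6.10' into (1, 6, 10) so comparison is numeric, not lexical."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(sdk, version):
    """True if `version` of `sdk` is at or above the advisory's fixed version."""
    if sdk not in MIN_FIXED:
        raise KeyError(f"not an SDK covered by this advisory: {sdk}")
    have = parse_version(version)
    need = parse_version(MIN_FIXED[sdk])
    # Pad the shorter tuple so '1.6' compares as (1, 6, 0) against (1, 6, 3).
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def audit(manifest):
    """Return {app: [(sdk, version), ...]} listing only dependencies that
    are still below the fixed version; apps with nothing outdated are omitted."""
    outdated = {}
    for app, deps in manifest.items():
        stale = [(sdk, ver) for sdk, ver in deps if not is_fixed(sdk, ver)]
        if stale:
            outdated[app] = stale
    return outdated


# Constructed manifest: app name -> list of (SDK label, declared version).
CONSTRUCTED_MANIFEST = {
    "photo-backup": [("Core API Android SDK", "v1.6.1")],          # below 1.6.3
    "notes-sync": [("Sync/Datastore Android SDK", "3.1.2")],        # exactly fixed
    "doc-scanner": [("Core API Android SDK", "1.6.10")],            # fixed; lexical compare would flag it
    "two-sdk-app": [("Core API Android SDK", "1.6.3"),
                    ("Sync/Datastore Android SDK", "3.0.9")],       # second dependency is stale
}

if __name__ == "__main__":
    for app, stale in audit(CONSTRUCTED_MANIFEST).items():
        for sdk, ver in stale:
            print(f"{app}: {sdk} {ver} is below fixed version {MIN_FIXED[sdk]}")
```

Run against the constructed manifest, only photo-backup and two-sdk-app are reported; doc-scanner passes because 1.6.10 is compared as (1, 6, 10), not as the string "1.6.10".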

For users to be affected by this vulnerability, they would’ve needed to:

  • Use an affected app on an Android device
  • Not have the Dropbox for Android app installed, and
  • Visit, in their Android web browser, a specially crafted malicious page targeting that app, or have a malicious app installed on their phone

An attacker could then link their own Dropbox account to a vulnerable third-party app on the victim's device. Any new data the user subsequently saved to Dropbox through that app would then be captured by the attacker.

Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit. This vulnerability couldn’t give attackers access to any existing files in a user’s account, and users with the Dropbox app installed on their devices were never vulnerable. There are no reports or evidence to indicate the vulnerability was ever used to access user data.

We want to thank Roee Hay and Or Peles at IBM for discovering and responsibly disclosing this vulnerability. We take user security and privacy very seriously, and we continue to work closely with security researchers to keep our users safe.

If you have any questions or concerns, please don't hesitate to reach out.