
Dropbox Android SDK Flaw Exposes Mobile Users to Attack: IBM

IBM researchers discovered a flaw in Dropbox’s Android SDK which can leave mobile users vulnerable to attack.

The issue was not in the Dropbox service or the mobile app itself, but in the company’s SDK, which third-party developers include so that users can easily connect to their Dropbox files, Michael Montecillo, director of security intelligence at IBM Security, told SecurityWeek.

The vulnerability (CVE-2014-8889) was present in SDK versions 1.5.4 through 1.5.1.

The vulnerability, dubbed DroppedIn by IBM researchers, would allow an attacker to connect mobile apps using the SDK to a Dropbox account under the attacker’s control, IBM Security researcher Roee Hay wrote in an overview on the Security Intelligence blog. In this way, attackers could easily transfer out data harvested from the mobile device. “This may allow the attacker to steal sensitive information and inject malicious data into apps,” Hay said.

Dropbox updated its Android Core and Sync/Datastore SDKs four days after researchers reported the vulnerability. Even after the flaw was patched, IBM and Dropbox delayed publicizing the vulnerability in order to give other app developers time to update their apps.

IBM researchers found that 41 of the top 500 applications on Google Play used the broken Dropbox Android SDK, including Microsoft Mobile Office, 1Password, and several productivity and photo editing/sharing tools, said Montecillo. Microsoft and AgileBits, the company behind 1Password, have already updated their apps to use the latest SDK, Hay said.

Dropbox claimed that despite the seriousness of the issue, the scope was very limited.

“There are no reports or evidence to indicate the vulnerability was ever used to access user data,” Dropbox’s Devdatta Akhawe wrote in a blog post. “Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit.”

Just three-quarters of the apps using the broken SDK were actually vulnerable to DroppedIn. For the attack to work, the user has to have an affected app installed and must not have the Dropbox app installed. The last condition is critical because the issue lay in how the SDK used the OAuth protocol to link apps to user accounts.

The attacker then has to trick the user into visiting a malicious website in the Android browser or into installing a malicious application. If successful, the attacker could have information collected by the app saved to a Dropbox account without the victim ever knowing.
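The article says only that the flaw lay in how the SDK used OAuth to link an app to an account, and that the outcome was the app being connected to an account the attacker controls. The standard defence in any such linking flow is that the app accepts a returned credential only for a linking attempt it started itself, bound by an unguessable nonce that is checked on the way back and used once. The following is an added example of that defensive pattern; it is not Dropbox SDK code, and the class, method and field names (`AccountLinker`, `start_link`, `finish_link`, `nonce`, `access_token`) and the in-memory pending-request store are assumptions made for illustration.

```python
"""Defensive pattern for an app-to-cloud-account linking flow.

Added example, not Dropbox's code. The handshake fields, the class and
method names, and the in-memory store of pending requests are all
constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AccountLinker:
    """App-side handler that only accepts a credential for a flow it started."""

    # nonce -> True while the linking attempt with that nonce is outstanding
    pending: Dict[str, bool] = field(default_factory=dict)
    linked_token: Optional[str] = None

    def start_link(self) -> str:
        """Begin a linking attempt and return the nonce to send with the request."""
        nonce = secrets.token_urlsafe(32)  # unguessable by any other app or page
        self.pending[nonce] = True
        return nonce

    def finish_link(self, callback: dict) -> bool:
        """Accept the callback only if it carries a nonce this app issued.

        A callback arriving from a web page or another app that did not
        originate from start_link() has no matching nonce and is dropped,
        so an account chosen by someone else cannot be linked to this app.
        """
        nonce = callback.get("nonce", "")
        token = callback.get("access_token", "")
        if not token or nonce not in self.pending:
            return False
        del self.pending[nonce]  # single use: a replayed callback is rejected too
        self.linked_token = token
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Run three constructed callbacks through the linker.

    Returns (forged rejected, legitimate accepted, replay rejected).
    """
    linker = AccountLinker()

    # Constructed: a callback injected without any flow having been started.
    forged = linker.finish_link({"nonce": "chosen-elsewhere",
                                 "access_token": "token-for-someone-elses-account"})

    # Constructed: the genuine round trip for a flow this app started.
    nonce = linker.start_link()
    legitimate = linker.finish_link({"nonce": nonce, "access_token": "users-own-token"})

    # Constructed: the same callback delivered a second time.
    replay = linker.finish_link({"nonce": nonce, "access_token": "users-own-token"})

    return forged, legitimate, replay


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The check is deliberately the whole story: a linking callback with no nonce the app issued, or with a nonce already consumed, is discarded before any token is stored, which is the property a linking flow needs regardless of how the callback reaches the app.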

This vulnerability did not give attackers access to any existing files previously saved in a user’s account. As stated above, users with the Dropbox app installed on their devices were never vulnerable. Nor is it a vulnerability through which the attacker could download malware directly onto the device, Hay told SecurityWeek. “It’s very unlikely that it will just execute that data,” said Hay.

Most Android threats come from apps found on third-party app stores and not vetted by Google Play, but DroppedIn shows how even legitimate apps can be vulnerable if a component used by the developer has a flaw. Developers are strongly encouraged to update their apps in order to ensure the issue is fully resolved. Additionally, users should always ensure they are running updated versions of apps installed on their mobile devices.
