IBM researchers discovered a flaw in Dropbox’s Android SDK which can leave mobile users vulnerable to attack.
The issue was not in the Dropbox service or the mobile app itself, but rather in the company’s SDK that third-party developers include to let users easily connect to their Dropbox files, Michael Montecillo, director of security intelligence at IBM Security, told SecurityWeek.
The vulnerability (CVE-2014-8889) was present in SDK versions 1.5.4 through 1.5.1.
The vulnerability, dubbed DroppedIn by IBM researchers, would allow an attacker to link a mobile app that uses the SDK to a Dropbox account under the attacker's control, IBM Security researcher Roee Hay wrote in an overview on the Security Intelligence blog. Any data the app then saved to Dropbox would be transferred off the device straight into the attacker's account. “This may allow the attacker to steal sensitive information and inject malicious data into apps,” Hay said.
Dropbox updated its Android Core and Sync/Datastore SDKs four days after researchers reported the vulnerability. Even after the flaw was patched, IBM and Dropbox delayed publicizing the vulnerability in order to give other app developers time to update their apps.
IBM researchers found that 41 of the top 500 applications on Google Play used the broken Dropbox Android SDK, including Microsoft Mobile Office, 1Password, and several productivity and photo editing/sharing tools, said Montecillo. Microsoft and AgileBits, the company behind 1Password, have already updated their apps to use the latest SDK, Hay said.
Dropbox claimed that despite the seriousness of the issue, the scope was very limited.
“There are no reports or evidence to indicate the vulnerability was ever used to access user data,” Dropbox’s Devdatta Akhawe wrote in a blog post. “Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all or required additional factors to exploit.”
Just three-quarters of the apps using the broken SDK were actually vulnerable to DroppedIn. For the attack to work, the user has to have an affected app installed and must not have the official Dropbox app installed. The second condition is critical, because the flaw lay in how the SDK used the OAuth protocol to link apps to user accounts when the official app was not available to handle the linking.
The attacker must then trick the user into visiting a malicious website in the Android browser or installing a malicious application. If that succeeds, the attacker could have information collected by the affected app saved to a Dropbox account of their choosing, without the victim ever knowing.
The vulnerability did not give attackers access to files already stored in a user’s account. As noted above, users with the Dropbox app installed on their devices were never vulnerable. Nor could an attacker use it to download malware directly onto the device, Hay told SecurityWeek. “It’s very unlikely that it will just execute that data,” said Hay.
Most Android threats come from apps found on third-party app stores and not vetted by Google Play, but DroppedIn shows how even legitimate apps can be vulnerable when a component the developer depends on has a flaw. Developers are strongly encouraged to rebuild their apps against the patched SDK to ensure the issue is fully resolved. Users, in turn, should make sure they are running updated versions of the apps installed on their mobile devices.