IBM: DroppedIn: Remotely Exploitable Vulnerability in the Dropbox SDK for Android

ATN-300InsightaaS: Research shows that cloud is the most important issue on the IT agenda for 2015, followed closely by mobility; and it also shows that storage is a key workload in the cloud. It makes sense, then, that cloud as a mobile storage platform is central to both corporate infrastructure and to mobile apps, and that security teams will need to allocate attention to protecting data that is deposited on the cloud via mobile devices.

This security exercise became both more urgent and more complex with IBM's discovery of a vulnerability - "DroppedIn" - in the Dropbox SDK for Android. This doesn't necessarily users who rely on Dropbox directly; instead, it hits at users who use Dropbox via apps that embed Dropbox for cloud storage. This is not a trivial issue: today's featured post quotes AppBrain as saying that .31% of all Android apps, and 1.4% of the top 500 apps (including Microsoft Office Mobile), use the Dropbox SDK. It should be noted that the vulnerability isn't present in all apps using the Dropbox SDK: it applies to apps "using a Dropbox SDK Version 1.5.4 through 1.6.1," but the vulnerability was resolved in Dropbox SDK for Android v1.6.2. However, it is widespread. IBM tested 41 apps, and found that 31 (76%) use a vulnerable version of the SDK.

There are hardened versions of Dropbox available for corporate users (InsightaaS wrote about one, Dell's Data Protection and Encryption – Cloud Edition, last year), but this kind of app-based vulnerability makes the threat more diffuse and more problematic to isolate and address. Vendors like Microsoft are issuing updates to resolve the issue, but app vendor responses are likely to be uneven in both timing and quality. In the short term, it's important for corporate security teams and VARs serving SMB clients to evaluate mobile apps that are connected to corporate systems and diffuse potential problems.

The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim’s knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app using a Dropbox SDK Version 1.5.4 through 1.6.1 (note: this vulnerability was resolved in Dropbox SDK for Android v1.6.2). The vulnerability can be exploited in two ways, using a malicious app installed on the user’s device or remotely using drive-by techniques. It cannot, however, be exploited if the Dropbox app is installed on the device (it does not even need to be configured, just installed).

Upon discovery of the vulnerability, the IBM team privately disclosed the issue to Dropbox. The response from Dropbox to this security threat was particularly noteworthy as they acknowledged receipt of the disclosure within a mere six minutes, confirmed the vulnerability within 24 hours, and released a patch within just four days. This undoubtedly shows the company’s commitment to security, this was one of the fastest response times the IBM Security team has seen in its long history of vulnerability research.

With a patch solution available, it is highly recommended that developers update their Dropbox SDK library. Additionally, end users (device owners) must update their apps that rely on the SDK and are also encouraged to install the Dropbox app, which makes it impossible to exploit the vulnerability; this is because the vulnerable SDK code is not invoked when the local Dropbox app is installed.

The following blog post gives a high-level overview of the vulnerability leveraging a proof-of-concept exploit the IBM X-Force team developed. The full details of CVE-2014-8889 and the DroppedIn exploit are available via this white paper.


It is no secret that the world is now storing private personal and business data in the cloud. In order to access this data, providers such as photo-sharing services or general-purpose storage services, are expected to be accessible not only by the user, but also by apps that leverage that data to enhance the user experience. In an effort to ease the development lifecycle and encourage an ecosystem of reliant solutions, cloud services often provide a framework, or rather a Software Development Kit (SDK) that apps can utilize. The Dropbox SDK for Android is such a framework, providing Android apps with a simple way to interface with Dropbox.

These frameworks can be very appealing for app developers since they provide a simple client-side Application Programming Interface (API). From a security perspective, however, the frameworks themselves provide an extremely attractive attack surface since the vulnerability of the framework could potentially affect numerous applications that use it...

Read the entire post on the IBM Security Intelligence website: Link