Dropbox is a hugely popular service. Back in March, it claimed to have 500 million registered users around the world, that’s half a billion, or half the number of iPhones sold worldwide. Even for those with ready access to other cloud storage, it is the most commonly-preferred means of sending documents and other files, other than by email.
Like so many of the best products, Dropbox just gets on with the job quietly and without making a fuss. It supports strong encryption, and does all the right things as far as security and privacy are concerned.
Then last month, more than ten percent of its users – in fact 68 million in all – from back in 2012 had their Dropbox credentials made available to others, following their theft in 2012. Thankfully their passwords are protected (hashed and salted, so almost impossible to crack), and the theft appears to have been by an employee rather than an external hacker. Whether Dropbox’s original response was sufficient at that time is another issue.
Even more seriously, Phil Stokes at applehelpwriter.com has carried out research into how Dropbox works on OS X, and raised concerns in his first and second articles providing full details. Since then, Dropbox has responded with its side of the story.
The issues raised over Dropbox software centre on Accessibility features, which Apple primarily provides in OS X to support enhancements to give control over Macs to alternative systems, such as those offered in the Accessibility pane. If you look at the list of those apps which you have apparently given permission “to control your computer”, by opening the Security & Privacy pane, selecting the Privacy tab, and then the Accessibility item on the left, you’ll probably be surprised to see apps listed – to which you have handed control – to which you don’t recall giving such powers.
Normally, when you install an app which requests Accessibility features like these, it displays a dialog in which it asks for your permission to use “accessibility features”. Now you may vaguely remember doing so, among the many other things that happened during their installation.
But you won’t remember Dropbox asking this question, however happily you might have agreed to it, because it obtains rights of control without asking explicitly for them, as OS X requires it to. The consequence of this is that, once installed, you cannot rescind its control. If you try to do so in the Security & Privacy pane, by selecting the Dropbox item and clicking on the – button below, it will add itself back to the list without asking your permission to do so.
As Phil Stokes has discovered, Dropbox does this by hacking its way into the internal database which contains information about which apps are permitted to use Accessibility features. Instead of being open and telling you what it is up to, Dropbox obtains your approval by deception, telling you during installation “Please enter your computer password for Dropbox to work properly. Type your password to allow this.”
Dropbox’s official account as to why this is necessary claims that its dialog “is used to give Dropbox additional permissions to your computer, which enables certain Dropbox features, including: better-quality syncing”, “automatic app updates”, and “other user-interface (UI) interactions”.
In fact, this has nothing to do with “permissions”, as the term is used by everyone else, at least. The Accessibility features which Dropbox acquires by deception are not about accessing files using permissions, but everything about controlling your Mac, its user interface, and other apps running on it. And once it has gained access to them through the deceptive dialog, it does everything it can to avoid losing that control.
That said, there is no evidence that Dropbox does anything malicious, nor could it be readily subverted by normal malware to do so. The Dropbox app is not malware, nor does it behave as such.
If you use Dropbox, you should instead be asking yourself why its developers should find it necessary to exploit an arcane hack around OS X in order to obtain control over your Mac, rather than being upfront, doing what every other app does, asking explicitly for your permission to do so, and giving you control through OS X’s official support, the Security & Privacy pane.
Conspiracy theorists could have a field day with this; it might be that law enforcement and security agencies have requested Dropbox’s support to use this in order to gain access to Macs, given the power of the features which it opens up. As Condoleezza Rice (who before becoming US Secretary of State was George W Bush’s National Security Advisor) is a member of the Board of Directors of Dropbox, it is also interesting to look at how Dropbox responds to requests for data in its Transparency Report.
It would have been interesting to know whether the UK Home Secretary uses the new powers they will soon be given in the IP Bill to try to take advantage of the Dropbox app’s features – but all such requests would inevitably be made under a blanket of complete secrecy, so we’ll never be allowed to know.
Help is at hand, though, if you feel that Dropbox should not be doing such things to your Mac. In less than ten days time, you will be able to upgrade to macOS Sierra, which puts the database hacked by Dropbox within the protection of SIP, so that no app can perpetrate this sort of interface abuse. It will be interesting to see how Dropbox responds.