Dropbox announced yesterday that it has fixed a security flaw, discovered by the IBM X-Force research team, which could potentially be used together with compromised third-party apps to access data saved on Android devices.
A blog on the company website states that no data already stored on Dropbox was ever vulnerable nor is there any evidence that the vulnerability was ever used to access user data.
IBM notified Dropbox last December of a flaw in the SDK that Dropbox provides to third-party app makers building on its Android app. The vulnerability, dubbed DroppedIn by IBM's researchers, is detailed in their blog post. An attacker could potentially link an application on a mobile device that relies on the SDK to a Dropbox account under the attacker's control, so that files could be downloaded from the victim's vulnerable app into the attacker's Dropbox account, or pushed from that account into the app.
IBM informed SCMagazineUK.com via email that: "The biggest app that uses the Dropbox SDK is Microsoft Office Mobile which has been downloaded more than 10 million times. Additionally, password manager AgileBits 1Password (100,000 downloads) and many productivity and photo editing / sharing tools use the SDK."
Dropbox has updated its Android SDK, and vendors including Microsoft and AgileBits have also updated their apps with the new SDK. Dropbox and IBM Security are encouraging app developers to update all applications that use the SDK. To be secure, end users also need to install the updated apps on their mobile devices. Dropbox confirms that it fixed the vulnerability and is now reminding any developers still on the old version that they should update. Android app developers are asked to update to core API Android SDK v1.6.3 or Sync/Datastore Android SDK v3.1.2.
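The remediation above comes down to a dependency check: any Android project bundling a Dropbox SDK older than the two fixed versions named in the article still ships the flaw. The following script is an added example, not code from Dropbox, IBM or the article, that audits Gradle dependency lines for the Dropbox SDK and flags versions below those minimums. The jar file-name patterns (`dropbox-android-sdk-<ver>.jar`, `dropbox-sync-sdk-android-<ver>.jar`) are assumptions made for illustration, not Dropbox's published artifact names, and the sample `build.gradle` lines are constructed.

```python
import re

# The two minimum fixed versions are the ones named in the article.
FIXED_VERSIONS = {
    "core": (1, 6, 3),   # Dropbox core API Android SDK v1.6.3
    "sync": (3, 1, 2),   # Dropbox Sync/Datastore Android SDK v3.1.2
}

# ASSUMPTION: jar naming used here is illustrative, not Dropbox's actual artifact names.
PATTERNS = {
    "core": re.compile(r"dropbox-android-sdk-(\d+(?:\.\d+)*)"),
    "sync": re.compile(r"dropbox-sync-sdk-android-(\d+(?:\.\d+)*)"),
}


def parse_version(text):
    """Turn '1.6.3' into (1, 6, 3) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def audit_dependencies(lines):
    """Return (line, sdk_kind, version, status) for every Dropbox SDK reference found.

    status is 'ok' when the version is at or above the fixed release and
    'VULNERABLE' otherwise. Lines that reference no Dropbox SDK are skipped.
    """
    findings = []
    for line in lines:
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            version = parse_version(match.group(1))
            status = "ok" if version >= FIXED_VERSIONS[kind] else "VULNERABLE"
            findings.append((line.strip(), kind, match.group(1), status))
    return findings


# Constructed sample build.gradle fragment: two stale SDKs, one patched, one unrelated.
SAMPLE_GRADLE = [
    "dependencies {",
    "    compile files('libs/dropbox-android-sdk-1.6.1.jar')",
    "    compile files('libs/dropbox-android-sdk-1.6.3.jar')",
    "    compile files('libs/dropbox-sync-sdk-android-3.0.2.jar')",
    "    compile 'com.android.support:appcompat-v7:22.0.0'",
    "}",
]

if __name__ == "__main__":
    for line, kind, version, status in audit_dependencies(SAMPLE_GRADLE):
        print(f"{status:10} {kind} SDK {version}: {line}")
```

Run against a real project by reading its `build.gradle` (or listing `libs/`) into `lines`; tuple comparison also handles shorter versions such as `1.6`, which correctly sorts below `1.6.3`.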