DroppedIn Vuln Links Victims' Androids To Attackers' DropBoxes

Researchers at IBM X-Force have discovered a vulnerability in the DropBox software development kit (SDK) for Android that allows attackers to connect a victim's Android apps to an attacker's own DropBox account. The "DroppedIn" vulnerability affects any Android app developed with the DropBox SDK versions 1.5.4 through 1.6.1.

The flaw is in the implementation of the authentication mechanism used to give the app access to DropBox. It's supposed to work like this: while the user is providing their username-password combo to log in, the SDK is generating a large random number (a cryptographic nonce) to authenticate the device to DropBox. The trouble is, the proof-of-concept exploit the researchers have created "lets attackers insert an arbitrary access token into the SDK, completely bypassing the nonce protection," as they explain.

A victim could either be tricked into downloading a malicious app or infected via drive-by download. Either way, once the device is infected, the attacker has an open path from the victim's Droid to the attacker's DropBox -- through which the attacker could steal sensitive personal data and files from the device. This access would also go in the opposite direction -- the attacker could push out their own DropBox files, including malware.

To clarify, this exploit would not be a problem for the DropBox documents a user adds from their desktop machine, just files and data residing on their Android device. 

Fortunately, DropBox has already released a patch -- just four days after they learned of the vulnerability. Plus, if the DropBox app is installed on the user's Android device, then the SDK vulnerability cannot be exploited anyway. 

The trouble, of course, is that average users who don't use the DropBox app might assume they're not vulnerable. According to IBM X-Force, 1.4 percent of the top 500 Android apps use the DropBox SDK, including Microsoft Office Mobile and Agile Bits 1Password. 

Mobile malware is a growing problem, especially for Android. In a separate report released this week, Veracode found that the average global enterprise has approximately 2,400 unsafe applications in its mobile environment.

Of the unsafe apps Veracode studied, 85 percent expose sensitive device data, 35 percent obtain or share personal information about the user, and 37 perform suspicious security actions, such as "checking to see if the device is rooted or jailbroken, allowing applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords."

“On average, 3 percent of apps on employee devices are malicious," says Veracode vice-president of mobile Theodora Titonis. She is a bit surprised to find that 35 percent of apps were sharing personal information of the user. “That number is increasing.”