Saturday, August 20, 2011

Dropbox for Android security bypass vulnerability

A security issue has been reported in Dropbox for Android, which can be exploited by malicious people to bypass certain security restrictions, according to Tyrone Erasmus of MWR InfoSecurity.


Android applications can communicate with each other through the exporting of program features, also known as IPC endpoints. This is defined in the AndroidManifest.xml file which is part of all installable application packages.

Any feature of an Android application can be exported, meaning that other applications can access these features and interact with the application across the sandbox. In some cases this can pose a security risk to the application exporting its features.

The issue with the Dropbox application is that the exported content provider can be leveraged by a malicious application to upload a file from the device to the linked Dropbox account without interaction from the user. It is also possible to upload the Dropbox settings and content databases using this same technique.

The settings database includes the email address, access secret and access key that could be used to access the user's Dropbox account. These files are stored in the application's data storage area which should not be accessible to any other application on the device.

However, because Dropbox is being leveraged to upload these files, that restriction is bypassed. These sensitive files can be placed in the user's Public directory, which allows them to be downloaded by anyone over the internet that has a link to these individual files.

It could also be possible for an attacker to iterate through Dropbox accounts looking for these sensitive files which have been compromised.

Workaround: Uninstall the application or update to the latest version of the Dropbox application from the Android Market.

Solution: The vulnerability was fixed in version 1.1.4.

No comments:

Post a Comment