Yesterday we told you about a security flaw in the way that popular apps like Facebook and Dropbox were handling their profile tokens on mobile devices running Android and iOS. Now, Dropbox has replied with a statement, saying that the Android version of the app does not suffer from the vulnerability and that it will update its iOS app to fix it.
Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.
Security researcher Gareth Wright revealed the discovery of a flaw in the Facebook app for iOS. The simple ‘hack’ allows a user to copy a plain text file off of the device and onto another one. This effectively gives another user access to your account, profile and all on that iOS device.
We then subsequently tested the method on Dropbox and discovered that app was also vulnerable to this kind of attack. If a program was running on a public computer, or if someone had modified a public charging station to siphon off the plain-text .plist file, they could theoretically gain access to that information, whether you’re jailbroken or not.
Your phone doesn’t need to be stolen if a malicious app was installed on a public system. Wright even made such an app as a proof-of-concept, gathering over 1,000 .plist files in a week before contacting Facebook about the problem. Facebook has said that it will fix the problem in an update, and now Dropbox is taking action.
Hopefully bringing this matter to light will encourage other companies who use profile keys this way to rethink their methods. Plain text files should never be used to store this kind of information, no matter how slim the chance that someone may be able to gain enough access to the device to copy the file off. It’s a relatively simple and safe procedure to encrypt those files.