Hacker News new | past | comments | ask | show | jobs | submit login

Hi HN — Ben from Dropbox here on the desktop client team. Wanted to clarify a few things —

- Clearly we need to do a better job communicating about Dropbox’s OS integration. We ask for permissions once but don’t describe what we’re doing or why. We’ll fix that.

- We only ask for privileges we actively use -- but unfortunately some of the permissions aren’t as granular as we would like.

- We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions).

- We use elevated access for where the built-in FS APIs come up short. We've been working with Apple to eliminate this dependency and we should have what we need soon.

- We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

- We check and set privileges on startup — the intent was to make sure Dropbox is functioning properly, works across OS updates, etc. The intent was never to frustrate people or override their choices.

We’re all jumping on this. We’ll do a better job here and we’re sorry for any anger, frustration or confusion we’ve caused.

> - We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

To clarify for others: In /Library/DropboxHelperTools, you'll find a folder for each user full of setuid tools which run as root and do various privileged things. I assume that the client is presenting the normal OS X "ask for elevated access" UI and then using that elevated access to configure and install these. (I don't work for Dropbox or anything; I've just been poking around.)

> - We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions).

@newhouseb, I don't have Office, so I've turned off the badge. Is Dropbox now going to leave my accessibility permissions the way I set them? Or is it going to reactivate a permission behind my back that it no longer even needs?

I understand the desire to make your features "just work", but circumventing the user's privacy controls to do that is never acceptable. Especially accessibility, which is basically a general warrant to snoop on everything the user does. You wouldn't be on my system anymore if my work didn't require Dropbox. You're going to lose a lot of trust over this, and it won't even be half of what you deserve.

And it's not even in your interest in the long term. This fiasco has probably made it more likely that Apple will further lock down the accessibility APIs, possibly even making them unavailable without an Apple-issued, potentially App Store-only entitlement. Since Dropbox can't really do its job when it's locked in a sandbox, I really don't think that's what you guys want to happen.

Teams like yours are why we can't have nice things.

(P.S. plz respect NSFileCoordinator this isn't Tiger anymore kthxbai)

> @newhouseb, I don't have Office, so I've turned off the badge. Is Dropbox now going to leave my accessibility permissions the way I set them? Or is it going to reactivate a permission behind my back that it no longer even needs?

Yep, we’re going to fix this so that if you uncheck it, we leave it unchecked.

> This fiasco has probably made it more likely that Apple will further lock down the accessibility APIs, possibly even making them unavailable without an Apple-issued, potentially App Store-only entitlement.

As alluded to elsewhere in this thread, this is already happening in macOS 10.12. We’ll be switching to the same approach that Steam (among others) do to request accessibility.

Honestly, after the last year and a half, anything that wants root access, that is not open source, is out. Now, being open source does not make that automatically safe but it is a step in the right direction. Dropbox, MS Office, etc, are closed source tools that puts too much at stake.

Granted my team is small, but we just uninstalled dropbox today. Going to use the web interface and look for another solution in the meantime.

I'd love to hear what you find. My research has shown that Dropbox is mostly the only sync service supported in mobile apps. iCloud is next. After that it's very rare to see any other integration.

I'd love to see Box or someone else encourage popular apps to support their sync platforms, but I doubt it will happen. I blame Apple for not supporting easy 3rd party integrations.

I have no idea what Dropbox actually is or does (I'm FOSS-only, at home and at work), I've only heard of it, so I may be way off the mark.

With that said, on the assumption that it is a way to exchange files between computers and/or share with other users, it would seem to be the case that ownCloud (nextCloud) fits the bill. You can host it yourself (as I do) or use a third party to host it for you. I have been using it for a number of years and I'm entirely happy with it.

Also, depending on your use scenario, another possible option may be https://www.stackfield.com/ a German end-to-end encrypted storage company. I believe there are others offering similar services.

Seafile (https://www.seafile.com) and ownCloud (https://owncloud.org) both are open source and have mobile apps. Worth checking!

for synching between devices I use BT-Sync, now Sync.. closed source but reliable as a background daemon not needing intervention

box.com as well. We have free accounts, hipaa/gov grade encryption and security, and lots of collaboration options. :)

Have you tried StorageMadeEasy.com ? Connects to dropbox and other clouds too.

But it isn't open source.

I switched from Dropbox to Mega a few years ago and they now have mobile apps, sync clients for multiple operating systems and decent browser extensions in addition to a more generous storage allowance. There is also the added benefit of encryption. So far I remain impressed with their service.

I switched from Dropbox to Mega


FWIW Kim Dotcom, the founder of Mega, has distanced himself from it, saying the company had "suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud"[1]

So yeah, don't trust Dropbox. Instead trust some shady Chinese characters. Can you name one of them? In comparison, note that Ben Newhouse, a Dropbox employee, is actually posting in this discussion.

There is also the added benefit of encryption

Without full source code to said encryption, all you have to go on is "trust us".

Forced to choose between the two, I know who I'd trust, and it wouldn't be Mega. YMMV.

[1] https://en.wikipedia.org/wiki/Mega_(service)

Luckily, there's third party clients that are open source for Mega.

And they're actually usable.

> Instead trust some shady Chinese characters.

What does Chinese have to do with this?

Mac OS X is a mostly closed source operating system so I don't understand why you are drawing the line with third parties.

Apple has shown itself to be trustworthy.

Dropbox has done the opposite.

I suspect many would like to run something more open than OS X/macOS, but because of the alternatives, it's just not viable for business purposes not to, according to what their needs are. I know that is the situation for me.

Try SyncThing. It's cross-platform (written in Go), fast and secure (BitTorrent Sync style, but open-source).

I use it, but there's no iOS solution so I can't use it for a number of things.

BT-Sync is the original of syncthing with iOS-support but considered bad because its closed source and comercial

I like it though

I don't use BT Sync because if I'm on my local university network they block BitTorrent. It's not a big deal since I've graduated, but I still go there and use the library and meet with people so it would be inconvenient.

I should say, Ben, thank you for coming out in public and sharing your team's perspective. Your users are angry—and I think rightly so—but it does help that we are being told why it was done, that it was merely poor judgement rather than deliberate misbehavior, and that you are working to make the Dropbox client a more responsible citizen. Is it as good as not having done it in the first place? No. But it's much better than radio silence.

Wow, it's stunning that an app would install anything suid root.

Admittedly I'm not a Mac guy, but that can't be common practice.

And then the response isn't "we're going to stop endangering our users with this dangerous practice", it's "we're going to stop doing this one particular thing that happened to be called out this time".

> that can't be common practice.

It's not. It's very unusual.

> more likely that Apple will further lock down the accessibility APIs, possibly even making them unavailable without an Apple-issued, potentially App Store-only entitlement.

Please feel free to duplicate my radar! Accessibility and Productivity/Utility app developers would love a Sandbox entitlement.

rdar://13570189 - Sandbox entitlement for Accessibility API to allow apps for the disabled

The Accessibility toolkit has always been off limits to Sandboxed apps, and no entitlement exists. This seems unlikely to change. It's unfortunate, as this keeps many good and useful apps out of the Mac App Store.

Is it worth adding that to OpenRadar?


I don't really see the point of taking a sandbox and then explicitly granting an app inside the privilege to step out of it.

I don't really see the point of banning Accessibility apps that can't be sandboxed but then allowing those same apps to be distributed outside the Mac App Store. Unless you're banning them from macOS entirely, why not allow these potentially "dangerous" apps to operate underneath the additional Reviews and Guidelines of the App Store?

Because an app being on the App Store creates an expectation that cannot be met without the sandbox.

Without the source code and large amounts of resources it is not possible to determine whether an app is malicious or not. The only way would be for Apple to trust that developers actually do what they say they do. The unfortunate reality is that they cannot be trusted. I don't blame Apple for not taking that responsibility. Unfortunately that means the responsibility ends up with the user who cannot make the determination either. Such is life.

Many app stores (even for smartphone) have sandboxes where you can grant additional privileges. Of course the user (who else) has to decide whether they trust the app or not. But I'd be happier trusting a sandboxed Dropbox, especially because it couldn't have hidden its use of Accessibility.

Not from Dropbox but when you remove an app from accessibility permissions OS X will make you manually enable it again.

mikewhy: The article states that it re-adds itself to the list automatically the next time you log in, without asking for permission again. There's no option to keep it permanently disabled.

You could delete all of their suid helper binaries.

Can you also tell us why Dropbox eats lots of CPU cycles anytime there is any filesystem activity?

If I unzip a large archive in /tmp, Dropbox is eating 60% of my CPU.

If I open the new Xcode for the first time (and the system verifies all the signatures) Dropbox is eating 100% of one CPU.

It really seems like the Dropbox client is monitoring the entire filesystem (all FSEvents) instead of just the dropbox syncing folders, and doing it relatively inefficiently at that.

At this point if I'm doing anything filesystem intensive I close Dropbox first.


It started with my laptop running incredibly slow. A bit of digging showed dropbox saturating an entire cpu core despite no recent changes being made to my dropbox folder. What was happening at the time is a lot of disk activity on a folder that Dropbox should know nothing about. I'm not 100% sure but it also seems to me that Dropbox is monitoring all FSEvents on my machine and doing something with them.

I've been a paying Dropbox user for several years, but this has tipped me over the edge. The only way to regain my trust at this point is providing an official explanation of what's going on, with technical details. I'm paying for a service to keep my files safe and sync them across devices, nothing more, nothing less. Now that I got the impression that Dropbox is doing something outside of that envelope, even if that impression is wrong, my money is going to go elsewhere, probably to a competitor.

I feel bad for contributing to the hijacking of this thread, but I simply have to pitch in: please do something about the abysmal performance of Dropbox. We have what are practically supercomputers on our desks, and Dropbox has problems dealing with hundreds or low thousands of files. It is something you need to work on.

As to the original article, I think you have a lot of explaining to do and a lot to clean up. Too much has been swept under the rug.

Just checked this myself on a MacPro. You can see the DropBox process kick in with CPU usage while opening big apps like Photoshop or Xcode. Not a lot on this MacPro (~3%), but it's always in time with an app opening. Oddly there's no corresponding disk access associated with the Dropbox process when looking at it on the Disk tab of Activity Monitor.

Would definitely like an explanation of what's going on here.

Could this be a consequence of the built in FS APIs coming up short, as Ben put it, and forcing DropBox to do things in less efficient ways to work around the limitations?

Doesn't Apple literally have a sync solution on this platform, likely using these same APIs? FSEvents powers a lot of core functionality on macOS so it's surprising to hear it just doesn't meet Dropboxes needs.

It's cool they are moving into the kernel soon anyway, just install their kext...

Is Apple's sync reliable though? There was an episode of MacBreak Weekly last week where both Adam Engst & Andy Ihnatko urged people not to enable the new Sierra sync system, and talked about instances of data loss caused by Apple's various sync features. The segment begins here:


I thought it was common knowledge that Apple's own sync (nevermind the APIs they provide to third parties) was terribly unreliable. Even long-time Mac developers like Panic & Omni developed their own sync services because the Apple ones were so unreliable.

That and what I take to be the iCloud / System Indexing daemon's (like `mdfind`) kill my battery life. The other's reports of poor Dropbox performance baffles me a bit as it never seems to give me issues, but iCloud/Google Drive both have both had big performance penalties on 3 various macs I've tried them on.

That's also my experience - I tried using OneDrive & Bitcasa at various times, and found they used far more battery than Dropbox ever did. I'd consider switching from Dropbox, but the competitors seem inferior to me (and Dropbox has more universal support).

I can't fathom why you think them being a kext is a good thing. I refuse to use anything anymore that needs that, every app that needs that inevitably is a source of something breaking in OS X

Was complete sarcasm

What do they need different from what time machine uses?

Time Machine needs to be able to ask which files changed when it is preparing to backup. Dropbox needs to be notified when a file changes so it can sync.

Have you checked the version of the Dropbox client you're running? The auto-updater broke and silently failed many months ago (n=5 Macs) and I found a number of problems like that one had already been fixed but effectively never shipped.

(Support was prompt but basically “let us know if it happens again”)

I started to see this really happen when backing up. When Arq is doing some work, Dropbox is slamming the CPU. I checked with the Arq team and they said during the time I was monitoring it, there's no way they would be touching the Dropbox folder, so it really did seem like some kind of global intercept was going on and was killing the box. I guess this is as good a way as any to raise this -- Dropbox team, test with Arq!

Same problem. When working with or moving files in folders other than the dropbox folder, I still find the dropbox application taking up large amounts of CPU. Dropbox also, in the last few months, has been messing up my spotlight database and causing mdworker and fontd to use all available cpu.

Then I start getting console messages like this: mds (Error) FMW: WE ARE DROPPING FMW EVENTS!

All disappears after disabling Dropbox (and rebuilding caches and the spotlight database)

Behaviour seen on multiple macs I own.

I uninstalled the desktop client because of this exact issue. I just drag/drop via the web interface now. Might not work for some people, but it suits me fine.

Just uninstalled too. I was only using it for syncing 1password data and this pushed me to just switch to a 1pass account

1password has had iCloud syncing for a while now, and in my experience, it's been very reliable.

If you think they are so nefarious a company, why do you trust them with your files?

Didn't say they were nefarious—just that their software hogs resources at times when it has no business doing so (i.e., when I'm not reading from or writing to my Dropbox folder).

As important as this question is for usability, it seems off the original post's topic of Dropbox circumventing accessibility prompts.

Same problem here. My 3 year-old i5 Retina MacBook Pro is often slow because Dropbox uses 100 % of one CPU. And it gets hot too …

I noticed a lot of disk activity once and fired up Process Monitor (on Windows). Dropbox.exe was going through literally all the files on my computer. That was when I uninstalled it forever.

Yeah, I'm more curious as to why Dropbox corrupted a few of my PDFs. Has been happening for years for a variety of people.

If you see this happen, please write in to our support team; we take data integrity issues very seriously.

Also I should probably mention that we keep 1 month of version history for free users and even more history for paid users, so if the corruption is recent you should be able to undo it yourself. But please report either way.

(Full disclosure: I work for Dropbox).

I'm a huge fan of Dropbox and I pay a monthly fee. I probably don't need to as my data needs aren't huge, but you guys are frankly the first people I've used that did this sort of thing properly and I believe you are worth paying a subscription fee to.

I'll log a ticket :-) might need to reproduce the issue first. Pretty awesome that you have employees who respond to posts on HN incidentally, that automatically increases my loyalty to a company several notches!

It's very strange that after I remove Dropbox from the accessibility list you think it's ok to add it back in again. That's the reason I'll be closing my account.

Absolutely. I dropped Dropbox some time back, when it became obvious that they didn't respect the user's wishes at all.

This has been a long-standing thing with them - some years back there was some stink about the forced Dropbox branding in the Finder (which we now see is related to this). Many people (including me) found it rude that it insists on adding useless widgets, badging icons and inserting crap in the Finder sidebar. For whatever reason, Dropbox (the corporation) apparently believes that junk to be important enough to their business to disregard what the owner of the machine wants, and now we see the lengths they go through to force themselves on the user.

I used to simply consider Dropbox rude enough to make me not want to use it. Now that I see the company is actively going out of their way to break the intended function of security-related OS components, I now consider Dropbox malware and will begin warning others about the company.

badging icons and inserting crap in the Finder sidebar

Their branding strategy is really annoying. I pay 10 Euro per month for Dropbox Pro, but they have Dropbox Business ads plastered all over the web interface.

For what it's worth I find the finder icons and sidebar additions to be nice touch, but I guess it would be nice to be able to disable that. The office integration on the other hand is beyond useless. The Dropbox badge mostly gets in the way of being able to scroll trough my documents and I have never used it for anything.

You can disable the Finder integration in the preferences, same for the badge.

Most programs don't consider that you might try to explicitly revoke permissions. It's a very understandable bug/behavior. I think it's worth giving them a chance to amend that code.

It didn't even ask for permission the first time.

Why would you even do that? What nefarious and yet undiscovered things did you think DropBox was likely to do specifically with the accessibility permission?

Permission systems in general seem like a solution without a problem to me. Nobody but a minority of people very concerned about theoretical security problems wanted them on platforms that didn't have them, almost nobody cares what permissions programs use on platforms that have them now, and people get along perfectly fine and with less inconvenience shoved in their face running programs without permissions systems aside from a simple admin rights/no admin rights today on Windows and Linux.

What if Dropbox has an exploit they're unaware of. Someone finds a whole in Dropbox and boom, now they have accessibility access.

Even if you trust the software vendor, security concerns can cascade.

This got downvoted and I'd like to know why. This was one of my first thoughts as well while reading the article: what if Dropbox gets hacked? Their client apparently has access to everything.

What if the hack pushes a rogue client? Or one CDN endpoint serves a malicious update? Or a little bit of code is sneaked into the development process? Or an employee gets sour? Or a million other things that you hope never happen. There is a reason we don't run apache/nginx/any networked service as root. (You don't, right?)

> and people get along perfectly fine and with less inconvenience shoved in their face running programs without permissions systems aside from a simple admin rights/no admin rights [...]

...For values of "perfectly fine" that include millions of malware slaves on the net, hundreds of millions of stolen passwords, targeted 0 days attacking human rights workers, file-encryptor extortion apps, etc. etc. etc.

> What nefarious and yet undiscovered things

If they're undiscovered, how am I supposed to list them?

As far as discovered things, the permission allows Dropbox to sniff the keyboard and interact with any other application as the user. Add that to unrestricted filesystem access, and the right question to ask is what nefarious things Dropbox can't do.

I prefer to know what the apps I install are going to be doing. To this end, OS-enforced permissions for using various services are a godsend. No program should need "admin" rights. And I should be able to know and control what each app I run can and cannot do. This seems utterly obvious to me. Even if most people dont' care, the tools should be there. There've been more than enough cases where apps have collected information they shouldn't have, whether intentionally or lazily. It baffles me that anyone could seriously make the argument you seem to be making.

Right, they have all your files already, so there's clearly some level of trust.

> they have all your files already

Hell no they don't? They have some shared folders between classmates and a few encrypted archives for personal backups.

1. Dropbox asks for root

2. Dropbox does not use sandboxing (at least, the one I have doesn't)

So, they do.

There is a difference between having all my files and being able to access all my files via a client.

1) My files are not on their service and thus not available at their discretion; they would first have to be uploaded.

2) With that logic all applications "have" all my files, but you bet I'd find it weird if I caught Libreoffice uploading files of interest to a service of theirs.

That said, I do see your point. Most desktop applications (as opposed to mobile apps) are capable of a lot more than they need to, and even many popular mobile apps are. I just wouldn't say I implicitly trust them with all of my files.

> 2) With that logic all applications "have" all my files, but you bet I'd find it weird if I caught Libreoffice uploading files of interest to a service of theirs.

On macOS this is not true though, for well-behaved document-based apps! Sandboxing prevents access to anything you haven't explicitly granted access to. I don't know if Libreoffice implements it correctly, though.

And before someone says that this is not feasible for a Dropbox-like application: OneDrive is distributed via the App Store (with its sandboxing requirements).

There's been some downvotes (thanks for the constructive feedback /s), but I'd agree that this is a better way to put it. Anything that asks for root has 100% access at that moment, and possibly in future. It's easy to forget with all the "training" that `sudo`and confirmation dialogs provide, but true. Heck, if you install something (and by install I mean allow itself to integrate into the system, as opposed to say a script), you have to trust something. Either you trust the issuer, the package maintainers, or yourself (after you've checked 100% of the source code and compile it), but there's trust at some point.

They only have (well should only have) access to the files I share on Dropbox, which is pretty much just music files, so if someone steals those files, I won't be too upset.

At this point you need to follow up with convincing technical details of why Dropbox needs the circumvention to counter the accusation and rebuild the damaged trust.

The reason for needing Accessibility API listed in your response is pretty vague, especially for those Mac users not having Microsoft products tainting their systems.

I've deleted Dropbox from my Mac for now. I'm not installing it back till there's reasonable explanation and remedies.

> why Dropbox needs the circumvention

I'm not affiliated with Dropbox, but compare the UX of Dropbox (type in your admin-password and that's it) with the one of Steam (opens the System preferences and forces you to make manual changes). Both need to be allowed accessibility access for one feature or another, but only one of them provides convincing UX.

For us power users, the "official" way is better, sure, but what's the percentage of power-users compared to normal users who actually enjoy the office intrgration and other things made possible by the accessibility API?

I would be happiest if it didn't do the dirty thing and also didn't offer office integration. Maybe that's the change they need to make. But if they insist on doing the things that need accessibility, then the current solution is so much more convenient than the steam dance.

Doing it is only part of of it. Doing it behind users back without a message or warning, or a even an article on their website is the biggest problem.

I agree with you general sentiment, but would Word or Excel really "taint" your system?


Vs. Apple? That seems thin...

Fanboys be blind to the hypocrisy and all that jazz...

Not everyone shares your same sense of morality.

I can't stand the `~/Documents/"Microsoft User Data"` folder, but that's what I get any time I open an Office app.

"We use elevated access for where the built-in FS APIs come up short."

One wonders what Dropbox would say if someone decided to obtain elevated access on their servers by surreptitious means because Dropbox's API "came up short".[1]

[1] https://www.dropboxforum.com/hc/en-us/community/posts/204550...

I really wish there was some type of option to go "I really don't want all that fancy crap; give me the version that works via standard APIs"

That is the web UI.

> We use elevated access for where the built-in FS APIs come up short.

Can you please provide an example of such shortcomings and accessibility APIs that are better?

Setting the icon of a folder. Seriously. That's what they are using it for.

> The intent was never to frustrate people or override their choices

When you designed an agent that specifically overrides the user's choice to turn off Accessibility rights for Dropbox, frustrating that attempt, I suspect that was intentional.

Note: not excusing Dropbox, but understanding how they reached here.

Bob (who less technically savvy) installs Dropbox for use with Office. Chuck (someone more technical than Bob) removes Dropbox from the accessibility list. Chuck has now broken Bob’s Dropbox, and Bob (being less technically savvy) blames Dropbox resulting in another ongoing thread about broken Dropbox.

I completely understand how Dropbox reached this point, and purely from a technical support point of view, how it is justified. There are probably better ways for them to have done this (still have the “hack”, but only insert it if Office applications are detected to be installed; have an option that can turn it off even if Office is installed, but warn about it and make it “easy” to turn back on).

In the long run, the best way to demonstrate that your software is trustworthy is to release the source code for your client software under an open source license.

Regardless of the password issue, if you are legitimately working with Apple to get the granular access to implement the useful features you want, why would you in the meantime subvert Apple security mechanisms (by using a sql vulnerability - this already more than qualifies you as malware IMO) to sneak the features in rather than asking the user to grant the accessibility permission?? No, this is more than a "my bad," this is deceit and violating.

Uh, nope. You've just ensured Dropbox will never be installed again on any of my machines or devices. Ever. You fuck up like this, you never earn that trust back.

>We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

If that's the case, How is it that the accessibility preferences are changed without root authorization?

Once you type your password into the Apple dialog, you grant Dropbox root access. That's the purpose of this dialog in all cases.

Per the original article, even root doesn't automatically have permission to modify the system.preferences.accessibility list.

I think you're wrong. It's a bit vague with all the unfamiliar systems (I have no experience with OS X), but root is mentioned in a few places:

> "The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false"

So the agent does not (by default) make an exception for applications running with uid 0. It does not say anything about modifying a certain file, it's just about the agent (if I understand it correctly).

> "In other words, if allow-root isn’t explicitly set, the default is that even a process with root user privileges does not have the right to perform that operation. Since that’s not specified in the default shown above, then even root couldn’t add Dropbox to the list of apps in Accessibility preferences."

Same thing again. Agent won't allow, but file permissions are not mentioned.

> "Root wasn’t allowed to override Accessibility, and authenticate was on, so it couldn’t be this way that Dropbox was hacking my mac."

Same again.

And that's all places where root is mentioned. Later on, however, sudo is used:

> "To insert an app in the list, you grab it’s bundle identifier (in the case of Dropbox, that’s com.getdropbox.dropbox), and issue:

> sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db “REPLACE INTO access VALUES(‘kTCCServiceAccessibility’,’com.getdropbox.dropbox’,0,1,1,NULL, NULL);”"

So sudo, which makes a command run as root, can modify that database.

And as far as I know this makes sense, because at least in Linux file permissions are simply not checked when uid is 0 (root user). Darwin/BSD might differ, but my unix family tree knowledge doesn't go that far.

Also, how else could Dropbox do it? As mentioned in the article, one of the helper applications contains an SQL statement (see the part about running "strings"), so it does seem to be directly modifying that database.

Agree. I now see the agent it installs is suid root.

Office Integrations: Worthless for a huge swath of users who don't have Office. Also undesirable for a large group of users who have Office but have no use for the integration.

Other Integrations: Too vague to justify what is potentially a large security threat. You've really got to do better than that.

The dialog box you see is a native OS X API (i.e. made by Apple).

Which API are you using that allows you to circumvent the OS X Accessibility Permissions control dialog? Or do you mean you're simply asking for administrative permissions in order to write directly to TCC.db? And in that case, what mechanism are you using to circumvent the permissions structure to permit you to rewrite to TCC.db without re-requesting the user's permission?

The Accessibility Permissions dialogue doesn't just show up. You as a developer can control when it is shown (using AXIsProcessTrustedWithOptions).

It would be awesome to have it not use accessibility APIs. I'm going to be following the instructions to revoke those rights.

I still don't understand how this allows for accessibility circumvention dialog.

If I understood correctly, using the root permission granted by the user when the prompt for the password comes up, they hack the database containing the accessibility settings, and add themselves to the list.

>but unfortunately some of the permissions aren’t as granular as we would like.

Nice euphemism for "catch all" permissions...

I'm not really concerned about Dropbox's intentions, or even the accessibility integration. What worries me is:

- There are numerous setuid binaries without any documentation or source code available. These have the potential to breed nasty zero-day privilege escalation exploits, possibly worse.

- Dropbox goes out of its way to obfuscate its Python bytecode. This doesn't prevent intellectual property theft: there will always be people capable of reverse engineering it (e.g., https://github.com/rumpeltux/dropboxdec). The only effect that it has is to significantly decrease the security of the application: technical users can't easily review the inner workings without a substantial time investment. Hackers, on the other hand, have massive profits to gain from reverse engineering something as popular as Dropbox, and won't hesitate to do so. This represents a lack of regard for security on Dropbox's part, indicating that they favor intellectual property protection over the security of their customers. When I buy a car, I can open it up, check the brakes, and be sure I'm not going to crash into a tree. I expect to be able to do the same with the software on my computer.

It looks like DropboxHelperInstaller can be used to extract an arbitrary tarball as root into /Library/DropboxHelperTools, preserving permissions. It takes two arguments: the first is a number (doesn't seem to matter--maybe PPID for callback?) and the second is the bath to the GZIP'd tarball. It seems to require that the tarball have an RSA signature appended to the end, but there are signs that the check may be less than ideal and possible to circumvent.

Output from extracting a Dropbox-signed tarball (in this case, DropboxHelperInstall's own tarball):

    crypto error while Verifying Signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
    crypto error while Verifying Signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
    mkdir '/Library/DropboxHelperTools' 0755 -> 17
    extracting ./._DropboxHelperInstaller
    extracting DropboxHelperInstaller
Output from attempt to extract a third-party tarball:

    missing magic number
    unable to read_digest
    couldn't verify signature
    <failure> -1
Output from attempt to extract a third-party tarball with the signature copied from a Dropbox tarball:

    crypto error while Verifying Signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
    crypto error while Verifying Signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
    crypto error while Verifying Signature: bad signature (in rsa routines:INT_RSA_VERIFY)
    couldn't verify signature
    <failure> -1
It's probably worth reverse engineering DropboxHelperInstaller to ensure that the signature check can't be evaded. Even then, I'm not sure I like the idea of anyone with Dropbox's private key being able to install arbitrary setuid binaries on my machine. Given recent events, it's quite possible the private key has already been stolen.

That office integration is a PITA, is there anyway to disable it?

On a Mac: Click Dropbox Icon in the menubar -> Options (gear in bottom right) -> General -> set Dropbox badge to "Never Show"

Now a malware can target your scripts and get a free ride to all your system yay.


Off topic: can you help me understand why when a file is locked (e.g. Outlook accessing .PST file) this causes Dropbox to peg the CPU to 100%.

I've opened multiple bug reports over the years and support dismisses my finding.

This makes Dropbox un-usable for me. I literally have to run Dropbox as "paused" 90% of the time and only "unpause" Dropbox when I close Outlook.

>We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

Is it a native OS X dialog API, or native OS X authentication API? I could make a password prompt myself, and call that "being official Win32 API".

Can you show me the class where you invoke it, so I can judge for myself?

It's a standard OS X authentication API. The overview of the authorization stuff is discussed in:


If you look under "Authorization Services Tasks" you'll see there's details about calling a privileged installer.

You are really just digging the hole deeper at this point. This needs a mea maxima culpa.

Apple really should kick you from the App Store and blacklist dropbox as malware.

I don't think Dropbox is listed on the App Store (I doubt it meets the sandboxing restrictions)

I meant the IOS App Store, not the Mac App Store. But this does highlight why Mac App Store app restrictions exist.

Re blacklisting, I'm referring to Apple's Xprotect (https://www.intego.com/mac-security-blog/topic/xprotect/).

Upgrading your privileges is against sandboxing rules, so no it can't be sandboxed.

> We only ask for privileges we actively use -- but unfortunately some of the permissions aren’t as granular as we would like.

And as for the rest of the privileges, we just take them without asking. Who knows, someone might refuse!

I removed the Dropbox app from my iPad when they started to require a active GPS to upload files. [about two years ago] If you disallow GPS for that app, it disallows you to upload files. Stupid decisions!?

wat. I just checked, I have Location Services set to 'Never' on Dropbox and it uploads files fine.

It was about two years ago. I removed the app, never looked back. But recently came across a news that Dropbox got hacked and all passwords were captured and leaked. At the same time I received an email from them, not mentioning that (as far as I remember) but what they mentioned they will delete my account if I don't login in the next x weeks. It seems Dropbox had its peak, and it's going down-hill from there -except they do an IPO or find a someone to sell (maybe they already do just that).

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact