One of the downsides of broad integration is how far a single vulnerability can reach. Today IBM researchers publicly acknowledged a vulnerability that affects any app that uses Dropbox SDK versions 1.5.4 through 1.6.1 on Android mobile platforms. This vulnerability has been known since December of 2014.
Reported on SecurityIntelligence.com:
“Out of the 41 apps we examined as part of our initial research that use the Dropbox SDK for Android, 31 apps (76 percent) used a vulnerable version of the SDK. It is worth noting that the rest of the apps were vulnerable to a much simpler attack that has the same consequences but had been fixed by Dropbox in the SDK version 1.5.4, this older attack vector was notable in that it could not be prevented by installing the Dropbox app.”
According to ZDNet, the Microsoft Office Mobile app is one of the biggest users of the SDK, storing 35 billion documents on Dropbox.
The SDK is used by other applications that integrate with Dropbox to store files. The problem is knowing whether your app has been updated with the patched SDK. If you’re not sure, it might be wise to remove any apps that integrate with Dropbox until the app developer has confirmed the app has been patched with the updated SDK.