An authorization-bypass security vulnerability has been discovered in Dropbox’s app for the Android platform, which can be exploited to bypass Android’s sandbox security model, according to a researcher at MWR InfoSecurities.
According to Tyrone Erasmus of MWR InfoSecurities, Android applications communicate with each other by exporting program features known as IPC endpoints defined in the AndroidManifest.xml file which is a standard part of all installable application packages.
Using these endpoints, any feature of an Android application can be exported, enabling the interaction of applications across the security sandbox. This may create a security-vulnerability for the applications whose features are being exported.
The Dropbox app for Android suffers from an issue wherein the application can be exploited using IPC endpoints to upload files from the Android device to the linked Dropbox account without the user’s knowledge. Insufficient security permissions set in the AndroidManifest.xml of the Dropbox application is the stated cause for this flaw. The content provider which is used by the application to control the flow of files to and from the linked Dropbox account is exported implicitly and made available to other applications.
The Dropbox content database can be uploaded and the Dropbox settings database, which includes the email addresses, access keys to a Dropbox user account can be leveraged using the same exploit. This data is ostensibly stored in the application’s data storage area and should not be available to other applications.
However, since the features of the Dropbox application are available through the exported content provider in the application, a malicious application can bypass these restrictions. These files can then be uploaded to the user’s public Dropbox directory making it accessible to anyone over the internet.
The solution recommended by MWR InfoSecurities is to uninstall the Dropbox application from the Android device and update it to the latest version of Dropbox. The vulnerability affects versions 1.1.3 and lower and has been fixed by the Dropbox team in version 1.1.4 of the app.
More information on the technical aspects of the exploit can be found on the MWR site (pdf), including a basic exploit for this vulnerability, provided as a proof of concept.