Dropbox recently came under fire for a security issue with its mobile app, and it is worth taking a closer look at.
The problem: unencrypted metadata
When you use the Dropbox mobile app on your smartphone, it transmits your metadata in the clear. Translation: when you look at a file on your Dropbox mobile app, the name of the file is visible and can be read by someone who happens to sniff out the transmission. The content of the file, however, is not visible.
Allegedly, in addition to the name, a snooper could also find out the modify time, size and whether the file is a directory or a file.
The risk seems remote, but it is very real
First of all, this risk requires someone to be snooping around and capturing data from your smartphone. Second, it requires that you be using your Dropbox app and accessing a file whose filename reveals something. The likelihood of both of those happening is low. That said, it is still a possibility, and potentially damaging.
Take the scenario to the next step. You are sitting outside court, reviewing your client’s affidavit on your Dropbox mobile app. Opposing counsel already has that document (in all likelihood). A data snooper would only see something like “March 5 Client Aff.”
The way this becomes an issue is if somehow your file name reveals something you do not want to disclose or something you have to hold in confidence. For example, you interviewed a witness and named your file “Notes from pcall with NAME.” Or if you represent a company that is in talks to buy another company, and named the file “Purchase agreement for COMPANY X.”
How to eliminate the risk
The easiest solution is to not use the Dropbox mobile app—delete it from your smartphone. The risk is minimal—there are easier ways to hack data—but it is still a risk. You can also be more careful about what you name your files. Or, purposefully avoid opening any file that reveals information in the file name when you are on the move.
Dropbox has said they are reevaluating how metadata is transferred, so the issue may get a fix in the near future.