科技回声 (TechEcho)

How Dropbox Hacks Your Mac

1037 points, by 8bitben, over 8 years ago

39 comments

newhouseb, over 8 years ago
Hi HN — Ben from Dropbox here on the desktop client team. Wanted to clarify a few things —

- Clearly we need to do a better job communicating about Dropbox's OS integration. We ask for permissions once but don't describe what we're doing or why. We'll fix that.

- We only ask for privileges we actively use -- but unfortunately some of the permissions aren't as granular as we would like.

- We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions).

- We use elevated access for where the built-in FS APIs come up short. We've been working with Apple to eliminate this dependency and we should have what we need soon.

- We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).

- We check and set privileges on startup — the intent was to make sure Dropbox is functioning properly, works across OS updates, etc. The intent was never to frustrate people or override their choices.

We're all jumping on this. We'll do a better job here and we're sorry for any anger, frustration or confusion we've caused.
ejcx, over 8 years ago
Just wanted to give the author a shoutout for being awesome. This article is published with an AMP version[0] too, which is pretty unusual for smaller blogging sites.

AMP articles are so much easier on my eyes (and the author can't include their own javascript on an AMP page, so there is less bloat). I wish all bloggers started to publish AMP pages.

[0] - http://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/amp/
gwbas1c, over 8 years ago
I work at Syncplicity, a Dropbox competitor, and investigated building a feature that is similar to the Dropbox badge. (We call it the App Tab. Basically, it's UI that tacks onto Office that tells you that someone else is editing the same document.)

We've had requests for this feature for years. I can't stress how much customers request this feature; it's put a lot of egg on our face that Dropbox beat us to it.

In order to do this on Mac, we'd need to register ourselves as an accessibility client. I don't remember the details about registering ourselves, but from what I remember, it doesn't require hacking into OSX.

We've had to hack into OSX in the past: Adding menu items and icons to Windows Explorer is supported via well-documented Microsoft APIs. It wasn't until about 2014 that Apple supported this; prior to that, we had to reverse-engineer Finder. We didn't get OSX APIs to do this until we hired a contractor with "connections" to Apple; he petitioned his connections to provide an API. I know that Dropbox, Google Drive, Box, and an open-source project called Liferay-Nativity all performed the same hack.

Based on my Syncplicity experience, what happens in these cases is that a product manager gets so focused on the pixels that he/she is completely blind to the practical implementations. There's probably a bit of "I told you so" coming from some of Dropbox's engineers now.
ptomato, over 8 years ago
It looks like in 10.12 Apple has added TCC.db to SIP, so this will no longer work — Dropbox will, hopefully, actually be forced to request accessibility access like they're supposed to. I'm sure they'll still demand your admin password via a dialog that tries super hard to look like a system one to use for whatever other more or less nefarious purposes. Would be nice if there was an alternative that actually syncs as reliably and performantly, but in my testing that's very much not the case.

I appreciate the trend of Apple forcing Dropbox to stop doing dumb shit, though. (Previously, of course, the SIMBL-style Finder hacking)
tomku, over 8 years ago
Non-clickbait title: "How Dropbox uses the root access that you give it during installation to give itself Accessibility authorization without triggering the usual popup".
antoncohen, over 8 years ago
I have given Dropbox access to my files, admin rights, and the ability to run in the kernel. I'm not freaking out about the Accessibility API.

setuid binaries:

    $ tree -p /Library/DropboxHelperTools/
    /Library/DropboxHelperTools/
    ├── [-r-s--x--x]  DropboxHelperInstaller
    └── [drwxr-xr-x]  Dropbox_u501
        ├── [-r-s--x--x]  dbaccessperm
        ├── [-r-s--x--x]  dbfseventsd
        └── [-r-s--x--x]  dbkextd

kernel extension:

    $ kextstat -b com.getdropbox.dropbox.kext
    Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
      163    0 0xffffff7f835b5000 0x6000     0x6000     com.getdropbox.dropbox.kext (1.7.5)
Sir_Cmpwn, over 8 years ago
Great article, but poor conclusion. He finds that Dropbox is untrustworthy, a finding that likely surprises no one, and reaches for iCloud as the solution. Why move into another walled garden driven by corporate interests? OwnCloud or a similar self hosted solution would be better. I just use NFS and a dead simple storage server to make ~/shared available on all of my machines.
new299, over 8 years ago
Dropbox circumventing security restrictions (albeit for legit reasons) is particularly worrying because they have board members who support warrantless surveillance.

In my mind Dropbox became a company not worth supporting when Rice joined Dropbox's board (http://www.drop-dropbox.com/). Personally, with a board member who advocates warrantless surveillance it seems unlikely that we share similar views on the security of my data, and I won't be using their service.
ThomPete, over 8 years ago
Dropbox trying to find ways to push the platform is a good thing, not a bad thing.

If anything, Apple have put so many restrictions on OSX and aren't pushing for much innovation on their side to allow people to build ever more powerful apps.

I understand general security concerns but I don't understand the critique of a company like Dropbox. They are doing the user a service, not a disservice, by finding a balance between pushing the platform forward while still taking your security concerns into account.

I would personally be more concerned with the fact that Apple haven't done anything fundamental for the OSX platform in quite a while, which is the exact opposite of what they have done for iOS.
gruez, over 8 years ago
The fact that any application can spoof the OS password prompt makes me wonder why they don't have a prominent feature to show the prompt is from the OS. On Windows there is the secure desktop with the dimming effect.
fifafu, over 8 years ago
One thing to note: For non-sandboxed apps like Dropbox, the Accessibility API permissions don't really decrease security by a lot (in my opinion).

Most bad things can be done without the Accessibility API, e.g. apps can act as key loggers, take screenshots, encrypt all files your user can access, upload arbitrary things (unless you have a firewall enabled), synthesize mouse & keyboard events etc.

The Accessibility API makes some of those things easier, but if someone really wanted to attack you, he wouldn't need the Accessibility API.

For sandboxed apps the situation is quite different, because the Accessibility API would allow those apps to break out of the sandbox.

But of course Dropbox should have asked the user...
f_allwein, over 8 years ago
For what it's worth, I posted on the Dropbox support forum asking them to explain. This seems to be the only way to contact them: https://www.dropboxforum.com/hc/en-us/community/posts/208945183--Dropbox-s-dirty-little-security-hack-
bahoom, over 8 years ago
I'm using the same techniques for my apps to enable accessibility access (which is needed for window management), although I'm asking users for confirmation before doing so.

It's kind of hacky, but the standard Apple way (click the tiny lock icon on the bottom left, find the app in the list, click the checkbox) is way too cumbersome for users.

Why not display a simple yes/no popup similar to the "allow access to contacts / calendar items" dialog?
SpacemanSpiff, over 8 years ago
I've recently started using Syncthing to synchronize files between different machines. I'm super impressed at the quality of the application, its stability, and the documentation. Syncthing is written in Go and open source. https://syncthing.net/
Dylan16807, over 8 years ago
I don't really understand the conclusion here. So the scenario is you trust Dropbox with your files, and you trust them with a kernel blob implementing the filesystem, but you don't trust them to silently have accessibility rights?
devy, over 8 years ago
If the Dropbox app can do this, other apps can too!

I wonder if this will get Apple's attention to "fix" it?
amelius, over 8 years ago
I wonder what will happen when Apple plugs those security holes. Will Dropbox cease to run as it does now, and suddenly, for instance, lose important features?
pkamb, over 8 years ago
I didn't see it linked, so here's the Stack Overflow thread that documents some of these sqlite3 hacks for enabling access for assistive devices programmatically.

http://stackoverflow.com/questions/17693408/enable-access-for-assistive-devices-programmatically-on-10-9

I love the first comment on the question:

> No, there is no way to circumvent the need for visiting this screen. It is one of the operating system's base protections. Any way that is found to circumvent this will almost certainly be patched out. – Jul 17 '13
the_mitsuhiko, over 8 years ago
Why does Dropbox need to bring up a fake dialog? They could do the same with the system one.
hollerith, over 8 years ago
My Dropbox story: after I upgraded from Mountain Lion to El Capitan, the sidebar in the Finder went buggy (no way to remove a folder from the sidebar without restarting the Finder). After I started arranging for this next command line to run at the start of every OSX session, the bug went away: `killall -9 garcon`. This garcon identifies itself in Activity Monitor as "Dropbox Finder Integration".

Needless to say, I never asked or gave consent for Dropbox to integrate with the Finder (and sync still seems to continue to work after I disabled it).
rrdharan, over 8 years ago
Dropbox posted an article in their Help Center explaining what they're doing: https://www.dropbox.com/help/9266

[Disclosure: I used to work at Dropbox.]
bluetwo, over 8 years ago
I noticed about 6 months ago that Dropbox was on this list and disabled it the normal way. It stayed disabled and also didn't cause any problems using the software.

Now, how did Evernote get on the list?
finid, over 8 years ago
On the Linux side, has anybody looked at what installing Dropbox does?

I'm guessing it's not going to be different from what it does on a Mac, but it would be nice to know exactly...
saynsedit, over 8 years ago
"How Dropbox avoids prompting the user with countless confusing permissions dialogs so normal people have a greater chance of using it."
breatheoften, over 8 years ago
Anybody know a good OS X app to scan the file system for suid binaries? I guess I could do this with find from the shell, but a little utility app with a nice UI (and possibly some integration with a database to hide or categorize by threat level) seems like a smart thing to have on my system and run every so often.
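A small scanner for the setuid audit asked about above, added here as an example and not code from the thread or from any of the products discussed in it. It walks the given roots with lstat (symlinks are reported as themselves and never followed), lists every setuid or setgid regular file with its mode, and diffs the result against a saved baseline so it can run periodically as the watchdog a later comment wishes for. The directory built by make_sample_tree() is constructed for the example and stands in for a path such as /Library/DropboxHelperTools; on a real Mac you would point find_setid_files() at roots such as /Library, /usr/local and /Applications and keep the first run's output as the baseline.

```python
"""Find setuid/setgid files under given roots and diff against a baseline.

Added example using only the standard library; not code from the thread or
from any product discussed in it. make_sample_tree() builds a constructed
directory standing in for a path such as /Library/DropboxHelperTools.
"""
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(*roots):
    """Return sorted (path, octal_mode) pairs for setuid/setgid regular files.

    lstat is used so symlinks are reported as themselves and never followed;
    only a real file with the bit set confers privilege.
    """
    found = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; skip rather than abort the scan
                if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                    found.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(found)


def diff_against_baseline(baseline, current):
    """Return (added, removed) relative to a previously saved scan."""
    before, now = set(baseline), set(current)
    return sorted(now - before), sorted(before - now)


def make_sample_tree():
    """Constructed sample: two setuid helpers and one plain file."""
    root = tempfile.mkdtemp(prefix="setid_demo_")
    helper = os.path.join(root, "HelperTools")
    os.mkdir(helper)
    # 0o4511 is -r-s--x--x, the mode shown for dbaccessperm earlier in the thread.
    for name, mode in (("dbaccessperm", 0o4511), ("dbkextd", 0o4511), ("plain", 0o755)):
        path = os.path.join(helper, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # chmod after writing so the setuid bit survives
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    scan = find_setid_files(root)
    for path, mode in scan:
        print(mode, path)
    # Simulate a later run after a new privileged helper appeared.
    added, removed = diff_against_baseline(scan[:1], scan)
    print("new since baseline:", added, "gone:", removed)
```

Modes are printed in octal so that 0o4511 lines up with the -r-s--x--x entries in the tree listing earlier in the thread. Anything in the added list is a new privilege boundary on the machine and deserves the same scrutiny the thread gives dbaccessperm.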
DonHopkins, over 8 years ago
"but with the deliciously named dbaccessperm file"

I don't get it. What's so delicious about "dbacces"?
alphonsegaston, over 8 years ago
Can anyone suggest a vetted-along-these-lines alternative (preferably open source) to Dropbox?
djabatt, over 8 years ago
I wonder if Apple will thwart this hack with an update. Seems like anyone reading this will start using this hack. In the meantime a watchdog app for this hack would be nice to have and share with the world.
newman8r, over 8 years ago
I don't use OSX or Apple software anymore, but I remember that using Dropbox on OSX always felt like it went against Apple's UX flow. I ended up getting really frustrated with it.
ommunist, over 8 years ago
Speaking of alternatives, what's wrong with Resilio Sync?
sambe, over 8 years ago
This page went spam-redirect crazy on iOS. I flagged the story, but don't see anyone else complaining...
jackgavigan, over 8 years ago
What Dropbox are doing may actually be illegal in the UK under the Computer Misuse Act.
outworlder, over 8 years ago
Ok. Now that Dropbox is shady as well as overpriced, are there any good alternatives?
nhamausi, over 8 years ago
Is this only on Mac? What about Windows (bypassing UAC?)
puppetmaster3, over 8 years ago
I trust Dropbox way more than Apple.
0x0, over 8 years ago
What the fuck, Dropbox!

How do I get rid of the backdoor in /Library/Application\ Support/com.apple.TCC/TCC.db even after uninstalling Dropbox.app and rm -rf'ing ~/.dropbox and /Library/DropboxHelperTools? Do I just sudo sqlite3 and delete the row? Or is there an official tool (tccutil)?

Edit: Crap, there's a /Library/Extensions/Dropbox.kext too now. :(
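The sqlite3 technique behind the Stack Overflow link earlier in the thread and the cleanup question in the comment above both come down to rows in the access table of TCC.db. What follows is an added example, not code from Dropbox, Apple or the thread, that audits and revokes Accessibility grants in a TCC-style database. SCHEMA is my reconstruction of the pre-10.12 access table (service, client, client_type, allowed, prompt_count, csreq) and is an assumption; the rows written by make_sample_db() are constructed for the example, with the two com.example clients being hypothetical. On a real machine the file is root-owned, so the same queries need sudo, and from 10.12 the system copy sits under SIP, as a comment above notes. Apple's supported way to clear grants for a service is `tccutil reset Accessibility`, which removes every client for that service rather than one row.

```python
"""Audit and revoke Accessibility grants in a TCC.db-style SQLite file.

Added example, not Dropbox's or Apple's code. SCHEMA is an assumed
reconstruction of the pre-10.12 `access` table; make_sample_db() builds a
constructed database, not a real TCC.db.
"""
import os
import sqlite3
import tempfile

ACCESSIBILITY = "kTCCServiceAccessibility"

# Assumed pre-10.12 layout of the access table (column names and order).
SCHEMA = """
CREATE TABLE access (
    service      TEXT    NOT NULL,
    client       TEXT    NOT NULL,
    client_type  INTEGER NOT NULL,   -- 0: bundle identifier, 1: absolute path
    allowed      INTEGER NOT NULL,   -- 1: granted, 0: denied
    prompt_count INTEGER NOT NULL,
    csreq        BLOB,
    CONSTRAINT key PRIMARY KEY (service, client, client_type)
)
"""


def make_sample_db(path):
    """Build a constructed TCC-style database with three grants.

    The Accessibility rows are the shape a root-privileged INSERT leaves
    behind when an app grants itself access without the system prompt.
    """
    con = sqlite3.connect(path)
    try:
        con.executescript(SCHEMA)
        con.executemany(
            "INSERT INTO access VALUES (?, ?, ?, ?, ?, NULL)",
            [
                (ACCESSIBILITY, "com.getdropbox.dropbox", 0, 1, 1),
                (ACCESSIBILITY, "com.example.windowmanager", 0, 1, 1),  # hypothetical
                ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1),  # hypothetical
            ],
        )
        con.commit()
    finally:
        con.close()


def sample_db_path():
    """Create the constructed database in a temp dir and return its path."""
    path = os.path.join(tempfile.mkdtemp(prefix="tcc_demo_"), "TCC.db")
    make_sample_db(path)
    return path


def list_grants(path, service=ACCESSIBILITY):
    """Clients currently allowed for `service`; the file is opened read-only."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT client FROM access WHERE service = ? AND allowed = 1 "
            "ORDER BY client",
            (service,),
        ).fetchall()
    finally:
        con.close()
    return [client for (client,) in rows]


def unexpected_grants(path, allowlist, service=ACCESSIBILITY):
    """Granted clients that the caller did not knowingly approve."""
    return [c for c in list_grants(path, service) if c not in allowlist]


def revoke(path, client, service=ACCESSIBILITY):
    """Delete the (service, client) row; returns the number of rows removed.

    This is the manual `sqlite3 TCC.db "DELETE FROM access ..."` step. The
    real file is root-owned (sudo) and SIP-protected from 10.12 onward;
    `tccutil reset Accessibility` clears the whole service instead.
    """
    con = sqlite3.connect(path)
    try:
        cur = con.execute(
            "DELETE FROM access WHERE service = ? AND client = ?",
            (service, client),
        )
        con.commit()
        return cur.rowcount
    finally:
        con.close()


if __name__ == "__main__":
    db = sample_db_path()
    print("Accessibility grants:", list_grants(db))
    print("Not on allowlist:", unexpected_grants(db, {"com.example.windowmanager"}))
    print("Removed rows:", revoke(db, "com.getdropbox.dropbox"))
    print("After revoke:", list_grants(db))
```

Running unexpected_grants() against a copy of the real database with an allowlist of the apps you approved in System Preferences is the audit the thread is really asking for: any client that appears there without having gone through the prompt got in the way this page describes.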
owlieowl, over 8 years ago
I just removed Dropbox. Web client from here on.
Musonius, over 8 years ago
My computer was slow and unusable, and then I uninstalled Dropbox.
0xmohit, over 8 years ago
Moral: Avoid native apps if you can't avoid using them at all.