Friday, March 11, 2011

Dropbox Mobile Less Secure Than Desktop

Mike Cardwell found that, even though Dropbox’s FAQ said:

“All transmission of file data and metadata occurs over an encrypted channel (SSL).”

the metadata was, in fact, not encrypted from the Android and iPhone clients. Indeed, for mobile clients:

“some limited file metadata (name of file, etc) are transmitted over HTTP for performance reasons.”

This should either be changed or clearly disclosed and made a preference. The FAQ has since been changed to say:

“All transmission of file data occurs over an encrypted channel (SSL).”

Although, presumably, metadata from desktop clients is still encrypted, it would be nice to have this spelled out clearly.

The Dropbox API seems to use https, so it looks as though third-party clients, such as the iPhone text editors I compared, are not affected.

Update (2011-03-14): Here’s the Votebox thread for this issue.

1 Comment

[...] fact that you can still access your data after resetting your password. However, this is another instance of Dropbox not communicating well, with the result being that most people think it works better [...]
