Archive for March 11, 2011

Friday, March 11, 2011 [Tweets] [Favorites]

Dropbox Mobile Less Secure Than Desktop

Mike Cardwell found that, even though Dropbox’s FAQ said:

All transmission of file data and metadata occurs over an encrypted channel (SSL).

the metadata was, in fact, not encrypted from the Android and iPhone clients. Indeed, for mobile clients:

some limited file metadata (name of file, etc) are transmitted over HTTP for performance reasons.

This should either be changed or clearly disclosed and made a preference. The FAQ has since been changed to say:

All transmission of file data occurs over an encrypted channel (SSL).

Although, presumably, metadata from desktop clients is still encrypted, it would be nice to have this spelled out clearly.

The Dropbox API seems to use https, so it looks as though third-party clients, such as the iPhone text editors I compared, are not affected.

Update (2011-03-14): Here’s the Votebox thread for this issue.