Makerere University

Dropbox Android SDK Flaw Exposes Mobile Users to Attack: IBM

IBM researchers discovered a flaw in Dropbox's Android SDK which can leave mobile users vulnerable to attack.

The issue was not in the Dropbox service or the mobile app itself, but rather in the company's SDK that third-party developers include to let users easily connect to their Dropbox files, Michael Montecillo, director of security intelligence at IBM Security, told SecurityWeek.

The vulnerability (CVE-2014-8889) was present in the SDK versions 1.5.4 through 1.5.1.

The vulnerability, dubbed DroppedIn by IBM researchers, would allow an attacker to connect mobile apps using the SDK to a Dropbox account under their control, IBM Security researcher Roee Hay wrote in an overview on the Security Intelligence blog. This way, attackers could easily transfer out the data harvested from the mobile device. "This may allow the attacker to steal sensitive information and inject malicious data into apps," Hay said.

Dropbox updated its Android Core and Sync/Datastore SDKs four days after researchers reported the vulnerability. Even after the flaw was patched, IBM and Dropbox delayed publicizing the vulnerability in order to give other app developers time to update their apps.

For more details, see the source: http://www.securityweek.com/dropbox-android-sdk-flaw-exposes-mobile-users-attack-ibm
