Ted F.7
9 years ago
New member | Level 1
Access Tokens, Fiddler, Security
Hi,
Someone uses Fiddler to get my access token which is normally hidden from our app's users. Don't they now have access to my Dropbox through the API?
I read some of the other posts about this ...
Richard P.
Super User alumni
9 years ago
So it appears that my initial concern is moot. Agreed?
I can decompile your app, or attach a debugger at run time, and sniff the key that way.
With a temporary untrusted certificate, Fiddler can decode some SSL but from what I see, you can make it so your stream cannot be decoded this way and I was unable to use this technique to view, say an upload of files, the plain text.
With a temporary, untrusted certificate, Fiddler can decode *all* SSL unless the app is specifically looking for a pinned certificate. Which means you need to do a lot more in your app than simply opening a connection.
See the following thread for info on cert pinning, and what certs to pin and what not to pin.
But pinning still doesn't get you around my first point.
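An added example, not part of either post: a client-side pinning check of the kind the reply describes, where the connection is refused if the server certificate is not the expected one, even when a proxy's certificate has been trusted on the machine. It assumes the app pins the SHA-256 fingerprint of the server's leaf certificate; the pin value and the names `PINNED_SHA256`, `is_pinned` and `open_pinned` are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder pin: SHA-256 of the DER-encoded certificate the app expects.
# A real app ships the fingerprint(s) of whichever certificate(s) it decides to pin.
PINNED_SHA256 = {hashlib.sha256(b"constructed-expected-cert-der").hexdigest()}


class PinMismatch(Exception):
    """Raised when the peer certificate is valid but is not a pinned one."""


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert: bytes, pins=PINNED_SHA256) -> bool:
    """True only if the certificate's fingerprint equals one of the pins."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def open_pinned(host: str, port: int = 443, pins=PINNED_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin before any data is sent."""
    # Default context: normal chain and hostname validation still apply.
    # An intercepting proxy whose root was added to the trust store passes
    # this step, which is why the extra pin check below is needed.
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pins):
        tls.close()  # refuse before the access token is ever transmitted
        raise PinMismatch(f"certificate for {host} does not match a pinned fingerprint")
    return tls
```

This only protects the token in transit; it does nothing about the first point in the reply, that the token can be recovered by decompiling the app or attaching a debugger.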