Is it possible to download files from my app folder (Dropbox) to my app without linking an account? If so, how would I do that?
[Cross-linking for reference: https://stackoverflow.com/questions/34603685/how-to-download-files-to-app-from-app-folder-without-li... ]
Based on the additional information you posted in your StackOverflow question, it sounds like you just want your app to connect to your own Dropbox account, as opposed to the accounts of your end-users.
The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.
However if you did want to go this route, instead of kicking off the authorization flow, you would use an existing access token for your account and app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .) Also, note that while embedding an access token isn't great, you definitely shouldn't embed your username and password.
For reference, here are some other similar questions on StackOverflow where I've posted answers:
Thank you so much! I looked through your previous answers and I think I got it. I'll try implementing it when I get home. I saw that you cited security concerns. I would of course only be downloading non-personal PDFs and Word documents. (Informational packets and forms)
There wouldn't be any problem getting my app approved to the App Store, would there? Also, are there any alternate solutions that would allow me to check each file individually in a folder and only download it if it has been updated?
My goal is to check every file in the folder and decide whether or not to download it without explicitly knowing what the file is. (So I can add and remove files from the folder if needed.) That's why I was straying away from explicit share links.
No problem. To elaborate a bit on the security concerns, note that client-side applications can't keep secrets, meaning that any access token stored in a distributed app could be extracted directly, or sniffed in transit. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce. They could even replace the files with other data, or revoke the access token entirely, breaking the integration for all of your users.
Anyway, I can't speak to any concerns with getting your app on the App Store. You'd have to refer to Apple for that.
Using the API would certainly be a useful way to download files and watch for when they change. As an alternative, you could use the etag header value returned on shared links, but that's not officially documented.
There are any number of ways to obfuscate or encrypt it, but it's impossible to actually protect a secret in a client-side application. (E.g., if you encrypt it, the encryption key eventually needs to be on the device too, and so can be similarly stolen, etc.) No matter what, an attacker could extract the secret from the app. Or, even if the access token is encrypted at rest, they could just perform a man-in-the-middle attack and pull the access token out as it goes over the network when making actual API calls.
The access token secret is not the same thing as the app secret.
If you're using OAuth 1, the access token secret is the "oauth_token_secret" returned by /oauth/access_token.
If you're using OAuth 2, the access token is just one string, and doesn't have a separate "secret" portion.