Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
Beginning on or after April 13, the Dropbox API will require that calls use TLS 1.2 or greater. Traffic using TLS 1.0 or 1.1 will be rejected.
The latest Dropbox SDKs will select TLS 1.2 when available in the environment, but versions over two years old may require an update. In particular, users of the Dropbox Java SDK should update to v3.1.1 (released June, 2019) or later & Dropbox Python SDK should update to v8.4.1 (released November, 2017) or later.
TLS 1.2 has been the default on major mobile & desktop operating systems since 2014. Developers whose application may be run in older or unusual environments should investigate to ensure compatibility.
Please ensure your apps use TLS 1.2 when connecting to the Dropbox API.
We are currently using the following version in the Android apps.
We will update to the required version. But development, testing and user update will take much more than 1 month left. We ask Dropbox to give us more time to comply.
Thanks for the consideration.
I received an e-mail from Dropbox warning that "your app(s) TuneLab Tuning Files have recently made calls to the Dropbox API using a deprecated TLS protocol version." I thought we had updated both our iOS and Android versions over a year ago. I suppose it is possible that some users of our apps have not updated in all that time, but I would like to know if there is any test I could run to see whether or not the latest versions of my apps are using the deprecated protocol. My inspection of the Android code shows the external library of com.dropbox.core:dropbox-core-sdk:3.1.5, which should be OK. And the iOS code uses cocopods and references ObjectiveDropboxOfficial and a README.MD that says "The Official Dropbox Objective-C SDK for integrating with Dropbox [API v2] " which should be OK too. The source files are dated 11/3/2020. So that should be OK too. But I don't trust this as proof that my apps are not using the deprecated protocol. So how can I run a test to know for sure? Is there a way I can simulate April 13th now? Or monitor traffic? The e-mail I got from Dropbox has got me worried.
I would second that request of a simple test for peace of mind.
I also got that email, but my apps have should have been using compliant versions of the SDK for many years...
@Eric Z.6 Thanks for sharing this feedback. At this time I am unfortunately not able to offer extensions for this change, but I’m sending this feedback along to the team.
For reference, we did send earlier advance notices about this change by email last year, but it sounds like those did not make it to you. For instance, perhaps they were caught by a spam filter. Please make sure that the email address on the account that owns your API app(s) is correct and can receive email. Additionally, make sure you haven't unsubscribed from "API announcements".
@Robert S.138 @Mark R.5 If you’ve already updated your app, this traffic may be coming from users still on an old version of your app. You may want to notify your users to update to the latest version of the app. We don't have a way to simulate the change, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though. If you'd like additional help verifying this, feel free to open an API ticket from the account that owns the app(s) in question and we may be able to offer some help.
We have received the mail regarding to this issue, stating that:
"We’re reaching out because your app(s) ... have recently made calls to the Dropbox API using a deprecated TLS protocol version."
We would like to confirm the following:
1. Does that mean our app did make calls using a deprecated TLS protocol version so that we received this mail? Or, is this just a notification regardless of whether our app communicates with deprecated TLS protocol version?
By testing with our app, it seems that the latest version of our app uses the TLS 1.2 and 1.3 protocol version. If receiving this mail is a proof of using deprected TLS protocol version by our app, then the only possible reason may originate from some of our customers who still uses older version of our app, which may be kind of wierd. Also, do you have any recommended way to test on which TLS version our app is really using?
2. We are using the curl library to send API to dropbox with the setting of CURL_SSLVERSION_TLSv1. Under this setting, although it seems that we will use the TLS 1.2 or 1.3 (depending on the version of curl library), in case we may still send with TLS 1.0/1.1, we would like to know after the deprecation of TLS 1.0/1.1 on April 13, will the request be fallback to use TLS 1.2 or 1.3 automatically? Also, is there any approach to test this situation?
Look forward to your reply, thank you!
Can you at least confirm that the following is sufficient for avoiding the deprecated protocols:
In the Android version of our app, the build.gradle file under the app folder contains:
. . . .
. . . .
and in the iOS version of our app, all the files in all the subdirectories of:
have a file date of 11/3/2020.
If it is not sufficient, tell me what else I could check.
@DreamingDev 1. If you received that email it means your app sent some amount of TLS 1.0 or 1.1 traffic to the Dropbox API recently. If you’ve already updated your app, this traffic is likely coming from users still on an old version of your app. We don't have a way to simulate the change, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though.
2. I can't provide support for specific third party network clients as they're not made by Dropbox, but in general yes, network clients should automatically use the best available and compatible protocol version. As above, I can't offer a way to test this ahead of time, but you may be able to enable some logging on your network client to check the protocol version being used.
@Robert S.138 Yes, Java SDK v3.1.5 is sufficient. And likewise a version of the Objective-C SDK from late 2020 would also be sufficient.
If you need more help you can view your support options (expected response time for a ticket is 24 hours), or contact us on Twitter or Facebook.
For more info on available support options, see this article.
If you found the answer to your question, please 'like' the post to say thanks to the user!