Android App Passcode

nuno
Explorer | Level 3

Hello,

 

I keep some of my important files in my Dropbox.

 

Today I decided to install Dropbox, to see how easy it is for someone to access all my Dropbox files, if my phone happened to be stolen.

 

I see that Dropbox did not ask for my Dropbox login. I could simply log in by using Google Account.

 


I appreciate very much that you have the Passcode functionality on your Android app. I set up a Passcode to protect the access.

 

However, I tested what a potential thief could do -- I tried to uninstall the app and install it again. And there you go - it did not ask for the Passcode that I had set up previously.

 

This totally defeats the purpose of a Passcode function, as it takes just a few seconds to bypass it.

 

Is there anything that could be done to make Passcode a server-saved feature, so that I can actually protect my files a bit more?

 

Thank you,
Nuno

Accepted Solutions

Re: Android App Passcode

Maple
Dropboxer
Hi nuno,

Let's say you have your Google auth info saved on your phone and have disabled Google auth sign-in for your Dropbox account. You can do a password reset on the account and be able to sign in from the email that gets sent to that account, which you can access because you have saved the Google auth info.

If you do not want your "main" Google account associated with your Dropbox account because you use your main account for the Play Store, you should use another email for your Dropbox account. You can change the email associated with your account here:

https://www.dropbox.com/help/account/change-email

------------------------------
iOS Engineer @ Dropbox

16 Replies

Re: Android App Passcode

Mark
Super User II
You've missed one major thing here Nuno.

When you uninstall and reinstall Dropbox, you automatically remove all access to Dropbox, so you would need to log in to Dropbox again to access any files on the cloud.

Note, this may be different if files have downloaded and are in different caches (e.g. other applications).

 


:penguin::penguin: - :penguin: - :penguin: - :penguin:


Heart Did this post help you? If so please mark it for some Kudos below. 


:white_check_mark: Did this post fix your issue/answer your question? If so please press the 'Accept as Solution' button to help others find it.


:arrows_counterclockwise: Did this post not resolve your issue? If so please give us some more information so we can try and help - please remember we cannot see over your shoulder so be as descriptive as possible! 


 

Re: Android App Passcode

nuno
Explorer | Level 3

Hello,

Thank you for your reply.

However, like I said, access to Dropbox after installing is as easy as just clicking the "Sign in with Google" button.

If it required Dropbox password, I wouldn't really be concerned.

Regards,
Nuno

Re: Android App Passcode

Mark
Super User II
So that is something on the phone which is remembering that information - as that is the phone which is presenting that information to Dropbox, not Dropbox itself knowing it. The phone has had its security bypassed by whatever step told the phone it could remember the Google sign-in credentials (note I imagine it would also be possible to sign in at www.dropbox.com/home on the phone as well then, even without the app). That is, sadly, not Dropbox's fault - security on the phone has been sidestepped.

The only other thing I can think of would be removing the Google link at www.dropbox.com/account if the phone was stolen.

 




 

Re: Android App Passcode

nuno
Explorer | Level 3

I never connected Dropbox with Google before. This was a test I made, to see how easy it is to steal my Dropbox account if someone had my phone. I removed the link to Google in my Dropbox account settings and then did the same test. Again, I easily accessed my files.

Yes, I do have Google account linked to the phone, and I would like to keep it.


Maybe it would be a good idea to have some setting on my Dropbox account to DISABLE logging in with Google at all, or at least require password if I use that type of login.

But yes, now you reminded me that maybe if I change my Dropbox account email, it will stop auto-connecting to my account. Yet, that shouldn't be the fix for this problem, as not everyone is willing to have a secondary email, just to use with Dropbox...

 

Yes, this is a security issue from Dropbox, to me. Passcode should be server-saved, not "app-saved", which can easily be cleared within the phone.

Re: Android App Passcode

Mark
Super User II

@nunoperalta wrote:

Yes, I do have Google account linked to the phone, and I would like to keep it.


And that there is the security issue. Not Dropbox.

 


@nunoperalta wrote:

 

Yes, this is a security issue from Dropbox, to me. Passcode should be server-saved, not "app-saved", which can easily be cleared within the phone.


I disagree. Like all banking and mobile finance apps, the passcodes SHOULD be local to the device - that way if they are removed the passcode also dies with it. It also means it isn't possible to 'copy' the app between devices and keep security features in place.


 




 

Re: Android App Passcode

nuno
Explorer | Level 3

Ok, so you are basically saying that the Passcode functionality is totally useless, then?

You're blaming me for having the Google account on my phone, when *it is Dropbox* who is allowing to connect with Google, when I never asked for it.

 

Simply, Dropbox is the one to blame, when it is Dropbox who caused this security hole. Quit blaming the user for having their Google account on the phone, when Google is supposed to have nothing to do with Dropbox. You are not helping here.

Re: Android App Passcode

Rich
Super User II
Mark is correct here. You've told your phone to remember your Google credentials so you don't need to enter them. Then you're asking Dropbox to sign in with those credentials. If your Google credentials weren't remembered, you would be prompted to enter them before Dropbox could access your account. This is how Google designed the functionality.

I think the more important question here is, why isn't your device secured? If you lose your phone, no one would be able to get into it if it was secured. Require a passcode to unlock the device and none of this matters.

Re: Android App Passcode

Mark
Super User II
To add... you've told your phone to remember your Google credentials to speed up logins etc., just like it's doing here - so it's doing exactly as it's supposed to do. Security is being compromised for convenience.

The downside is that ANY program which has similar log on capabilities will have exactly the same issue.

 




 

Re: Android App Passcode

nuno
Explorer | Level 3

My phone is secured, yes.

 

Again, I told my phone to remember my Google account, as that's the way to login to Google Play, sync configs, etc.

The purpose is NOT to sign in faster on applications that have nothing to do with Google.

 

I did NOT tell Dropbox to accept logging in to Google account. I never linked Dropbox to Google before that login, and if I unlink Google from Dropbox, it will re-connect again with that login.


Dropbox should not auto-login to an account that was never linked to any Google account. I would understand the behavior, if I had linked to my Google account through my Account Settings, before. But that's not the case here.

So, I either would like that Dropbox always asks for my password, or at least remembers its Passcode I previously set.

 

Are you guys part of Dropbox support staff? If this is the kind of support I receive from Dropbox, I really should find some other service that respects users' security more.
