
MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?

SOLVED
Level 1

MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?

I examined “MacOS System Preferences > Security & Privacy > Privacy > Accessibility” yesterday, and I saw Dropbox.app listed under "Allow the apps below to control your computer", with its checkbox selected.

Since I had no idea when or how Dropbox.app got this permission, I immediately deselected the checkbox to disable the permission.

My questions are:

  1. Do you have any idea how Dropbox.app got permission to control my computer?
  2. Does it make any difference whether this permission is selected?
  3. From what I’ve said above, and in the notes below, does it sound as if there might have been a security breach involving Dropbox.app?
  4. Do you suggest that I take further steps to investigate this issue?

Additional Notes:

  1. I have been using Dropbox on MacOS X for more than one year. [Current versions: Dropbox 3.6.8, OS X 10.10.4]

  2. Dropbox.app is set to “Allow incoming connections” in “MacOS System Preferences > Security & Privacy > Firewall > Firewall Options..."

  3. I examined the MacOS Security & Privacy because I received the following Chrome Security Message when I tried to browse to https://www.dropbox.com/ while connected to an open public Wifi hotspot yesterday:
    --------------------- Begin Chrome Security Message ---------------------
    Your Connection is not private
    Attackers might be trying to steal your information from www.dropbox.com (for example, passwords, messages, or credit cards).
    www.dropbox.com normally uses encryption to protect your information. When Chrome tried to connect to www.dropbox.com this time, the website sent back unusual and incorrect credentials. Either an attacker is trying to pretend to be www.dropbox.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.
    You cannot visit www.dropbox.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
    ERR_CERT_COMMON_NAME_INVALID
    --------------------- End Chrome Security Message ---------------------

  4. A discussion on the internet said that this Chrome Security Message occurring on an open public Wi-Fi hotspot might be due to either (a) a web notification from the hotspot management system; or (b) a Man-in-the-middle attack!!

  5. While I was connected to the open public Wi-Fi hotspot, 'nslookup www.dropbox.com' resolved to 146.112.61.106, which is registered by OpenDNS in Vancouver, BC. (OpenDNS seems to provide security filter services for this open public Wifi hotspot.)

  6. When I got back on my normal private internet connection, 'nslookup www.dropbox.com' resolved to 108.160.172.200, 108.160.172.232, which are registered by Dropbox, Inc.

1 Accepted solution

Accepted Solutions
Solution
Super User

Re: MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?

Hello Gene, I was sufficiently intrigued to pose the question directly to Dropbox Support.

 

Ticket #3172481: DB: Dropbox app listed under "Allow the apps below to control your computer".

I'm sure there's a perfectly reasonable explanation why Dropbox needs permission to control Mac computers, I'd just quite like to know what it is.

 

Here is the reply, make of it what you will.

 

Thank you for writing in regarding the security of your account information. I can certainly understand you wanting to ensure the security of data you have entrusted to Dropbox. I will be happy to explain the measures taken by Dropbox to ensure the security of everyone's account.

Permission to control the computer is just another way of saying that there are certain system permissions Dropbox needs to function, and many of those permissions are to establish secure connections in order to protect the data contained within your Dropbox folders.

Operating system permissions prevent files from being viewed or edited by unauthorized logins. Permissions can be set any number of ways and can be restored manually through a fairly simple process.

Another possible cause of issues with Dropbox arises when conflicts exist between your local network sharing or folder redirection preferences set up in folders or files within your Dropbox. Similar effects can also happen when your Dropbox folder or its system files are located in a mounted network drive or a remote location (like roaming profiles) since this could cause Dropbox to not have constant access or permissions to operate in those locations. This is especially an issue if other people in the network could be accessing the same data. For these reasons, I'd suggest that you ensure that your setup does not include any of the above scenarios.

Additional permissions may be required when syncing mobile devices, particularly when photos or photo albums are involved. Since there is a great deal of personally identifying information stored in the metadata for a photo file (yes, people can find you if they know how to decrypt this metadata), some of the additional permissions required for our Carousel app, for example, include:

iOS

-Contacts
-Photos
-Camera
-Notifications
-Background App Refresh
-Use Cellular Data

Android

-In-app purchases
-Device & app history
-Identity
-Contacts/Calendar
-Photos/Media/Files
-Camera/Microphone
-Wi-Fi connection information
-Device ID & call information

Facebook does not offer a large amount of granularity or retroactive permissions control, so we need to request all the permissions we need or even may need in the future.

I want to reiterate the point that all these steps are taken in order to prevent access to your data, not to facilitate access to your data. Dropbox takes great pride in being a company worthy of the trust of our users, and we would never ask you to allow us access with the intent of violating that trust.

I hope this helps clarify our account security measures regarding permissions. Thank you so much for using Dropbox, and please let me know if there's anything else I can help with.

 

6 Replies

Level 1

Re: MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?

Thank you for checking, Robert. Their response seems to confirm that this permission setting is normal for DropBox on MacOS. I am wondering whether you saw this permission setting on your Mac as well?

BTW: I'm also curious whether MacOS informed me about this permission setting when I first installed DropBox (similar to notifications when apps are installed on Android). It was over a year ago and I just don't remember. And my curiosity is not sufficient for me to want to take the time to try a fresh reinstall.

Re: MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?

Thanks Robert. I was looking into the same setting today when I was setting up access to another application on my system - the Dropbox app was enabled to control my computer.

Gene, I don't recall the installation process requesting this permission explicitly, but I do remember I had to enter my password in order to have Dropbox installed. I guess that is the part where the Dropbox app is trying to acquire the permission?

Level 1

Re: MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?

Curious, as we can ourselves authorize OS X to give an app access to our information as needed. For example, we can authorize Dropbox access to our photos (if we were to use Dropbox as a photo back-up). Why the need to give up access across the board as opposed to an as-needed basis?

There are apps that require this level of access because they actually perform tasks that require control of the OS (Alfred, Parallels, etc.), which is easier to understand. Dropbox is the first cloud service (that I've encountered) that requires this level of access. It's hard for me to grasp why giving up OS-level access to data that Dropbox doesn't need for our use makes our data safer.

Syncing data for example seems to work fine without the permissions checked. What am I missing?

I'm not trying to be combative; just hoping to get a better understanding. Thanks much.

 

Level 1

Re: MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?

I've only learned of this issue recently, some six months after the last post in this thread.  Does anyone know if Dropbox has addressed this issue in any way other than the non-answer answer above?  This is a potentially serious security vulnerability.  I'd be very sorry to learn it has gone unaddressed for this long.

Super User II

Re: MacOS X Security - Is it normal to allow Dropbox.app "to control your computer"?