Dropbox tackles security fears surrounding its Mac app

It wants to be clearer about the permissions it needs, and promises tighter reins on security in the future.

Dropbox has already raised some eyebrows over its requests for ever-deeper access to your computer, and recent discoveries aren't helping things much. Users now claim that Dropbox's Mac app asks for overly broad permissions, swipes your password and even hacks the operating system. The cloud storage service denies the claims and is trying to allay those fears, though. Desktop app team member Ben Newhouse has responded to concerns on Hacker News with both an explanation of design decisions and a promise to improve its transparency.

The app only asks for the permissions it needs, Newhouse says. It uses the Mac's accessibility kit for certain tie-ins (such as in Office), and demands elevated access to your OS when standard programming interfaces fall short. The permissions aren't as "granular" as Dropbox would like, the developer adds. He stresses that Dropbox can't see your system's administrator password, and a privilege check on startup is only to make sure the software works consistently, especially across OS versions.

As for how the company will turn things around: to start, it wants to do a "better job" explaining what its software is doing and why it needs the permissions it does. It's also teaming with Apple to reduce that dependence on elevated access in macOS Sierra, and will respect users' choice when they disable Dropbox's accessibility permissions -- currently, it turns the permissions back on.

The service reiterated its position in a statement that you can find below.

The effort to come clean may assuage those worried Dropbox is running roughshod over your computer. However, it's not pleasing everyone. Hacker News users want the firm to more explicitly outline why it needs the permissions it does, and they're worried that the broad system-level control opens the door to malware that otherwise wouldn't be possible. It's important to stress that Dropbox's requests aren't unique -- apps like Chrome and Steam also demand accessibility permissions for features, such as Steam's screen overlay. However, that might not reassure customers who believe that Dropbox's existing approach is both unnecessary and risky.

"Dropbox, like other apps, requires additional permissions to enable certain features and integrations. The operating system on a user's device may ask them to input their password to confirm. Dropbox never sees or receives these passwords. Reports of Dropbox spoofing interfaces, or capturing system passwords are absolutely false. We realize that we can do a better job communicating how these permissions are used, and we're working on improving this."