Or Peles and I have recently discovered a vulnerability in the Dropbox SDK for Android. This vulnerability may enable theft of sensitive information from apps that use the vulnerable Dropbox SDK, both locally by malware and remotely by using drive-by exploitation techniques.

We privately reported the issue to the Dropbox team, which soon provided a fix in version 1.6.2 of the SDK. I would like to personally thank Devdatta Akhawe of Dropbox for the outstanding way in which he handled this security issue.

A video demo of the exploit we developed against 1Password (now patched), a password-management app that uses the Dropbox SDK, is available here.

More details are available at:

1. Blog post: http://ibm.co/1Hosb02
2. Whitepaper: http://bit.ly/1BqEwjo