macOS Sierra Addresses Dropbox Security Concerns by Explicitly Asking for Accessibility User Permission

Tuesday September 20, 2016 2:32 PM PDT by Joe Rossignol
Following Dropbox-related security concerns that surfaced earlier this month, developer Phil Stokes has confirmed that macOS Sierra now explicitly requires apps to ask for user permission to access Accessibility (via Daring Fireball). Users can give access to an app, or click "not now" to deny the request.

dropbox-accessibility-permission
Concerns were raised after it was demonstrated that Dropbox appears in System Preferences > Security & Privacy under Accessibility, despite the fact that users were never prompted to grant access to the features. More details can be found in our previous coverage and in a Dropbox support document.
Let’s assume for the sake of argument that Dropbox never does any evil on your computer. It remains the fact that the Dropbox process has that ability. And that means, if Dropbox itself has a bug in it, it’s possible an attacker could take control of your computer by hijacking flaws in Dropbox’s code. Of course, that’s entirely theoretical, but all security risks are until someone exploits them. The essence of good computer security and indeed the very reason why OSX has these kinds of safeguards in place to begin with is that apps should not have permissions greater than those that they need to do their job.
At the time, Dropbox said it was working with Apple to reduce its dependence on elevated access in macOS Sierra, and would respect when people disable the app's Accessibility permissions, but now a much-needed safeguard exists regardless.

In a new blog post, Dropbox still recommends that Mac users running macOS Sierra update their Accessibility permissions, if needed, to ensure smooth syncing and access to certain features of the cloud storage service.
Advanced Dropbox collaboration features, such as the badge, require Accessibility permissions. You’ll be prompted to grant these permissions when you install the Dropbox desktop app on macOS Sierra. To do so, follow the instructions on screen. The same will apply for older versions of OS X in the coming weeks. For more information on Dropbox Mac permissions, visit our help center.
macOS Sierra was publicly released today as a free update on the Mac App Store.

Tags: Dropbox, security, accessibility
21 comments


Top Rated Comments

(View all)
Avatar
dragje
34 months ago

Drop-who?

However in all seriousness, I abandoned Dropbox ages ago and migrated to Google Drive and have never looked back.

Dropbox are "ok" no doubt but lack so many features and compared to Google are seriously slow. My file transfers since switching to Google Drive have more than tripled!



I'll never move my documents to Google Drive which enables the company to look inside within each document for commercial exploitation usage. For the same very reason I rarely using Google as a search engine, simply because I truly hate the so called targeting adds, as if I'm considdered to be a f*beep*ing monkey that would be interested in camera's for weeks just because I was searching for one at one given day. Google makes sure that all the adds on websites, in one way or the other, has something to do with camera's.

I'll regret the day that I might not care about this any longer, that I'm willingly stop using my brains and surrender myself entirely to commercial exploitation and accept that I've become a slave for a company by providing them personal information about myself and by agreeing that "to think yourself" is something one should not do. For the same reason I don't make use of facebook, delete apps that requires a facebook and/or a Google account and doesn't enable me to login besides these options.

I grew up in the world where the internet became big. And I'm really became fascinated with the phenomenon called the internet. And I should because it delivers also so much good. But I've never been able to understand why people willingly give away all of their private information, especially knowing that there is no such thing as: 'I've nothing to hide'
Rating: 7 Votes
Avatar
simonmet
34 months ago

I came here to say the same thing. No matter which box you click: "Not Now", "Learn More", or obviously the third one, it puts itself in Accessibility.

My response was to remove Dropbox from my computer.


This is an OS X behaviour and unrelated to Dropbox. OS X is putting it there and this I believe is nothing new. The problem before was that Dropbox seemingly exploited loopholes or weakness in OS X to enable those privileges without asking.

It also replicates behaviour in iOS. If you deny an app permission to send you notifications or have access to your location the app still appears in the relevent settings so you can subsequently enable the permissions later if you so choose without having to delete and reinstall the app.

So it's entirely appropriate and normal that OS X puts it there.
Rating: 5 Votes
Avatar
sesnir
34 months ago

I chose "Not Now" and Dropbox still jumped into Accessibility—though unchecked. My question is, how does it get in there?


I came here to say the same thing. No matter which box you click: "Not Now", "Learn More", or obviously the third one, it puts itself in Accessibility.

My response was to remove Dropbox from my computer.
Rating: 2 Votes
Avatar
Pakaku
34 months ago

I chose "Not Now" and Dropbox still jumped into Accessibility—though unchecked. My question is, how does it get in there?

Sounds like the OS itself just keeps a history of whatever has attempted to ask for permission, and anything the user denied permission for is just left there unticked.
Rating: 2 Votes
Avatar
Michaelgtrusa
34 months ago
Well done Apple.
Rating: 2 Votes
Avatar
Mac Fly (film)
34 months ago
OK. I unlinked Dropbox from my Mac. I then AppZapper-Uninstalled it. I emptied trash. Re-downloaded the app. Denied System Preference access to Security and Privacy, and additionally chose "Not Now" in this new option.

And yet, yes it remains unchecked, but how did it jump in here to the Security and Privacy pane in System Preference again? Am I missing something? As if they're default "enable finder integration" crap wasn't offensive enough. Is it that corporations are just inherently untrustworthy.

Rating: 1 Votes
Avatar
smacrumon
34 months ago

Drop-who?

However in all seriousness, I abandoned Dropbox ages ago and migrated to Google Drive and have never looked back.

Dropbox are "ok" no doubt but lack so many features and compared to Google are seriously slow. My file transfers since switching to Google Drive have more than tripled!

And I guess you're happy for Google to peruse your files on a daily basis.
[doublepost=1474429813][/doublepost]This is really interesting. Who would have thought MacOS could be circumvented like this? I certainly didn't. Yep post those permission warnings just like iOS vigilantly does.
Rating: 1 Votes
Avatar
jonnysods
34 months ago

You must be dealing with a small number of file types?

I've had trouble getting Google Drive to sync Mac "packages". These behave like a regular file, but are actually special folders. OmniGraffle is an example of an app that I use frequently which defaults to saving package-based files. These do not sync into Google Drive, but work just fine with Dropbox, though. OmniGraffle does offer a "flat-file" format, too, for times when that's more desirable. However, I still things these would not work with Google Drive (correct me if I'm wrong). I think Google Drive can only sync file types that it's aware of, such as Word documents and raster images. Can it handle Photoshop and Illustrator files? Files from lesser-known apps?


I tried to use google drive and found it to be slow and cumbersome. I had to go back to Dropbox because GD couldn't handle the transfers and quantity. It would crash frequently etc.
Rating: 1 Votes
[ Read All Comments ]