Dropbox Says it Must do a Better Job Communicating OS Integration and Permissions


Dropbox has faced several concerns about how its desktop client integrates with Mac OS X. The company has been asked to communicate more clearly how the integration happens and how the permissions are requested.

In a statement to TechCrunch, Dropbox admitted that it must do a better job in communicating how it integrates with various operating systems and how it asks for permissions. Dropbox’s Ben Newhouse said:

“Clearly we need to do a better job communicating about Dropbox’s OS integration. We ask for permissions once but don’t describe what we’re doing or why. We’ll fix that.”

Concerns about the desktop client have circulated on Twitter and Hacker News, with one user describing the OS X security “hack” by Dropbox as “using a sql attack on the tcc database to circumvent Apple’s authorization policy.”

A Twitter user showed that Dropbox’s desktop client uses a non-official OS X security dialogue box in order to get users to hand over their admin passwords, which allows the client to gain root access to the system. In a statement, Newhouse said:

“We only ask for privileges we actively use — but unfortunately some of the permissions aren’t as granular as we would like. We use accessibility APIs for the Dropbox badge (Office integrations) and other integrations (finding windows & other UI interactions).

We use elevated access for where the built-in FS APIs come up short. We’ve been working with Apple to eliminate this dependency and we should have what we need soon.

We never see or store your admin password. The dialog box you see is a native OS X API (i.e. made by Apple).”

Newhouse said that the desktop client requires the permissions to check and set application and folder privileges on startup, in addition to verifying that the application is working properly. Dropbox’s explanation of why it needs admin privileges is very vague, and I would like to see more technical details in its response. I’d like to believe that Dropbox does have a valid technical reason for requesting this level of access.

The company has apologized for the frustration and confusion that it has caused and promises to do a better job in the future.

If you are a Mac client user and are not convinced by Dropbox’s response, a post from AppleHelpWriter shows how to remove Dropbox from OS X’s Accessibility preferences.