The work also paves the way for a full open source Dropbox client

Aug 28, 2013 08:15 GMT

A couple of security researchers have successfully reverse engineered the Dropbox client code, making it possible to hijack it and its connection to the Dropbox servers in several ways.

The researchers, Dhiru Kholia and Przemyslaw Wegrzyn, have showcased several methods through which the Dropbox client could be used to gain access to an account and its credentials.

Dropbox builds its client apps in Python, the same programming language it uses for its server-side code; the client code is heavily obfuscated to hinder reverse engineering.

Despite the difficulties, the researchers were able to extract the plain Python bytecode that makes up much of the app, making it possible both to replicate all of the app's functionality and to intercept its communications with the server.

Because it uses Python, once the unobfuscated code is extracted, you end up with essentially the source code of the app.

This made it possible to not only study its inner workings and come up with attack methods, but also to implement an open source cross-platform Dropbox client.

In fact, the methods the authors used to "unfreeze" the Dropbox code could be used to reverse engineer other Python apps as well.

"Our work uses various code injection techniques and monkey-patching to intercept SSL data in Dropbox client," the researchers explain in their paper [PDF].

"Additionally, we show how to bypass Dropbox’s two factor authentication and gain access to user’s data," they added.

All of these methods rely on access to the machine running the Dropbox client, so while they may be interesting to researchers, they are of limited use to those actually up to no good: an attacker who already has access to your computer already has all your Dropbox files.

More interestingly though, the work has made it possible to write a full-fledged open source Dropbox client. In fact, the authors are hoping someone will do just that.

"Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client," they write.

Of course, there is no guarantee that Dropbox will ever allow open source clients to connect, or that it won't periodically change things such as API calls just to break these unofficial clients.