I know some of the people who read this blog use Dropbox. Those of you who don’t, should look it up; it’s a really simple cross platform app for syncing files between machines, sharing files and folders with other people, or simply providing near real-time automatic online backups with revision control.
Out of curiosity, I fired up tcpdump on my router to have a look at the traffic my Android phone’s Dropbox client was transferring during usage. To my surprise, I noticed that all file metadata was sent in the clear.
On https://www.dropbox.com/help/27 it clearly states:
"All transmission of file data and metadata occurs over an encrypted channel (SSL)." (This has changed. See update at the end of the post)
Well, not when using the Android mobile client it isn’t. The metadata is most definitely sent in the clear. I have an “Invoices” folder which contains PDFs of invoices that I have sent out to my clients. If somebody happens to be sniffing the network traffic when I view this folder from my phone, they’ll get a list of all my clients (from the filenames), along with approximate dates I worked for them (from the last modified timestamp). That wouldn’t be the end of the World, but I consider that information to be reasonably private, and I’m sure other people use Dropbox for data that is considerably more private.
I contacted Dropbox and asked for comment. Their response was as follows:
Hi, The information in the help center is in relation to the Dropbox desktop and website and doesn't apply to the mobile interface. I'm sorry that this isn't more clearly defined. I will discuss this further with our mobile team to see if we can offer the option of total transmission encryption on the phone and update this document to reflect the current status of metadata transmission. Best, Todd
A reasonable response? Maybe… Except that, since they replied, I’ve done some searching and found a thread on their forum which discusses this issue. Apparently they’ve already known about it for at least four to five months. It would have been nice if they’d mentioned this in their response to me, rather than pretending it’s a new issue.
If they’re purposefully sending metadata via http instead of https for performance reasons, or for battery life, I don’t buy it. Not until I see figures proving that there is a significant saving. Even if there is a performance/battery life cost, it’s worth taking the hit. How can they claim to take security seriously if they’re willing to throw encryption out of the window for a small performance boost, in direct contradiction of what their official security page states? Are they going to start encrypting file metadata? From their response to me, and from comments in their forum post, I’ve no idea… Should they? Of course! Please join me in putting pressure on them to do so.
If you want to prevent these sort of leaks, you can use a third party encryption product like TrueCrypt to secure the individual file metadata along with the actual file data. The only problem with this, is that you wont be able to access your files using the mobile Dropbox client anymore. Not unless you find some way to decrypt them on your phone.
I’d like to use AeroFS in place of Dropbox. It sounds similar but more flexible and more secure. The only trouble is, they’re lacking mobile clients at the moment. They’re also still in “alpha/beta” mode and require invites to join up. Worth keeping an eye on though.
I received a comment from Dropbox regarding this blog post:
Hi Mike, Thank you for the blog coverage of this issue. This has been a topic of ongoing discussion for our mobile developers and the preference of speed over security when it comes to file metadata on mobile may change in the future. Best, Todd
So yeah. This is a speed vs security issue. Also, on their security page, they have modified the sentence where it says they encrypt file data and metadata such that it now only states that they encrypt file data. No mention of the fact that the mobile client doesn’t encrypt metadata though. Feels slightly dishonest to me.