Dropbox - access to subfolder only

[vovodroid]

Currently plugin asks permission to the whole Dropbox account. From security reasons it would be much better to get permission to subfolder only, e.g. "KeeAnywhere".

[Kyrodan]

@vovodroid:
Please describe, what is the concrete security advantage with the folder method?

I see that both options are possible via Dropbox-API (https://www.dropbox.com/developers/reference/developer-guide#app-permissions).

I see some glitches:

• Requirement of more documentation and/or more configuration options. Both lead to more complexity which I don't really want. The plugin simply should work (even for novices).
• The folder name is not configurable, so it's always the plugins name (in this case "KeeAnywhere")
• Can other Apps (with full permission) access this folder? Thsi is needed for sharing with other (mobile) Apps like KeePass2Android. What if KeePass2Android also only allows access to "his" folder in future?

[vovodroid]

what is the concrete security advantage with the folder method

Assuming some malware attacked computer and stole DropBox auth tokens it will get access to whole DropBox account.

and/or more configuration options

I guess hardcoded name can be used to keep it simple.

Can other Apps (with full permission) access this folder

I believe it can.

[Kyrodan]

I see your point but I'm unsure about that. Currently I'm not willing to change something short-term: I won't restrict the plugin in this point. Maybe we find a better solution. I leave this issue open to collect some more opinions on that.

Here are my thoughts:
Isn't it a very theoretical scenario? Beneath the Auth Token you also need the App Key to get it to work (to be fair: the app key is not a real secret). And: your password database is maybe a more interesting target than your "other documents"? Wouldn't it be easyer to steal the Dropbox Client Auth Token than the token from this plugin? Wouldn't it be easyer to hack KeePass itself? Do you really store secrets like "other documents" unsecured (without any other encryption) in a cloud storage provider?

For me, cloud storage providers should be considered unsecure by default and the user is responsive for additionally protecting his data.

Btw: I can't change the app permission in Dropbox Developer Center at this time ... I need to create a new App Key (or revoke the current one).

[vovodroid]

your password database is maybe a more interesting target than your "other documents"

Sure. But it's not stored on computer.
And if computer is stolen, thief can extract DropBox credentials (and there is option to store them in KeePass xml file), and nevertheless a more bit of security never harms )

[namtab00]

+1 for App folder permissions only

[Kyrodan]

Hi @vovodroid, @namtab00, @0Derece,

I'd like to solve this by creating a "new" Provider "Dropbox-Secure" (URL-Schema "dropboxs") with folder permission only. This means I created a second App in Dropbox - one with full permission and one with app folder permission.

You can now register a new account either "Dropbox" or "Dropbox-Secure" (or mix both if you like).
See screenshot:

What do you think? Does this solve this issue for you all?

[Kyrodan]

Try it youself with a preview (unstable) of KeeAnywhere 1.2.0:
https://dl.dropboxusercontent.com/u/68134839/KeeAnywhere-1.2.0-unstable.plgx
https://dl.dropboxusercontent.com/u/68134839/KeeAnywhere-1.2.0-unstable.zip

[vovodroid]

What do you think?

I think it's great, working like a charm!

What about other providers, like Google Drive? Does it have the same issue?

[Kyrodan]

I haven't checked other providers so far. I just wanted to check out,
whether this idea is a suitable and accepted solution.

Vovodroid notifications@github.com schrieb am Mo., 20. Juni 2016, 16:28:

What do you think?
I think it's great, working like a charm!

What about other providers, like Google Drive? Does it have the same issue?

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#24 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AAVraitO2oeB67in7iEYPLFiwsOqIggzks5qNqOmgaJpZM4HulKL
.

[vovodroid]

whether this idea is a suitable and accepted solution.

Sure it is!

[onuruslu]

What do you think? Does this solve this issue for you all?

Thank you @Kyrodan... It's perfect...

[Kyrodan]

Checked this for the other providers:

• OneDrive: seems to be possible und usable. But the used library lacks this feature. Have another issue open to swap the library with the official one from Microsoft, see Replace currently used OneDrive client with the official one #2. Details can be found here: https://dev.onedrive.com/misc/appfolder.htm
• Google Drive: is possible, but not usable: files could not be accessed by the user itself and files get deleted, if app is unliked from account. It's better used for config files etc. than data. See details here: https://developers.google.com/drive/v3/web/appdata?hl=de
• hubIC: doesn't seems to be possible.

[Kyrodan]

@vovodroid @namtab00 @0Derece,

I renamed "Dropbox-Secure" to "Dropbox-Restricted". I think this is a more intuitive name. You all need to re-add your accounts in final 1.2.0.