Posted 10. October 2013. by Miroslav Kovac in Internet Security

How Safe is Dropbox?


Over the last year, cloud services like Dropbox have attracted many people and organizations because of the financial and management advantages of the technology. The same popularity has attracted attackers trying to get hold of the private data of Dropbox users.


Dropbox Review

Dropbox is a free and extremely easy-to-use tool for sharing files, photos, and videos, and syncing them among your devices. You can also use Dropbox to back up files and access them from other computers and devices (including smartphones and tablets), with dedicated apps for each device you own running Android, Mac, Linux, BlackBerry or iOS.

Dropbox is especially good for backing up your files online, although the biggest barrier to this is the size of your backups. You get 2GB free with Dropbox, or you can choose 100GB, 200GB, or 500GB for a monthly fee. There are also business plans that start at 1TB for five users. You’ll just have to make sure that the files you want backed up live in the Dropbox folder.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.


Is Dropbox safe to use?

The move to hosted services like Dropbox raises questions about what cloud users can and should do to keep their information and data secure and compliant.

Cloud security drew attention in 2012 with Dropbox’s admission that usernames and passwords stolen from other websites had been used to sign into a small number of its accounts.

A Dropbox employee had used the same password for all his accounts, including his work account with access to sensitive data. When that password was stolen elsewhere, the attacker discovered that it could be used against Dropbox.

This was a powerful reminder that users should rely on different passwords for each secure site and service.

Cloud authentication problems are not new to Dropbox: in 2011 it accidentally removed all password protection from all Dropbox users’ files for nearly four hours.

Also, VentureBeat reported that the Dropbox iOS app was storing user login credentials in unencrypted text files—where they would be visible to anyone who had physical access to the phone.


Dropbox has since improved security by introducing optional two-factor authentication, but its problems raise broader issues.

In May 2012, the Fraunhofer Institute for Secure Information Technology reported on vulnerabilities associated with registration, login, encryption, and shared data access on seven cloud storage sites.

It’s worth noting that Dropbox and some other sites already encrypt data in storage and in transit, but this only protects data that has not been accessed using a legitimate user ID and password. Data stored on public cloud systems is subject to the surveillance and interception laws of every jurisdiction in which those cloud systems have servers.


Two-factor authentication in Dropbox

Dropbox’s difficulties have called greater attention to cloud security in general. With public cloud services and infrastructure beyond the control of the IT organization, how should companies approach security and compliance?

Two-factor (or multi-factor) authentication is a must. But is it enough?

What Encryption does Dropbox use?

Dropbox claims that:

At Dropbox, the security of your data is our highest priority. We have a dedicated security team using the best tools and engineering practices available to build and maintain Dropbox, and you can rest assured that we’ve implemented multiple levels of security to protect and back up your files. You can also take advantage of two-step verification, a login authentication feature which you can enable to add another layer of security to your account.

When it comes to the encryption methods Dropbox uses, they state that:

  • Dropbox uses modern encryption methods to both transfer and store your data.
  • Secure Sockets Layer (SSL) and AES-256 bit encryption.
  • Dropbox website and client software are constantly being hardened to enhance security and protect against attacks.
  • Two-step verification is available for an extra layer of security at login. You can choose to receive security codes by text message or via any Time-Based One-Time Password (TOTP) apps, such as those listed here.
  • Public files are only viewable by people who have a link to the file(s).

Dropbox uses Amazon’s Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon’s data security on the S3 site, or read more about how Dropbox and Amazon securely store data.

In his interview for TechRepublic with ChenLi Wong, Business Operations at Dropbox, Michael Kassner asked a very interesting question regarding third-party encryption applications:

Kassner: There is a third party application called SecretSync that encrypts files before they are transferred to Dropbox. Would you recommend it for people that would like additional security? Would TrueCrypt be another option?

Dropbox: Yes, we have always recommended third-party encryption solutions for advanced users who are comfortable managing their own encryption keys. TrueCrypt has been the most popular option to date, but other solutions include EncFS, SecretSync, and BoxCryptor.

It’s important to understand that user-managed encryption has tradeoffs. First, many people publicly share photos and documents through Dropbox, and this will not be possible if those files are encrypted before being placed in Dropbox. Second, if they lose the password or encryption key to the files they encrypted themselves, those files are lost forever.

How to Secure your Dropbox account?

Popular cloud storage service Dropbox has had a history of security problems, ranging from compromised accounts to allowing access to every Dropbox account without requiring a password.

When and if you decide to use cloud services like Dropbox, the following three basic steps can help you protect your data:

  1. Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
  2. Use application controls to block or allow particular applications, either for the entire company or for specific group.
  3. Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronized, you have full control of the safety of your data. You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else. Should a key go missing for some reason—maybe the user simply forgot the password—the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.

I found a great article on HowtoGeek which is describing some of the ways to secure your Dropbox account:

  • Enable Two-Step Verification – With two-step verification enabled, you’ll have to enter both your password and a security code from your mobile phone whenever you sign into the Dropbox website or add a new device to your account. Even if someone else knows your Dropbox password, they won’t be able to log in without the time-sensitive code from your phone.
  • Unlink devices you don’t use and view web sessions
  • Get email notifications - Ensure email notifications are enabled so you’ll receive emails when new devices and apps connect to your account.
  • Manage linked Applications – Third-party apps often require full access to your Dropbox account, and the app retains access even if you stop using it. If the app itself is compromised or starts behaving maliciously in the future, it will be able to do damage.
  • Don’t reuse your passwords – You should use a unique password for your Dropbox account, one that you haven’t used for any other services.
  • Encrypt your Dropbox files – To protect yourself and ensure your sensitive files remain secure, you can encrypt the files you store in your Dropbox account. To access the encrypted files, you’ll need to know the encryption password – anyone without the encryption key will only see random, jumbled nonsense data.

Miroslav Kovac

Miroslav Kovac is a lead auditor for Information Security Management Systems with more than 10 years’ experience in security and computer networks. He currently works as sales and marketing manager at one of the biggest and most reputable software distributors in Serbia.