Dropbox, Androids, And Security

Previously:
Sync Files With Dropbox
Dropbox for iPad, Android

Almost everyone should take a look at Dropbox, the service that syncs folders and files among your computers and mobile devices. If you have more than one computer (home/office/notebook) and you haven’t started using it yet, then go read about it and get started! I’m going to highlight a security issue but that shouldn’t discourage you from using it for all the things it does so well – just keep an eye on all of your tools with security and privacy in mind.

Dropbox has released apps that allow iPhones, iPads and Android devices to connect to your Dropbox folders and display the files and folders you have stored there. When you click on a file, Dropbox downloads the file and displays it to you with the appropriate phone app. It’s simple and elegant, like everything else about Dropbox, and designed to meet the needs of most people without adding an overwhelming variety of choices. Great, right?

Last month I put the Dropbox app on my Android phone and clicked to see some files. Bang! There they were. Word and PDF files looked great and I could zoom in and out to see all the details. I experimented with some tricks to upload photos and a few other things. Everything worked smoothly and quickly. I was impressed.

Right up until I had a moment that made me break out into a sweat at how close a call I was having with security. I literally dropped the phone when I had the “ah ha!” moment.

I’m using Dropbox to sync a lot of folders. Photos. Internet favorites. Documents.

And one folder named “Client Info.” A separate document for each client. It has every password, every remote access method, every license key. Administrator passwords. User names and passwords. Router passwords.

And all I had to do was touch the file name on my phone and bang, all that information was displayed.

Oh. My. God.

The loss of the phone would potentially have compromised everything for every one of my clients.

The Dropbox app isn’t designed to let you conceal or password protect folders. I looked into different ways to handle that but the best one was – get Dropbox off that phone, right now.

I work with a lot of law firms. Dropbox can be a tremendously useful tool for lawyers who want to work on client files at home or on a notebook while they’re travelling – but they will have no defense if they blow a client’s privilege when they misplace their smartphone.

There are two tips to keep in mind if you have sensitive files in Dropbox but you want the convenience of having access to those files from your smartphone or iPad.

  1. You can leave the Dropbox app installed on the phone but unlink it from your Dropbox account until you need it. It can be unlinked from the Settings menu on the phone or from the Dropbox web site. You’ll have to put in the email address and password each time you want to use it, and you’ll have to remember to unlink it when you’re done. It’s a pain but it’s possible.
  2. If you lose your phone, immediately get to a computer where you can move every sensitive file out of your Dropbox. They will then also disappear from every linked Dropbox device, including the lost phone. Or, you can unlink the phone from the Dropbox web site, which I think would also be sufficient to block access.

The Dropbox team is actively developing the mobile apps and I would guess that within a few months we will have an optional feature to require entry of a PIN before Dropbox will run on our smartphones and iPads. For the moment, I’ve uninstalled it from the phone and left it on the computers, where I use it every day.