Dropbox app permissions too wide

digitalex
Community Member

I just installed and wanted to sync with Dropbox, but 1p is requesting full access to my Dropbox. This is unacceptable to me, and I'm sure for lots of others. The Dropbox API (https://www.dropbox.com/developers/reference/devguide) seems to support several other access types, all of which are more restrictive. There surely must be a way to use one of those instead?

Comments

  • powellcb
    Community Member

    Concur. I accepted this access level for purposes of the beta, but it should be addressed before 1.0.

  • Hi! While this documentation was written with iOS in mind, the same concept applies to 1Password for Android. I think you'll find some answers on why we need to request full access to Dropbox. Please take a look through it, and let us know if you have any other questions.

  • RichardPayne
    Community Member

    Surely now is the time to offer a choice during setup, use the old format or use a proper sandboxed setup.

  • Perhaps we can have something like this for our power users. I'll pass on these details to our developers, thank you for your input.

  • cjoy
    Community Member

    Please do.
    For an app that is fundamentally about security, I find it very disconcerting that this legacy issue has not yet been resolved.
    There is absolutely no reason why a sandboxed "/Apps/1Password" directory should not be the default for new Dropbox sync setups, with the option to copy over existing profiles and switch permissions for legacy users. This should be the "default" by now and certainly not a "power user" feature.

  • @cjoy I can certainly understand your concerns about granting full access of your Dropbox to any app and the same principles would also apply to us. Ideally, we would only request app folder permissions at first and then allow the user to escalate those permissions to full access if they needed to look outside the /Apps/1Password directory for their vault. This would address the concern that you have while also providing legacy support to our existing customers. Unfortunately, it is not as simple as that.

    Accessing the Dropbox API requires the use of a Dropbox API key, which is issued to us by Dropbox. The API key is bound to a fixed permission level that cannot be changed later. This means that we cannot provide an option to our users to increase the scope of the permission when needed, as it is not something that can be requested on the fly. It also means that we can't lower the permission level required without changing to a new API key (which would break sync for all of our existing Android users).

    This is not to say that we are not considering how we might transition to an app folder permission. Rather I'm saying that it is something that requires careful consideration in order to avoid negatively affecting our customers. I hope this explanation helps!

  • RichardPayne
    Community Member

    Will Dropbox issue two keys to you, one full and one restricted which you can switch between?

  • That is something that we have previously considered, however Dropbox's official policy is:

    If you build multiple apps, use one and exactly one key for each app you make.

  • RichardPayne
    Community Member

    Do you have the ability to mailshot your user base? If so then maybe consider mailing everyone to explain that in a couple of months the access levels will be changed and that they need to have moved their vault into the app folder by then.

    You're going to have to bite the bullet at some point or it will never change. Surely it's better to do it sooner rather than later given that the Android app has only been out a couple of months. It will be harder after a couple of years' worth of new users have configured it badly.

    Granted, this will generate an increase in support requests, but if you have a detailed FAQ prepared in advance then it shouldn't be too horrible. Maybe leave it until after the iOS/OSX chaos has calmed down though. ;)

  • Timing is everything. Well, maybe not everything, but it can sure have a big impact. As such, this is something that we have to consider carefully. Thank you for the suggestions!

  • Holst
    Community Member

    Hi everyone,

    At least I found an explanation to why you need access to my entire Dropbox. Thank you.
    I was specifically looking for an answer to this as it is something that makes me consider other options as a user.

    It raises concern that you have unnecessary access to all my boring Excel files and that's something that I want to keep separated from other app access...

    I hope a solution will get high priority.

    (Except for the above, I really think the app looks great!)

  • Thank you for your feedback @Holst. I will definitely pass on your comments to our dev team.

This discussion has been closed.