8

As a mobile developer, I'm looking for a solution that allows users of my application to download multiple .zip files that will add a "modular" feel to my application. I've used the Dropbox API in another app to allow users to backup items to their account, but now I need the user to access my account.

Is there a way to authenticate the Dropbox session to my account automatically, or just connect to my Public folder without the user even noticing?

Followup Question

What are the security implications of hard-coding my access keys and app key/secret into an application? I know it is fairly simple to get the source code from an .apk, but what could someone do with that information?

Snailer
3 Answers

6

It's not the intended purpose of the API, but you could authorize an access token for your app manually once, and then embed and reuse that access token programmatically in all instances of your app. (You'd need to be careful not to accidentally revoke that access token though.) There are likely security and rate limiting concerns with this method though, depending on the specifics.

Or, the other method of using the link would probably be easier. Just make the link(s) desired (and convert to direct if necessary), then download from it. (Also, Dropbox isn't a CDN of course, so be aware of bandwidth limits.)

Followup Answer

If you embed your app token and access token in an app, an attacker could potentially extract those and would then have read/write/delete access (via the API) to as much of your Dropbox as the app has access to (either app folder or full Dropbox depending on your API app), regardless of any restrictions your app itself would normally try to enforce. For this reason, you wouldn't want to use this method to store any private information, e.g., any private user-specific files.

Greg
  • Thanks Greg, I actually figured it out last night. I thought there would be an easier way to get access tokens other than creating a demo app and logging in. Thanks for the link on bandwidth limits, I was wondering about that as well. Can you also shed some light on the followup question I added? – Snailer Feb 22 '13 at 21:43
  • If it's not the intended purpose of the API and has a potential risk of a security breach, then what could be an alternative way of doing it? Is there any service or API available for this? How about Google Drive or iCloud? I'm looking for a similar solution. Thanks. – atisman Mar 08 '13 at 02:08
  • Greg- 'It's not the intended purpose of the API, but you could authorize an access token for your app manually once, and then embed and reuse that access token programmatically in all instances of your app. (You'd need to be careful not to accidentally revoke that access token though.) '. Does this still work if at a later date I change my account password? – Ahmed Zafar Sep 03 '13 at 15:57
  • Yes, access tokens for an account are unaffected by changing the account password. (Access tokens can be revoked separately if desired via https://www.dropbox.com/account/applications ) – Greg Sep 03 '13 at 16:23
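The second option Greg describes (download from a shared link converted to a direct link, so the app carries no account credential at all) in working form, as an added example written for this page in Python rather than Android Java; it is not code from the question or from any answer. The shared link, the zip contents and the pinned digest are constructed here so the example runs offline, and the `fetch` parameter is a hook so the network call can be replaced. The digest check and the archive-name check are the practitioner's caveats that go with a public link: the link leaks nothing, but the app must not trust the bytes it gets back, and a zip that someone else could have written is untrusted input when it is unpacked.

```python
"""Download a "module" zip from a Dropbox shared link (no account token in
the app) and verify it before unpacking.

Added example, not code from the question or the answers. The shared link,
the zip bytes and the pinned digest are constructed here so the example runs
offline; `fetch` is a hook so a test can supply the bytes without network.
"""
import hashlib
import hmac
import io
import urllib.request
import zipfile
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: contents}; used for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, contents in entries.items():
            zf.writestr(name, contents)
    return buf.getvalue()


# Constructed two-file module standing in for a real download.
SAMPLE_MODULE = build_zip({
    "module.json": '{"name": "level-pack-1", "version": 1}',
    "assets/level1.txt": "constructed level data\n",
})
# The digest the app ships with for this module version (pinned at build
# time, never fetched from the same place as the zip).
SAMPLE_MODULE_SHA256 = hashlib.sha256(SAMPLE_MODULE).hexdigest()
# Constructed shared link; "EXAMPLEid" is not a real Dropbox share id.
SAMPLE_SHARED_LINK = "https://www.dropbox.com/s/EXAMPLEid/level-pack-1.zip?dl=0"


def to_direct_link(shared_url: str) -> str:
    """Convert a Dropbox shared link into a direct-download link.

    A shared link with dl=0 (the default) returns an HTML preview page;
    dl=1 makes the same URL return the file bytes. Other query parameters
    are left alone.
    """
    parts = urlparse(shared_url)
    if parts.scheme != "https" or parts.netloc not in ("www.dropbox.com", "dropbox.com"):
        raise ValueError(f"not an https Dropbox shared link: {shared_url}")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["dl"] = "1"
    return urlunparse(parts._replace(query=urlencode(query)))


def safe_member_names(data: bytes) -> list:
    """List the archive's members, refusing any that would escape the
    extraction directory ("zip slip"); the archive comes from a host the
    app does not control, so its entry names are untrusted input."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    for name in names:
        parts = name.replace("\\", "/").split("/")
        if name.startswith("/") or ".." in parts:
            raise ValueError(f"unsafe archive member: {name!r}")
    return names


def fetch_module(shared_url: str, expected_sha256: str, fetch=None) -> list:
    """Download the zip behind a shared link and verify it before use.

    The pinned SHA-256 is what makes the public link safe to rely on: the
    link itself carries no credential to leak, but anyone who later gains
    write access to the folder (for instance via an extracted token, as the
    answer above warns) could replace the zip, so the bytes must be checked
    against something shipped inside the app.
    """
    url = to_direct_link(shared_url)
    if fetch is None:
        def fetch(u):  # real network path; an offline test replaces it
            with urllib.request.urlopen(u, timeout=30) as resp:
                return resp.read()
    data = fetch(url)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"digest mismatch: expected {expected_sha256}, got {actual}")
    return safe_member_names(data)


if __name__ == "__main__":
    print(to_direct_link(SAMPLE_SHARED_LINK))
    print(fetch_module(SAMPLE_SHARED_LINK, SAMPLE_MODULE_SHA256,
                       fetch=lambda url: SAMPLE_MODULE))
```

Pinning one digest per module version means a new module needs a new app build (or a signed manifest the app verifies instead); that is the trade-off for having nothing in the app that an attacker can reuse against the account.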
1

Some time has passed, but now Dropbox will let you generate a public access token and use it inside your code.

So yes, there is a way to allow permanent access to the Dropbox API. We need to generate an access token from the application settings (Dropbox console) and use it. Here is what Dropbox says:

By generating an access token, you will be able to make API calls for your own account without going through the authorization flow. To obtain access tokens for other users, use the standard OAuth flow.

In code:

    import com.dropbox.client2.DropboxAPI;
    import com.dropbox.client2.android.AndroidAuthSession;
    import com.dropbox.client2.session.AppKeyPair;

    // Values from the Dropbox app console; ACCESS_TOKEN is what "Generate access token" produces.
    private static final String APP_KEY = "<app key>";
    private static final String APP_SECRET = "<app secret>";
    private static final String ACCESS_TOKEN = "<generated access token>";
    private DropboxAPI<AndroidAuthSession> mApi;

    private AndroidAuthSession buildSession() {
        AppKeyPair appKeyPair = new AppKeyPair(APP_KEY, APP_SECRET);
        // Supplying the OAuth 2 token here pre-authenticates the session, so no
        // startOAuth2Authentication()/finishAuthentication() round trip is needed.
        return new AndroidAuthSession(appKeyPair, ACCESS_TOKEN);
    }

    mApi = new DropboxAPI<AndroidAuthSession>(buildSession());

And here we go, just use mApi to do whatever you want.

mhdjazmati
0

What are the security implications of hard-coding my access keys and app key/secret into an application?

Someone with enough motivation would eventually get your access keys.

I know it is fairly simple to get the source code from an .apk, but what could someone do with that information?

They could do whatever you can do with that information.

Jonas Czech
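The followup answer and Jonas Czech's answer both say the keys come out of the .apk with little effort. As an added example (not code from the question or any answer), here is a Python scanner that does that first step: since an APK is a zip, it reads printable strings straight out of classes.dex and the resource files, the way `strings` would, without decompiling anything, and flags the ones that contain or sit next to a credential-looking name, or that have the shape and entropy of an opaque token. The sample APK, the class name, the app key/secret and the token are all constructed in memory so the example runs offline; the keyword list and the entropy threshold are heuristics chosen for this example, not a description of Dropbox's token format.

```python
"""Pull printable strings out of an APK and flag likely embedded secrets.

Added example; not code from the question or any answer. The APK below is
constructed in memory (class name, app key/secret and token are made up)
so the example runs offline; pass the bytes of a real .apk to
find_candidate_secrets() to scan one. The keyword list and entropy
threshold are heuristics for this example, not Dropbox token formats.
"""
import base64
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

# Constructed values standing in for a hard-coded app key/secret and a
# long-lived access token. The token is derived from a hash purely so it
# looks like an opaque high-entropy credential.
CONSTRUCTED_APP_KEY = "ab12cd34ef56gh7"
CONSTRUCTED_APP_SECRET = "zy98xw76vu54ts3"
CONSTRUCTED_TOKEN = base64.b64encode(
    hashlib.sha256(b"constructed example token").digest()).decode()

KEYWORDS = ("dropbox", "app_key", "app_secret", "access_token", "secret", "token")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # like `strings -n 6`
TOKEN_SHAPE = re.compile(r"[A-Za-z0-9+/=_.\-]{20,}")      # opaque-token charset
ENTROPY_THRESHOLD = 3.5  # bits per character; heuristic cut-off


def build_sample_apk() -> bytes:
    """Minimal APK-like zip: a fake classes.dex whose string table holds
    the credentials, a properties file, and a harmless asset."""
    dex_like = (b"dex\n035\x00" + b"\x00" * 8
                + b"Lcom/example/modules/DropboxConfig;\x00"
                + b"APP_KEY\x00" + CONSTRUCTED_APP_KEY.encode() + b"\x00"
                + b"APP_SECRET\x00" + CONSTRUCTED_APP_SECRET.encode() + b"\x00"
                + b"ACCESS_TOKEN\x00" + CONSTRUCTED_TOKEN.encode() + b"\x00"
                + b"Loading, please wait...\x00")
    props = (b"app_key=" + CONSTRUCTED_APP_KEY.encode() + b"\n"
             + b"access_token=" + CONSTRUCTED_TOKEN.encode() + b"\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_like)
        zf.writestr("res/raw/dropbox.properties", props)
        zf.writestr("assets/readme.txt",
                    b"Thanks for installing the level pack downloader.")
    return buf.getvalue()


SAMPLE_APK = build_sample_apk()


def extract_strings(data: bytes):
    """Yield runs of printable ASCII in file order (what `strings` prints)."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.group().decode("ascii")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(s: str, previous: str) -> list:
    """Reasons a string looks like a secret, or sits right after a label
    for one (in a string table the value usually follows its name)."""
    reasons = []
    if any(k in s.lower() for k in KEYWORDS):
        reasons.append("keyword")
    if previous and any(k in previous.lower() for k in KEYWORDS):
        reasons.append("follows-keyword")
    if TOKEN_SHAPE.fullmatch(s) and shannon_entropy(s) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def find_candidate_secrets(apk_bytes: bytes) -> list:
    """Scan every entry of the APK; return (entry, string, reasons) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            previous = ""
            for s in extract_strings(zf.read(info.filename)):
                reasons = classify(s, previous)
                if reasons:
                    hits.append((info.filename, s, reasons))
                previous = s
    return hits


if __name__ == "__main__":
    for entry, s, reasons in find_candidate_secrets(SAMPLE_APK):
        print(f"{entry}: {s!r}  [{', '.join(reasons)}]")
```

Whatever this prints for a real build is what anyone who downloads the app can read, which is why the answers above say an embedded token gives an attacker exactly the access the app has. Expect noise: class names and resource paths that mention "dropbox" get flagged too, and that is the cost of a context heuristic rather than a defect.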