Dropbox Reverse Engineering an Omen for Software Industry
The risks of relying on the cloud have been discussed at length, but security researchers are about to add a new danger that users will soon have to worry about: Reverse engineering the software directly.
Wed, August 28, 2013
PC World — The risks of relying on the cloud have been discussed at length, but security researchers are about to add a new danger that users will soon have to worry about: Reverse engineering the software directly.
In a new paper, "Looking inside the (Drop) box" [PDF], security pros Dhiru Kholia and PrzemysBaw Wegrzyn outline in painstaking detail the steps they took to successfully decode the program that makes up the Dropbox user client, essentially opening it (and their would-be victims' accounts) up for direct attack.
Reverse engineering is not a malicious attack, per se, but is rather a long-standing technique used to take a peek under the hood of any high-tech product, typically a piece of hardware. Reverse engineering of software has become more popular in recent years, as well, with original developers and reverse engineers continually one-upping each other in an attempt to protect their code or to expose it, respectively.
On the developer side, various terms are used to describe this. Applications that the developers are attempting to protect are called hardened or obfuscated. These techniques are used when a developer doesn't want to open his code base for analysis, review, attack, or (more to the point) outright copying by others. (This is the antithesis of open source programming.)
But in many cases, these attempts to protect software become counterproductive, and the more popular a hardened/obfuscated piece of software becomes, the more likely it is to earn the attention of hackers. For a good example of this, consider the decades-long attack-and-patch war that Microsoft has endured with hackers targeting virtually all of its products.
But a vast piece of software like Microsoft Office isn't nearly as ripe a target for reverse engineering today as the relatively compact Dropbox client, and the potential gains for an attacker are arguably far greater for the latter anyway. Why? Because reverse engineering the Dropbox client means you can access your victims' data from afar, opening the door to see what 100 million users who upload a billion files to the service every day are doing. What digital treasures await the hacker who manages to kick that door open?
Dropbox does not publish its source code, and its API has no documentation. Nonetheless, Kholia and Wegrzyn describe a variety of techniques used to pull the curtain aside and circumvent hardening and other security systems, and they seem to have been overwhelmingly successful. (Feel free to read the paper directly to see the technical details of how they did it.)