Forum Discussion
Ted F.7
9 years ago, New member | Level 1
Access Tokens, Fiddler, Security
Hi,
Someone uses Fiddler to get my access token which is normally hidden from our apps users. Don't they now have access to my Dropbox through the API?
I read some of the other posts about this ...
Richard P.
9 years ago, Super User alumni
Don't they now have access to my Dropbox through the API?
Yup.
I read some of the other posts about this subject and it appears to not be a major concern.
Is that really the case?
If the API is used as intended, it's not really a major concern - the *intention* is that people connect to their own Dropbox accounts in your app, not you connecting other people to yours. Yeah, it does work that way round, but you then get these issues where you are exposing tokens which were never supposed to be exposed to a non-trusted party (as in the 'intended' use, both you and the user trust each other - but in your use, you don't trust the user).
Am I missing something? I want to present a Dropbox based solution to my team for a project and I don't know if this is going to fly. My company is pretty tight about security.
If security is a concern, then you can always do your own API and hook into Dropbox from the server - then the client never sees your token. But I'm guessing you want to avoid this, hence looking at Dropbox in the first place.
You could always set your app to have "folder" permissions rather than "account" permissions, but it still doesn't mitigate the issue if users shouldn't have access to everything in the shared folder.
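A server-side broker of the kind the reply describes, as an added example that is not from this thread or from Dropbox: the token stays in the server process, the client asks the broker for a path, and the broker refuses anything outside a fixed subtree before forwarding the call, so a proxy like Fiddler on the client only ever sees the broker traffic. The list_folder endpoint URL is Dropbox's real one; the token placeholder, the allowed prefix and the `fake_dropbox` stand-in are assumptions constructed so it runs offline.

```python
import json
import os
import posixpath
import urllib.request

# The token lives only on the server (placeholder value; load it from a secret store).
DROPBOX_TOKEN = os.environ.get("DROPBOX_TOKEN", "PLACEHOLDER-SERVER-SIDE-TOKEN")
# Clients may only reach this subtree, mirroring "folder" rather than "account" scope.
ALLOWED_PREFIX = "/Apps/my-app/"
LIST_FOLDER_URL = "https://api.dropboxapi.com/2/files/list_folder"


def authorize_client_path(requested):
    """Return the normalised path if it stays inside ALLOWED_PREFIX, else None."""
    if not requested.startswith("/"):
        return None
    normalised = posixpath.normpath(requested)  # collapses ".." so escapes are caught
    root = ALLOWED_PREFIX.rstrip("/")
    if normalised == root or normalised.startswith(ALLOWED_PREFIX):
        return normalised
    return None


def build_upstream_request(path):
    """Build the server-to-Dropbox call; the bearer token appears only here."""
    body = json.dumps({"path": path}).encode()
    headers = {"Authorization": "Bearer " + DROPBOX_TOKEN,
               "Content-Type": "application/json"}
    return urllib.request.Request(LIST_FOLDER_URL, data=body, headers=headers, method="POST")


def send_to_dropbox(request):
    """Real upstream call; the offline demo swaps in fake_dropbox instead."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


def broker_list_folder(requested, upstream=send_to_dropbox):
    """Client-facing endpoint: refuse out-of-scope paths, else return a filtered listing."""
    path = authorize_client_path(requested)
    if path is None:
        return {"error": "path not permitted"}
    upstream_json = upstream(build_upstream_request(path))
    # Hand back only file names: no headers, no token, no raw upstream payload.
    return {"entries": [e["name"] for e in upstream_json.get("entries", [])]}


def fake_dropbox(request):
    """Constructed stand-in for Dropbox so the example runs offline."""
    assert request.get_header("Authorization") == "Bearer " + DROPBOX_TOKEN
    return {"entries": [{"name": "report.pdf"}, {"name": "notes.txt"}]}
```

Call `broker_list_folder("/Apps/my-app/2024", upstream=fake_dropbox)` to see the filtered listing, and pass a path with `..` in it to see the refusal.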