Dropping Dropbox

Written by duncan | Published 2016/09/09
Tech Story Tags: dropbox | security | phishing | hacking | macos


A backdoor to a building in Portland, Oregon — James Duncan Davidson

Earlier today, I saw a very concerning tweet from Steve Streza about how Dropbox has been doing funky stuff inside of OS X/macOS. Not for nefarious purposes, mind you. Almost certainly not. Furthermore, it doesn’t look like they are storing a copy of your password, as some reports have said—and which would be really, really bad. No, they’ve simply been installing things in a way that lets them retain root privileges so that they don’t have to bug you again when they want to change things up later.

In other words, they effectively backdoor your system so that they don’t have to ask again if they can add or change things later on.

After all, every time they ask permission, not only do they annoy the user, they let them consider saying no, which is always bad for numbers in a company driven by the almighty gods of daily, weekly, and monthly active usage.

Regardless of the user experience argument of keeping things simple so that the user doesn’t have to make more decisions, there are two big problems with the way that Dropbox does this:

  1. It’s a violation of trust. Dropbox didn’t ask for the ability to modify my system again in new and novel ways without asking me.
  2. It’s an additional attack vector for bad actors to exploit. There are enough of these as it is.

Furthermore, Dropbox is moving functionality into a kernel extension as part of Project Infinite. It’s pretty cool stuff—heck, I want it now!—except for the part where they’ll install a kext without asking or telling you. Regardless of whether or not you want a closed source kernel extension running in your system—and you very well might to get the benefits of an infinite cloud based filesystem—it’s shitty to put one in on the sly.

It’s like instead of giving your plumber a key for the week to work on your kitchen, you give them permanent access so that they can add some toilets and another kitchen later when they feel like it, even if you didn’t ask.

So, how do they do it? Phil Stokes shows part of how it’s done.

Is it legit or not? Ben from Dropbox gives their rationale on Hacker News.

Should you drop Dropbox on their ass for this?

Maybe. Maybe not. I’m not the one to tell you whether the utility of Dropbox is worth the risk. Dropbox has been damn useful for a long time. Then again, there are alternatives. You’ll need to make up your own mind on this.

Personally, I’m going to give life without Dropbox on my system a go. I’ll keep it for the cloud based file sharing, but will spend at least a few weeks without the nifty magic auto-sync bits. After that, I’ll re-evaluate.

If you want to get rid of Dropbox, how do you do it?

Quitting and deleting it used to work and is well documented, but it no longer does the trick. Instead, you’ll get a lovely dialog box telling you that it can’t be deleted because some of its extensions are in use. Dropbox’s help center provides the essential extra step: You have to unlink your Dropbox account first before you quit and uninstall Dropbox. So that means:

  • Unlink your account in Dropbox preferences
  • Quit Dropbox

But wait! Before you go further, you’ll also want to get rid of the helpers. To do that, you’ll need to drop to the command line and—very carefully, that sudo part is messing around with fire—execute the following:

$ sudo rm -rf /Library/DropboxHelperTools

You were careful with that sudo, right? Good. Now, you may or may not have the kernel extension installed. I didn’t, and here’s how I checked:

$ ls /Library/Extensions/Dropbox.kext
ls: /Library/Extensions/Dropbox.kext: No such file or directory

If you do have the kext installed, you can nuke it—again, being careful with the sudo—like this:

$ sudo rm -rf /Library/Extensions/Dropbox.kext

Next, you’ll also want to clean up some stuff from your System Preferences:

  • Remove the Dropbox login item from your user account
  • Remove Dropbox from the Accessibility Privacy list

Now, you’re ready to delete the Dropbox app and purge your trash. Then reboot and check. That should do it.

Of course, this is probably not the only way to do it, but it’s the order I finally hit on to get Dropbox off my system. Your mileage may vary. Good luck and godspeed.
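If you want to confirm the uninstall rather than trust it, here is a small audit script, added as an example and not part of the original post: it checks for the remnants the steps above name (the helper tools directory, the kext, the app), lists any loaded kext or login item still mentioning Dropbox, and reports a count. The /Applications/Dropbox.app location is an assumption; the ROOT argument lets you point it at a mounted volume or a test directory instead of the live system.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a Mac for the Dropbox
# remnants the post walks through and report which are still present.
# ROOT defaults to / (the live system); pass another tree to audit a mounted
# volume or a constructed test directory.

# Paths the post names. /Applications/Dropbox.app is an assumption (the usual
# install location); the post only says "delete the Dropbox app".
DROPBOX_PATHS="/Library/DropboxHelperTools
/Library/Extensions/Dropbox.kext
/Applications/Dropbox.app"

# check_path ROOT PATH: print one status line; return 0 if absent, 1 if present.
check_path() {
    if [ -e "${1%/}$2" ]; then
        printf 'PRESENT  %s\n' "$2"
        return 1
    fi
    printf 'absent   %s\n' "$2"
}

# count_remnants ROOT: echo how many of the listed paths still exist under ROOT.
count_remnants() {
    found=0
    for p in $DROPBOX_PATHS; do
        [ -e "${1%/}$p" ] && found=$((found + 1))
    done
    echo "$found"
}

# Loaded (not merely installed) kexts mentioning Dropbox; live Mac only.
list_loaded_kexts() {
    command -v kextstat >/dev/null 2>&1 || { echo "kextstat unavailable"; return 0; }
    kextstat | grep -i dropbox || echo "no Dropbox kext currently loaded"
}

# Login items the post says to remove in System Preferences; live Mac only.
list_login_items() {
    command -v osascript >/dev/null 2>&1 || { echo "osascript unavailable"; return 0; }
    osascript -e 'tell application "System Events" to get the name of every login item'
}

# audit_dropbox [ROOT]: print the full report; exit status is the remnant count.
audit_dropbox() {
    root=${1:-/}
    for p in $DROPBOX_PATHS; do check_path "$root" "$p" || :; done
    list_loaded_kexts
    list_login_items
    n=$(count_remnants "$root")
    echo "remnants found: $n"
    return "$n"
}

case "${1:-}" in --run) audit_dropbox "${2:-/}" ;; esac
```

Run it with `--run` before the uninstall to see what is installed, and again after the reboot; a non-zero exit status means something from the list survived.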


Published by HackerNoon on 2016/09/09