Dropbox hack blocked by Apple in Sierra


With the release of the latest version of the Mac operating system, 10.12 macOS Sierra, it’s pleasing to see that Apple have fixed a bug I reported against El Capitan in October of last year, and wrote about on this blog here and here.

The TCC.db is now under SIP, which means hacking the Accessibility preferences is no longer possible.

The bug basically allowed anyone to circumvent the authorisation warning to place an app in the list of Accessibility apps in System Preferences > Security & Privacy. It still required sudo, but an app (Dropbox being the most high profile offender) that got your admin credentials in other ways could insert itself into Accessibility and make it almost impossible for the user to remove.

Users can still alter Accessibility in the normal way (through the System Preferences GUI), but trying to hack the SQL database via Terminal now returns:

Error: attempt to write a readonly database.

Looking at xattr in Terminal for /Library/Application\ Support/com.apple.TCC confirms this with the reply:

com.apple.rootless: TCC
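
A read-only audit built on the two observations above, added here as an example and not taken from the original post: it checks `xattr -l` output for the `com.apple.rootless` attribute and lists apps allowed Accessibility that are not on an approved list. The `access` table with its `service`, `client` and `allowed` columns, the `kTCCServiceAccessibility` service name, the `TCC.db` location inside the directory and every `com.example.*` bundle ID are assumptions; the sample database is constructed.

```python
import sqlite3
import subprocess
from pathlib import Path

TCC_DIR = Path("/Library/Application Support/com.apple.TCC")
ACCESSIBILITY = "kTCCServiceAccessibility"  # assumed service name, not on the page


def is_sip_protected(xattr_listing: str) -> bool:
    """True if `xattr -l` output carries the com.apple.rootless attribute."""
    names = (line.split(":", 1)[0].strip() for line in xattr_listing.splitlines())
    return "com.apple.rootless" in names


def open_read_only(db_path: Path) -> sqlite3.Connection:
    """Open the database so that the audit itself can never modify it."""
    return sqlite3.connect(db_path.as_uri() + "?mode=ro", uri=True)


def unexpected_accessibility_clients(con, approved):
    """Clients currently allowed Accessibility that are not on the approved list."""
    rows = con.execute(
        "SELECT client FROM access WHERE service = ? AND allowed = 1 ORDER BY client",
        (ACCESSIBILITY,),
    )
    return [client for (client,) in rows if client not in approved]


def sample_db():
    """Constructed stand-in for TCC.db holding only the columns read above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, allowed INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        (ACCESSIBILITY, "com.example.windowmanager", 1),
        (ACCESSIBILITY, "com.example.syncclient", 1),
        (ACCESSIBILITY, "com.example.denied", 0),
        ("kTCCServiceAddressBook", "com.example.mail", 1),
    ])
    return con


if __name__ == "__main__":
    # On a Mac; assumes the process may read the system TCC.db (e.g. via sudo).
    listing = subprocess.run(["xattr", "-l", str(TCC_DIR)],
                             capture_output=True, text=True).stdout
    print("SIP-protected:", is_sip_protected(listing))
    con = open_read_only(TCC_DIR / "TCC.db")
    print(unexpected_accessibility_clients(con, approved={"com.example.windowmanager"}))
```

An entry that appears in the result without the user having approved it in System Preferences is the condition the post describes on El Capitan.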

Hopefully, this fix will be ported to El Capitan as well. At the moment, it’s still possible to run this hack in OS X 10.11.6.

🙂


About philastokes

Independent Software Developer, Technical Writer and Researcher at SentinelOne. Explaining the unexplainable with images, video and text. Scripting anything imaginable in AppleScript, Bash, Python and Swift.

Posted on September 20, 2016, in 10.12. 14 Comments.

  1. Thanks for your articles on this topic Phil. Dropbox is finally responding with some real information:

    https://www.dropbox.com/help/9266#accessibility

    • I welcome these changes, and I hate to sound churlish, but I still don’t trust Dropbox. Why not? Because they were forced into these changes in part by Apple putting TCC under SIP and in part by the reaction on Twitter and elsewhere to my posts.

      After ignoring this problem for a long time (first reported on their own forums I think in July 2015 and casually brushed aside), the fact that they have just now responded in the last month after the “twitter storm” erupted tells me that they decided to drop the cookies only after getting their hand caught in the jar.

      Consequently, do I trust them not to go raiding other tasty morsels in the kitchen if they think no one will notice? Nah, not based on this behaviour. The cheating husband will always promise not to do it again after getting caught, but in reality he just learns to get better at concealing his unfaithful behaviour.

      • Agreed.

        I find it helps to remember that many software companies have always done what they think is right, because their software is the most important thing. Windows is rampant with this sort of abuse. Office for Mac has no uninstaller, the instructions are to manually remove files from all over the system. Everyone and their dog running background processes checking for updates to their own apps. More significant examples escape my mind for now, but it’s rife. Dropbox, Java, Adobe Flash, whatever the software they do whatever they want. Chrome’s heavy resource usage.

        Anyway, this is one advantage, I suppose, of an increasingly locked down system: it gradually forces responsible software. As long as I can keep legacy systems around for emulation I don’t mind.

  2. To get rid of asking permission to Accessibility – open Dropbox settings and switch option ‘Dropbox badge’ to ‘Never show’. After that Dropbox will no longer bother you with dialogs on every start.

  3. After reading your posts about Dropbox I decided to get rid of Dropbox altogether and just use iCloud Drive instead. So, I followed all the steps to delete Dropbox on drop-dropbox, found from your post ‘discovering how Dropbox hacks your mac‘, and I’ve now updated to macOS Sierra.
    Before I updated to Sierra I found a folder that is in my ~/Library called ‘iCloud~com~getdropbox~Dropbox’ see image here and I tried to delete it but it would return moments later. You’ll notice from the image that this folder lives in my iCloud Drive. Now that I’ve updated to macOS Sierra the folder is still there but it can’t be trashed anymore “because an unexpected error occurred (error code -50)”. Has Dropbox permanently installed a backdoor to my Mac and has anyone else come across this or is it just a glitch?

    • Do you have Dropbox on an iOS device, or another mac linked to the same iCloud account?

      • I did have Dropbox on my iPad. I’ve now deleted it and I’ve deleted the Dropbox App from iTunes too. I’ve also rebooted my mac and iPad, but the ‘iCloud~com~getdropbox~Dropbox’ folder is still showing up in my ~/Library folder.

  4. After the update (of both the system and the app), Dropbox now asks you explicitly to give it access to Accessibility. They are not giving up, it seems.

    • Personally, I’m fine with that. That’s precisely what they should have been doing all along. I’d feel more inclined to trust Dropbox, however, if they were also doing that on El Capitan, where Apple haven’t enforced the change.

  5. Could Dropbox be demanding this access to enable photo upload? Auto photo upload is the most stupid annoying thing ever, I’ve seen many client machines where they’ve got two copies of all their photos and are paying for Dropbox storage unnecessarily because they clicked through on this prompt.

    Anyway, this is fascinating. Thanks for reporting it to Apple.

  6. What features are we giving up in Dropbox if we deny this access? I’m curious because I want to keep my computer secure but I depend on Dropbox.

  7. But some applications do need this access, right? For example, I am seeing Default Folder X in the same place, and that makes sense to me, I think. Thanks.

    • No app needs this access except the Apple APIs for managing accessibility access, which can still do so through SIP. There is a public interface for requesting this access which Dropbox bypassed, and instead installed a rootkit to directly modify the database even if you tried to revoke its accessibility access.

  8. Maybe I will reinstall DropBox after testing this out. Good on you for raising the awareness.
