- launch your Dropbox app on the iPhone/iPad and log in;
- go to your computer and browse to the Dropbox settings to change your account password;
- go back to your iPhone/iPad and… surprise, you are still allowed to browse through your documents…
So, if you loose your iPhone, no need to rush to change your account password to protect your files from undesired access. This will not do nothing.
The only protection you have is the 4 digits passcode that you can set in the Dropbox app.
Is this enough security for sensitive information?
I suspect this issue is common to many systems using oAuth or other similar long-lived access token mechanisms. But why should it be hard to invalidate all tokens associated to an account when the account password is changed?