My latest contribution to InfoQ

In the last couple of months, I have been contributing to InfoQ as a News Editor for the Mobile topic. Although this might not look like the most elegant behaviour, I will link here some of my writing for them. Here you have my latest one:

Android 4.1.1 Vulnerable to Reverse Heartbleed

Google announced last week that Android 4.1.1 is susceptible to the Heartbleed OpenSSL bug. While Android 4.1.1 is, according to Google, the only Android version vulnerable to Heartbleed, it remains in use in millions of smartphones and tablets. Android 4.1.1 devices have been shown to leak a significant amount of data…





A bug in the Dropbox app for iOS?

Try this:

  1. launch your Dropbox app on the iPhone/iPad and log in;
  2. go to your computer and browse to the Dropbox settings to change your account password;
  3. go back to your iPhone/iPad and… surprise, you are still allowed to browse through your documents…

So, if you lose your iPhone, no need to rush to change your account password to protect your files from undesired access. This will not do anything.

The only protection you have is the 4-digit passcode that you can set in the Dropbox app.

Is this enough security for sensitive information?

I suspect this issue is common to many systems using OAuth or other similar long-lived access token mechanisms. But why should it be hard to invalidate all tokens associated with an account when the account password is changed?
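One way a service could make a password change revoke every outstanding token, shown as an added example (not Dropbox's implementation and not code from this post): each token carries the account's generation counter, and changing the password bumps it. The function names, token format and in-memory account table are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

SERVER_KEY = os.urandom(32)   # demo signing key, generated per run
accounts = {}                 # hypothetical table: user -> {"salt", "pw", "gen"}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(user, password):
    """Create the account or change its password; a change bumps the generation."""
    salt = os.urandom(16)
    gen = accounts[user]["gen"] + 1 if user in accounts else 0
    accounts[user] = {"salt": salt, "pw": _pw_hash(password, salt), "gen": gen}

def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def login(user, password, ttl=30 * 24 * 3600):
    """Return a long-lived signed token bound to the account's current generation."""
    acct = accounts.get(user)
    if acct is None or not hmac.compare_digest(acct["pw"], _pw_hash(password, acct["salt"])):
        return None
    claims = {"sub": user, "gen": acct["gen"], "exp": time.time() + ttl}
    payload = json.dumps(claims).encode()
    parts = (base64.urlsafe_b64encode(payload), base64.urlsafe_b64encode(_sign(payload)))
    return b".".join(parts).decode()

def validate(token):
    """Return the user name if the token is authentic, unexpired and current."""
    try:
        p64, s64 = token.encode().split(b".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:          # wrong number of parts or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    acct = accounts.get(claims["sub"])
    if acct is None or claims["exp"] < time.time():
        return None
    # Tokens issued before the last password change carry an older generation.
    return claims["sub"] if claims["gen"] == acct["gen"] else None
```

The cost is one account lookup per request, which the server usually performs anyway; no per-token revocation list is needed.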