
Until recently, there were doubts that a heavily obfuscated Python application could be reverse engineered at all. The recent reverse engineering of the Dropbox client by two researchers has shown that it can be.
In February of this year, at Mobile World Congress, CEO Drew Houston happily reported that Dropbox, the well-known file storage service, had passed the 100 million user mark, and that these 100 million users upload over a million files to Dropbox servers every day. Two years ago Dropbox had only 25 million users and far fewer uploads per day.
Why mention all this? Dropbox's success did not come without a few rough patches along the way, and it looks like the service's team now has a new headache, courtesy of Dhiru Kholia and Przemysław Węgrzyn.
Looking under the hood
In their paper "Looking inside the (Drop) box", Dhiru and Przemysław get straight to the point:
“We describe methods for bypassing Dropbox two-factor authentication and for stealing Dropbox accounts. In addition, the basic principles of intercepting data transmitted via SSL using code injection techniques and monkey-patching are provided.”
Dhiru and Przemysław achieved this result by reverse engineering the Dropbox client. That in itself would hardly be surprising, if not for the main point: what makes their work unique is that they worked out how to reverse engineer an obfuscated Python application.
The client consists of a modified Python interpreter executing obfuscated Python bytecode. Dropbox is a proprietary platform whose source code is closed to its users, and even the API the client uses is not documented anywhere. Previous attempts at reverse engineering it therefore had no particular success. Dhiru and Przemysław, however, not only achieved noticeable results but went beyond the scope of a single application, as the paper hints:
“The described techniques can be used for reversing other closed applications in Python.”
Results
The researchers managed to uncover many of Dropbox's secrets. They started by studying the registration and login process and the "Launch Dropbox Website" function as a way to steal an account. They then worked out the following:
- How to intercept SSL traffic from Dropbox servers
- How to bypass Dropbox two-factor authentication
- How to create an open-source Dropbox client
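The SSL interception item above rests on the technique the abstract names: monkey-patching, that is, replacing methods of an already-loaded Python class at run time so that the plaintext passes through your own code before the library encrypts it (or after it decrypts it). The block below is an added example written for this article, not code from the paper or from the Dropbox client. It shows the monkey-patching half only; getting the patch loaded into someone else's process (the code injection half) is out of scope. The set of `ssl.SSLSocket` method names it taps is our choice, and `FakeSSLSocket` is a constructed loopback stand-in so the demo runs offline without a TLS server.

```python
"""Monkey-patch a socket class to log plaintext on both sides of TLS.

Added example for illustration; the method names tapped on ssl.SSLSocket are an
assumption of this example, not taken from the paper or the Dropbox client.
"""
import functools
import ssl

TAP_ATTR = "_tap_original"          # marker set on wrappers to prevent double-patching
OUTBOUND = ("send", "sendall", "write")   # plaintext is in the argument
INBOUND = ("recv", "read")                # plaintext is in the return value


def install_tap(cls, method_names, log):
    """Replace each named method of `cls` with a wrapper that appends
    (method_name, plaintext_bytes) to `log` and then behaves exactly like
    the original.  Returns a function that restores the originals."""
    originals = {}

    def make_wrapper(name, original):
        @functools.wraps(original)
        def wrapper(self, *args, **kwargs):
            result = original(self, *args, **kwargs)
            if name in OUTBOUND:
                payload = args[0] if args else kwargs.get("data", b"")
                log.append((name, bytes(payload)))
            elif name in INBOUND and isinstance(result, (bytes, bytearray)):
                log.append((name, bytes(result)))
            return result
        setattr(wrapper, TAP_ATTR, original)   # remember what we replaced
        return wrapper

    for name in method_names:
        original = getattr(cls, name)
        if getattr(original, TAP_ATTR, None) is not None:
            continue                            # already tapped, leave it alone
        originals[name] = original
        setattr(cls, name, make_wrapper(name, original))

    def uninstall():
        for name, original in originals.items():
            setattr(cls, name, original)
    return uninstall


def tap_ssl_module(log):
    """Tap the real ssl.SSLSocket class of this interpreter (no network
    activity happens here; sockets created afterwards inherit the patch)."""
    return install_tap(ssl.SSLSocket, OUTBOUND + INBOUND, log)


def ssl_tap_installed():
    """True while ssl.SSLSocket.send is one of our wrappers."""
    return hasattr(ssl.SSLSocket.send, TAP_ATTR)


class FakeSSLSocket:
    """Constructed loopback stand-in for ssl.SSLSocket: 'encrypts' with XOR
    so the wire bytes differ from the plaintext the tap records."""
    KEY = 0x5A

    def __init__(self):
        self.wire = bytearray()

    def send(self, data, flags=0):
        self.wire += bytes(b ^ self.KEY for b in data)
        return len(data)

    def recv(self, buflen=1024, flags=0):
        chunk = self.wire[:buflen]
        del self.wire[:buflen]
        return bytes(b ^ self.KEY for b in chunk)


def demo():
    """Tap the fake socket, push a constructed request through it, and return
    (captured plaintext log, raw wire bytes)."""
    log = []
    restore = install_tap(FakeSSLSocket, ("send", "recv"), log)
    try:
        sock = FakeSSLSocket()
        sock.send(b"POST /register HTTP/1.1\r\n\r\nemail=user@example.com")  # constructed sample
        wire = bytes(sock.wire)
        sock.recv()                               # loopback: reads the same bytes back
        return log, wire
    finally:
        restore()                                 # always undo the patch


if __name__ == "__main__":
    captured, wire = demo()
    for method, plaintext in captured:
        print(method, plaintext)
    print("wire bytes (not plaintext):", wire[:16])
```

Because the wrapper calls the original and returns its result unchanged, the patched application keeps working; only the observer gains a copy of the cleartext. The `uninstall` closure matters in practice: leaving a tap installed in a long-running process is how such tooling gets noticed.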
The paper explains in some detail how the researchers gained access to a victim's account and files. It notes that the Dropbox developers hardened the client's protection from version to version, so different attacks were needed for different versions of Dropbox.
The authors hope that their work will push the Dropbox developers to make repeating it considerably harder. At the same time, they make it clear that they see little point in the closed code:
“At the same time, it is not clear to us why Dropbox makes such efforts to make reversing impossible. Most of their ‘secret ingredients’ are still stored on the server side, which is already well protected. We are not sure that anti-reversal measures are of any benefit to either users or Dropbox.”
According to other experts, the paper amounts to step-by-step instructions for “unpacking” the source code of the Dropbox client, which is clearly not what the company wanted. Many will now be able to take that source code and use it for their own purposes. Whether someone had already done this before, and quietly used the result for their own purposes, is another question we cannot answer.