Dropbox file access restrictions
320 views
Skip to first unread message
Cookie Bonanza
May 19, 2012, 11:35:18 PM5/19/12
to WikiPack
Hi, Mark.
At some point during the signup process you mention that Dropbox has
no granularity, i.e. WikiPack has to have access to ALL my dropbox
files and folders.
That appears to no longer be the case.
When I went to the Dropbox authorization page, it gave me a link to
list all apps that have access to my Dropbox account. I noticed that
iOS apps like WriteRoom and Nocs had full access, but web apps like
Calepin or Scriptogr.am only had access to the Apps folder.
You could eliminate that warning if you figure out what Calepin &
Scriptogr.am are doing, and set it up so that WikiPack's default
installation is in Dropbox/Apps/WikiPack instead of Dropbox/WikiPack,
and then only ask for authorization to access the Apps folder, instead
of the whole of Dropbox.
That would result in a better feeling of security.
I have manually moved my WikiPack folder into the Apps folder for my
own convenience, but that doesn't solve this problem.
Just a suggestion...
Thanks!
At some point during the signup process you mention that Dropbox has
no granularity, i.e. WikiPack has to have access to ALL my dropbox
files and folders.
That appears to no longer be the case.
When I went to the Dropbox authorization page, it gave me a link to
list all apps that have access to my Dropbox account. I noticed that
iOS apps like WriteRoom and Nocs had full access, but web apps like
Calepin or Scriptogr.am only had access to the Apps folder.
You could eliminate that warning if you figure out what Calepin &
Scriptogr.am are doing, and set it up so that WikiPack's default
installation is in Dropbox/Apps/WikiPack instead of Dropbox/WikiPack,
and then only ask for authorization to access the Apps folder, instead
of the whole of Dropbox.
That would result in a better feeling of security.
I have manually moved my WikiPack folder into the Apps folder for my
own convenience, but that doesn't solve this problem.
Just a suggestion...
Thanks!
Mark Beattie
May 20, 2012, 2:19:39 AM5/20/12
to wiki...@googlegroups.com
Hi, thanks for getting in touch! I could have requested "sandbox" mode when applying for the Dropbox API, but then WikiPack would be physically unable to present a directory listing of your Dropbox for those of us who want to import existing Markdown files, for example to integrate WikiPack with Trunk Notes. Many WikiPack users, myself included, setup their wikis from existing files created by Trunk Notes or other apps, so I applied for full access to enable those files to be imported easily and shared between apps without having to resort to using symlinks etc.
When we happily install yet another iOS Markdown editor and link it to Dropbox, we usually don't know or care that if it allows us to browse our files then it has full access, probably because being on our personal handheld device it feels more secure than a web application that's hosted on someone else's server, despite the risk of your data being compromised being no more or less in either case. It's really a perception issue, and a matter of gaining trust, which I'm working very hard to do by being completely open about how WikiPack uses the Dropbox API, and offering a Lite plan with no Dropbox access.
Regards,
Mark
When we happily install yet another iOS Markdown editor and link it to Dropbox, we usually don't know or care that if it allows us to browse our files then it has full access, probably because being on our personal handheld device it feels more secure than a web application that's hosted on someone else's server, despite the risk of your data being compromised being no more or less in either case. It's really a perception issue, and a matter of gaining trust, which I'm working very hard to do by being completely open about how WikiPack uses the Dropbox API, and offering a Lite plan with no Dropbox access.
Regards,
Mark
crystal...@gmail.com
Jan 1, 2013, 5:36:04 PM1/1/13
to wiki...@googlegroups.com
This seemed like a perfect idea. But there is *no way* I am giving unrestricted access to my dropbox to anyone. The access you are requesting is not the same as an app on my phone having access, in which case the authentication data stays on my device - you are asking that my dropbox credentials be stored on your server, and that you (and the people you work with, and the people running your hardware etc.) be fully trusted to maintain their security. Absolutely no way. Granularity here will be crucial for success I suspect. But otherwise, as I say, perfect idea ;).
Mark Beattie
Jan 1, 2013, 6:48:43 PM1/1/13
to wiki...@googlegroups.com
Thank you for your comments, I'm glad you can see the potential usefulness of WikiPack. To address concerns about the level of access that it has to your Dropbox folder, I plan to investigate the possibility of applying for a second Dropbox API key with sandboxed access. I don't know if Dropbox will even allow having two API keys for the same app, but it would let you to choose during the WikiPack signup process whether you want to grant full access, or keep WikiPack safely sandboxed in an app folder. Over 600 individuals have entrusted WikiPack with full access so far, but I agree that the adoption rate might be a lot higher if the signup process had a 100% risk-free option.
It's one of the top priorities for 2013, having just rolled out Markdown todo lists at the end of last year, and I look forward to making it the perfect solution.
Regards,
Mark
crystal...@gmail.com
Jan 2, 2013, 7:02:42 AM1/2/13
to wiki...@googlegroups.com
I don't think you ever need to use the global access API. AFAIK Trunknotes lets you choose the location to sync to on Dropbox. So I think there is no reason why you couldn't use a sandboxed folder and ask people to move their stuff there, or simply get people to use their pre-existing Trunknotes folder. I think by default Markable does a pretty good job by automatically making a sandboxed markable.in folder. Thanks!
Mark Beattie
Jan 2, 2013, 8:15:10 PM1/2/13
to wiki...@googlegroups.com
Trunk Notes does allow you change it's Dropbox folder, because it also has full access, but as you say, the session is stored on your iOS device as opposed to on the developer's servers. Markable allows you to save to Dropbox, but not import files from Dropbox created by other apps, so it uses sandboxed mode.
I have experimented with using WikiPack in an app folder and symlinking it to the trunksync folder as a workaround for integrating with external apps from a sandboxed folder, and it is possible, but requires some command line fu and kinda defeats the purpose of sandboxed access.
To find out what existing WikiPack users would prefer, I ran a survey, and it came out in favor of keeping full access for the convenience of seamless integration with other apps, but I do plan implement sandboxed mode as well if possible.
Regards,
Mark
Reply all
Reply to author
Forward
0 new messages