Safer Dropbox-ing for apps requesting ‘Full Access’

Like it or not, Dropbox is Internet glue.

It’s grown beyond ‘just’ file-syncing, and is now a universal ‘online disk’ for web and mobile apps. Often those apps access the user’s absence to do ‘useful stuff’ triggered by an external event or allowing long tasks to complete without the user waiting.

Having apps read and write to a folder on my laptop is brilliantly useful, but also risky. I don’t store sensitive stuff on Dropbox, but it would be inconvenient to lose files or for them to be compromised by malware.

The best apps use Dropbox’s permissions options to access only the files and folders they actually use. That way, if a service has a ‘security problem’ the damage is contained. However, some don’t and ask for ‘full access, despite not needing it.

A recent example of this I encountered is Fujitsu’s ScanSnap Cloud. This update to my desktop scanner added direct uploads to ‘the cloud’ and it’s super useful… Except it requests ‘full’ access to my Dropbox files, not just the upload folder it uses. However convenient, I’m not handing unsupervised access to that much of my data to a 3rd party.

I needed to create my own equivalent Dropbox’s single-folder permissions. A separate Dropbox account and folder sharing lets us get close. Here’s how to do it (this doesn’t appear to contravene any Dropbox terms or conditions):

  1. Sign-up for a new ‘Basic’ Dropbox account via the website – you can leave desktop and mobile clients logged in to your ‘real’ account throughout this process. The new account needs a dedicated email address – create one via your email host (use a descriptive name in the address so you can tell which account Dropbox emails relate to).
  2. Complete email verification for the new account and use it to login to Dropbox via the website. Add a profile photo with an icon of the service you’re sandboxing (again, for ease of identification) and turn on 2-factor authentication (optional, but recommended).
  3. Logout of Dropbox and back in to your ‘real’ account. Still via the website, create the folder you’d like to store the app’s data. I add mine to a dedicated ‘syncing’ folder to keep things tidy.
  4. Click ‘Share’ next to the folder you have just created and send a sharing invite to the new account in step 1 with ‘can edit’ permissions and management by ‘Only owners’ (management options are in ‘Folder settings’).
  5. Logout of Dropbox (again, sorry) and find the invitation email for the sharing request you have just sent. Click ‘Go to folder’, login with the new account credentials and accept the invitation.
  6. Dropbox setup is now done. Test it by adding a file to the newly-shared folder through the web browser and checking it is visible in your ‘real’ Dropbox account through a desktop or mobile client.
  7. Switch to the app or cloud service insisting on ‘full access’ and link it to the newly created account. Selected the shared folder (it should be the only folder in that account) to use and give it the permissions requested.
  8. Use the service (in my case, by scanning some documents) and confirm that, although the files are being written to a dedicated account they are synchronised to the chosen folder within your main account.

Setup is now complete. The shared folder gives access to the app’s files as if you’d allowed it access to your ‘real’ account, but without exposing any of your other files.

This has worked reliably for me for many months and syncing is instant. It requires no maintenance other than ensuring the shared folder doesn’t grow larger than the ‘Basic’ account’s 2GB capacity. If you have several apps requiring it, you can repeat this method as many times as needed.

I tried a similar process with Evernote, but it didn’t work for me as the app I tried couldn’t write to a shared folder.

Leave a Reply