I’ve opined on the security of cloud solutions in the past, usually stating that the odds were good that established cloud vendors have better security than the average data center. Yesterday, I saw an shared an article about how researchers reversed engineered the Dropbox client. While this isn’t necessarily a critical issue for Dropbox, it does raise some interesting discussion points around security through obfuscation.
First, the Research
The researchers decompiled the Dropbox client which was compiled in a manner that decompiling was difficult. Once the researchers were able to do it, they hijacked the account. Given that a program would already possess full access to a person’s machine to accomplish this, there wouldn’t be new data to access through the client.
The researchers did share that they still use Dropbox and that they weren’t concerned about the security of the client. They went on to say that the obfuscation didn’t make much sense for Dropbox:
We wonder what Dropbox aims to gain by employing such anti-reversing measures. Most of Dropbox’s “secret sauce” is on the server side which is already well protected. We do not believe these anti-reverse engineering measures are beneﬁcial for Dropbox users and for Dropbox.
Which takes me back to a topic from my old hardcore developer days. How do you achieve security?
Security Through Design
The first thing I remembered when I read the article is a talk from an old security pro at an Association for Computing Machinery seminar. The speaker stressed that while obfuscation may make things challenging for a hacker and thus more secure, the security was fleeting and illusory. There will always be someone who can reverse engineer the code and replicate, or subvert, the process. While primarily discussed in the context of proper encryption, the concept applies to all computing security applications.
Hiding your code isn’t going to make your software secure. This doesn’t mean that every vendor should be open source. When you assume that your code will be accessible by anyone with enough resolve, security has to be built into the design.