Safer Dropbox-ing for apps requesting ‘Full Access’

Like it or not, Dropbox is Internet glue.

It’s grown beyond ‘just’ file-syncing, and is now a universal ‘online disk’ for web and mobile apps. Often those apps access the user’s absence to do ‘useful stuff’ triggered by an external event or allowing long tasks to complete without the user waiting.

Having apps read and write to a folder on my laptop is brilliantly useful, but also risky. I don’t store sensitive stuff on Dropbox, but it would be inconvenient to lose files or for them to be compromised by malware.

The best apps use Dropbox’s permissions options to access only the files and folders they actually use. That way, if a service has a ‘security problem’ the damage is contained. However, some don’t and ask for ‘full access, despite not needing it.

A recent example of this I encountered is Fujitsu’s ScanSnap Cloud. This update to my desktop scanner added direct uploads to ‘the cloud’ and it’s super useful… Except it requests ‘full’ access to my Dropbox files, not just the upload folder it uses. However convenient, I’m not handing unsupervisedaccess to that much of my data to a 3rd party.

I needed to create my own equivalent Dropbox’s single-folder permissions. A separate Dropbox account and folder sharing lets us get close. Here’s how to do it (this doesn’t appear to contravene any Dropbox terms or conditions):

  1. Sign-up for a new ‘Basic’ Dropbox account via the website – you can leave desktop and mobile clients logged in to your ‘real’ account throughout this process. The new account needs a dedicated email address – create one via your email host (use a descriptive name in the address so you can tell which account Dropbox emails relate to).
  2. Complete email verification for the new account and use it to login to Dropbox via the website. Add a profile photo with an icon of the service you’re sandboxing (again, for ease of identification) and turn on 2-factor authentication (optional, but recommended).
  3. Logout of Dropbox and back in to your ‘real’ account. Still via the website, create the folder you’d like to store the app’s data. I add mine to a dedicated ‘syncing’ folder to keep things tidy.
  4. Click ‘Share’ next to the folder you have just created and send a sharing invite to the new account in step 1 with ‘can edit’ permissions and management by ‘Only owners’ (management options are in ‘Folder settings’).
  5. Logout of Dropbox (again, sorry) and find the invitation email for the sharing request you have just sent. Click ‘Go to folder’, login with the new account credentials and accept the invitation.
  6. Dropbox setup is now done. Test it by adding a file to the newly-shared folder through the web browser and checking it is visible in your ‘real’ Dropbox account through a desktop or mobile client.
  7. Switch to the app or cloud service insisting on ‘full access’ and link it to the newly created account. Selected the shared folder (it should be the only folder in that account) to use and give it the permissions requested.
  8. Use the service (in my case, by scanning some documents) and confirm that, although the files are being written to a dedicated account they are synchronised to the chosen folder within your main account.

Setup is now complete. The shared folder gives access to the app’s files as if you’d allowed it access to your ‘real’ account, but without exposing any of your other files.

This has worked reliably for me for many months and syncing is instant. It requires no maintenance other than ensuring the shared folder doesn’t grow larger than the ‘Basic’ account’s 2GB capacity. If you have several apps requiring it, you can repeat this method as many times as needed.

I tried a similar process with Evernote, but it didn’t work for me as the app I tried couldn’t write to a shared folder.

Essential apps and utilities for a new Mac

These are the apps I always install first on any Mac.

In order:

  1. 1Password – My password manager of choice – rock solid and now TouchID enabled on my Mac. All the logins and license keys for subsequent apps are in here. We have a family plan, synced via 1Password’s own service. I’d previously used Dropbox syncing which added a frustrating delay waiting for the initial sync on a fresh Dropbox installation.
  2. Dropbox – This contains nearly everything I care about – working files, cloud-based app data (Auphonic for podcast production and Receipt Bank for business admin are my 2 must-haves) and scanned documents from my Fujitsu ScanSnap. During installation I enable ‘selective file sync’ and exclude an ‘online only’ folder containing photos and videos I want to share, but don’t want taking-up laptop storage. I’ve previously fought Dropbox’s sneaky accessibility permissions grab but have now given up in favour of a quiet life (I fear I’ll regret this at some point).
  3. Cloak – The best Mac VPN for browsing securely on public WiFi (I don’t need to access location-locked content and their team make it clear that’s not what Cloak is for), this app goes on all my MacOS and iOS devices. I’ve no idea if it’s the fastest, but it’s been incredibly reliable for me and the team behind it care about the right things.
  4. TripMode – A ‘mobile data saver’, this tool limits the apps that can use an internet connection when you’re using a personal hotspot. A menu-bar icon flashes as apps are blocked and they can individually be enabled or disabled stopping bandwidth hogs such as iCloud Photo Library or Dropbox from burning through your data allowance.
  5. Moom – There are many Mac window managers but this is mine. Although highly configurable I use the simplest features – a popup menu triggered by hovering over the ‘maximise’ window button that offers a list of window size / position presets (I use the default ones) and a grid to ‘draw’ more complex layouts. I tried others that relied on dragging windows to the screen edge but accidentally triggered that too often.
  6. Caffeine – This app overrides any power saving / screen-saver settings to keep your Mac awake for extended periods. I use it when I’m not actively using the laptop but need the screen to stay on, such as reading show notes during a 361 recording or following a recipe on a website.
  7. Alfred – I can’t remember a time my Macs didn’t have Alfred mapped to ⌘-Space in preference to Spotlight with my settings synced via Dropbox. Alfred is another powerful tool but I rely on it almost entirely for keyboard access to apps, an instant calculator and as a clipboard manager. I bought the ‘Power Pack’ upgrade despite not needing the features to support this brilliant independent developer.
  8. Keyboard Maestro – This tool lets me create simple macros for the Mac. I use it for inserting text (code snippets, business addresses or tax numbers) and clipboard ‘cleverness’ such as pasting text as if it had been typed. I previously also used TextExpander for the text-specific tasks but found Keyboard Maestro could do both jobs to the level I needed. It’s a tool I’ve previously used much more extensively and I like to keep it around ‘for emergencies’. I store my macros in Dropbox to keep them synced between Macs.
  9. SoundSource – The most recent addition, this app adds a menu-bar item showing the volume and other settings for each audio input or output device. Essential for podcasting, but also handy for demos / presentations when you need to quickly mute sound effects but leave other audio playing.
  10. Bartender – MacOS’s menu bar doesn’t cope well with lots of apps, quickly becoming a cluttered mess of randomly-ordered icons. Bartender offers an ‘overflow’ area where I put the apps I don’t need one-click access to and lets me set the order permanently so they’re always where I expect them to be. This goes-on last so I can arrange all the icons in one go.