Dropbox announced today that it has fixed a security vulnerability in its Android SDK that could potentially allow an attacker to capture new data being saved in vulnerable third-party apps, resulting in files being saved to the attacker's Dropbox in place of the user's.
Dropbox says that it patched the issue for a number of popular third-party apps a few months ago, but it recommends that all developers update their apps to the latest version of the service's Android SDK.
The company goes on to note that the security issue was relatively minor, and the majority of apps using its SDKs were most likely not vulnerable:
"Every app works differently, so many apps using the affected SDKs weren't vulnerable at all or required additional factors to exploit. This vulnerability couldn't give attackers access to any existing files in a user's account, and users with the Dropbox app installed on their devices were never vulnerable. There are no reports or evidence to indicate the vulnerability was ever used to access user data."
In any case, if you're an Android developer using Dropbox's Core API or Sync/Datastore SDKs, you may want to update your app to use the latest versions.
Update: Clarified that the security flaw only had the potential to affect new data being saved in vulnerable third-party apps.