[macOS 26 Beta] Dropbox needs to be dropped

Dropbox is proving itself to be unsafe now, demanding admin access in order to function. It’s been doing this for awhile but it now crashes in MacOS 26 when you refuse to give it said access. This is likely just a beta bug, but points to a larger problem: Dropbox is no longer trustworthy. I realize that other methods of syncing clash with Scrivener, but having everyone need to use the same commercial syncing service in order to sync Scrivener really is no longer working. We need alternatives. I’ve eliminated Dropbox from my computers effective today.

So the question then: Is there a way of syncing reliably that doesn’t involve Dropbox?

As you note, the operating system is still in (very) early beta right now. Stability and even behaviour shouldn’t be judged just yet, and it really shouldn’t be used for real work. I wouldn’t be making decisions on what software to use based on anything going on in it right now, either. All of that is subject to change.

As for needing admin access, you would need to provide more detail on what you were doing at the time, and what the prompt stated. I can’t think of any reason for it to do so, but on the other hand every other twitch prompts a “security” warning these days, and you have to type in your password hundreds of times on a new system. This isn’t the software doing it though, technically, nor do such things grant the software greater permissions, outside of the scope of the one narrow thing you just approved.

As to the rest, I think you have some information that isn’t quite correct.

• Any cloud service, bouncing back and forth a time-stamped zipped backup.
  (That’s one alternative. Although I’m not a fan. I consider it risky to some extent. Too exposed to user error to my personal taste. – Safe on the technical side, though.)

• Your project on a thumb-drive (USB 3.0) rather than on your hard-drive (along with meticulous/systematic local backups – on the computer itself, or on a cloud, or both, … anything but, on the thumb-drive itself –, in case you lose it), is another. ← I have been doing this for years, never had any issue.

But…

I’m not sure what the link implies, but this is absolutely something Dropbox is doing that is, at best non-standard, and truthfully unsafe, making them untrustworthy. This happened prior to the latest beta. It’s been happening awhile. Dropbox wants admin access supposedly to implement advanced features, integrating with the OS. But even with those features turned off Dropbox is asking for your system password. Dropbox no longer behaves the way you tell it to. It is trying to pull tricks under the hood.

I repeat. Dropbox is no longer trustworthy. There are other discussions of this on the internet. This isn’t just me.

Thank you. I have Scrivener backed up ten ways to Sunday. But I’m more concerned with syncing than backing up. I have custom python scripts that backs up both Scrivener and Calibre with multiple redundancies. Syncing to the iPad now involves manually downling the .scriv file from Dropbox via the browser. Deleting the .scriv file in the browser. Making chaninges locally. Uploading the .scrive file to Dropbox via the browser. Then deleting the local .scriv copy. Hardly efficient.

Luckily my process really has only one project that I sync with iPad, a project which is used exclusively for syncing. Once synced to the laptop, things then get distributed out to the various projects.

It’s all very convoluted. As it’s 2025, it feels like this should be worked out.

That was my reply.
It wasn’t about backups, at all.

You asked for sync alternatives, a gave you two. (I’m neither a dropbox user nor a Mac user, so that’s all I’ll say.)

See here: Dropbox Responds to Mac 'Security Risk' Accusations [Updated] | MacRumors Forums

And here: https://www.dropboxforum.com/discussions/101001016/dropbox-now-requires-authentication-in-macos-high-sierra-10-13-4/270720

And here: Should you drop Dropbox? – The Eclectic Light Company

Some of these are from 2016 and it’s still happening. This is how Dropbox wants it.

I’m using Scrivener and Dropbox in a test environment in Tahoe and not having any issues.

My Mac account is an admin account.

As for the ‘Dropbox is no longer trustworthy’, that’s sweeping claim.

It is a sweeping claim. And I stand by it. Did you follow the links I included?

Are you saying that Dropbox did not ask for your password?

I can’t really speak to the veracity of these ten year old articles and threads. Whether they are accurate (I see a lot of fundamental misunderstanding of how macOS works in them for example, thinking Dropbox is asking for passwords when its the OS doing it). I can say with much more confidence that back in 2016 the mechanisms Dropbox was using have almost nothing to do with the mechanisms they use now. The technology they use now is much closer to iCloud Drive in fact, than what they were doing back then.

But, this is all rather beside the point where it comes to Scrivener. As I noted in the linked to post, Scrivener has no dependency upon Dropbox, and anything it does wouldn’t be causing it to crash (on a stable OS version anyway). It is wholly unaware of it, just like it is unaware of any other cloud service you might choose to use—and as pointed out at length, almost everything out there is safe to use. Scrivener opens and saves files to your disk. Cloud services modify the disk. They are not connected to one another in any fashion.

So if you don’t like Dropbox, use something else, no big deal.

The only argument you might have is for iOS to work differently, but we can’t really do a whole lot there, other than remove syncing entirely. Nothing else is suitable. So having some option, that one might opt-in to using, is in my opinion better than nothing.

Right. My problem isn’t with Scrivener per se. My point is that Dropbox is increasingly behaving like malware. Whenever the question gets asked — and I believe this comes from Scrivener as a company — if there is a way to sync Scrivener, the answer is that only Dropbox doesn’t mess up the files. It is a recommendation to use Dropbox. If no other service reliably syncs without messing up the files, then Scrivener doesn’t really have the ability to sync without Dropbox.

Maybe I’m just missing something.

Well that’s my question, are they increasingly acting like malware, or did they for a time work a certain way, that some might conflate with that term, that they now no longer do. Back in 2016, I suppose if you want to get really broad with your definition of malware, you could make that case. It, like other software of a particular kind, modified the OS itself to make itself work better (at least that is how they put it). So would drivers, or even some Apple software, or virus scanners… that in and of itself isn’t “malware”. It’s what you do with that power that matters.

But again, it doesn’t, and cannot, work that way in 2025, so whatever was being done back then is not terribly relevant. What it does have to do now is ask the OS for rights to do certain things (like put icons on your folders), and then the OS turns to you and throws up a permission dialogue with an admin password. That’s not Dropbox demanding anything, or Dropbox rootkitting itself, it’s you telling the OS that it’s okay for this program to add icons to Finder (or whatever is being asked about). All of this is done with extensions and entitlements these days, and yes you have to pound out your password over and over for every program that might want to do more, but can’t, without you saying it can. Scrivener is going to need those too, pretty much everything will given how broadly Apple defines “security”.

Again I can’t and won’t defend Dropbox here, I don’t know anything about them, but everything you’re showing me is just that, what I described above. And yeah, some of that might crash in the beta OS right now, who knows.

…and I believe this comes from Scrivener as a company — if there is a way to sync Scrivener, the answer is that only Dropbox doesn’t mess up the files

I just linked you to a thread that explicitly says the opposite! What you are stating was always a misconception, or at the least a misunderstanding of statements made about how the iOS version works (which doesn’t depend on Dropbox either, as I say it is opt-in).

Right. My problem isn’t with Scrivener per se.

Okay, well you started with: “Scrivener is proving itself to be unsafe now, demanding admin access in order to [function]…”, and I still don’t see my follow-up query about that claim being addressed.

Well the statement I meant to type was Dropbox is proving itself to be unsafe now, so my bad for mis-typing. But I cannot emphasize enough that Dropbox IS increasingly misbehaving … behaving like malware … being malicious … insert whatever phrase works. This isn’t my imagination. And this isn’t something that happened in 2016 and is no longer relevant. It is in fact more relevant today. I’m emphasizing this because Scrivener users need to be made aware of this. No other syncing service that I use asks for your password this way. Again, they only need these permissions to do new-fangled things. If those things are turned off, then they don’t need increased permission. And even when they do need deeper access, they are going about it in a way that exposes the user, poking holes in the users security.

I’m not being paranoid here. This is an issue.

Sorry, I did not mean to imply you were being paranoid. At most I just wanted to point out that software needing to ask the OS for permission for you to do stuff is not at all atypical, and does not imply malicious intent, in and of itself, which seems to be the thesis here. It’s an infrastructure that Apple built that is meant to be used by software.

My text expander needs the password typed in to work, because without that it couldn’t monitor keystrokes and change the text as I type it. BetterTouchTool needs several different kinds, and I have to type in the password multiple times to get it working, to do all of the things it can do with the keyboard, mouse, trackpad, other devices and window management. Maybe your other cloud sync doesn’t have a right-click action to “Share link” or whatever Dropbox adds to the context menu these days, so you don’t get a permission request.

These things in and of themselves are not categorically evil. To reiterate, it is a system that is functioning by design, and it is expected that some programs won’t work right at all if you don’t give them permission to do what they are designed to do.

By all means, if you’ve got a modern security article that shows Dropbox is hacking Macs right now, then yes, people deserve to know that. But all I saw along those lines was a misunderstanding of how kernel extensions worked back in 2016.

Well I read through the thread you linked.

[By the way, other services also do need increased permission, they just go about it in a way that isn’t suspect. You used the word 'opaque 'to describe iOS in the thread you linked. I think that’s the right word for what’s going on with Dropbox. There are settings in Dropbox that supposedly allow you turn off Dropbox monitoring the system, but they are false settings. Dropbox continues to misbehave even when you’ve told it to stop. What’s more, increased permission is handled through the OS and can be accessed through the official settings. There is no need for a service to ask for your password in order to get permissions.]

Anyway, the larger issue is reliable sync. My understanding is that iCloud is as reliable as Dropbox, as per your statements in that thread. Is that still true? Does this work for iOS/iPadOS?

[On a related matter which might be unwelcome input from me: I’ve often wondered why Scrivener didn’t just read and write directly to and from a zip file. I can do this through the command line using python. It’s a fairly simply matter. You wouldn’t even need to change the underlying code base, just simply write a layer which handles whatever reading and writing Scrivener is doing and the passes those read and writes through the layer. This would change it from a file structure to something at least treated as a file. But again, maybe I’m misunderstanding.]

The crazy part is that Dropbox (every software, actually) used to be much more “dangerous” in the past, but appeared more safe without all the current restrictions and permission-requests. It’s a paradox.

Again, I don’t think people are seeing the difference between what Dropbox is doing and what other services are doing to gain increased permission. There is no need for them to directly ask for your password. This is a false-equivalency.

That’s true, and if it’s actually Dropbox asking for your password, something went seriously wrong. I suspect the culprit is rather the current macOS beta and how it presents this permission-request. Since Apple forced them (and everyone else) to use the OS’s cloud-storage system instead of several different proprietary ones, there’s actually not much they could do outside of that and certainly don’t need “special” permissions for anything.

Well I think that is the main question here, are they even doing that? Everything I’ve seen looks like a regular macOS permission password box to me.

That’s why I was suggesting that an up-to-date audit from a reputable security source would be a good next step here in supporting the assertion.

There are settings in Dropbox that supposedly allow you turn off Dropbox monitoring the system, but they are false settings. Dropbox continues to misbehave even when you’ve told it to stop.

These things I don’t know about, I haven’t used the client in over 10 years I think. It’s been ages. I don’t really follow the description though, how would sync do anything at all if it can’t monitor your files?

Anyway, the larger issue is reliable sync. My understanding is that iCloud is as reliable as Dropbox, as per your statements in that thread. Is that still true? Does this work for iOS/iPadOS?

Yes, iCloud Drive and Dropbox are very similar, based on very similar technology using the FileProvider infrastructure on the Mac. What is different are the features and presentation. I personally would not choose iCloud Drive for any reason, as I feel that’s an overall feature downgrade from Dropbox. There are plenty of better options out there beyond the mainstream megacorp sync services in my opinion.

Almost all sync services integrate with Files.app on iOS, by the way. With a program like Scrivener that also gives you access to its storage in Files, it’s a matter of mere basic file management to use anything you want. There are few limitations these days, whereas in the past you did need some contortions if you didn’t want Dropbox syncing. The one I use, Tresorit, works fine, and I regularly copy Scrivener projects to and from it, for mobile review or gathering notes.

I’ve often wondered why Scrivener didn’t just read and write directly to and from a zip file.

There are older threads about that here and there. It is true that there are ways to edit zip files inline, but with Scrivener we do have to consider the scale of how it is used. While a 750kb ePub file (which is zip), or an 80kb DOCX (which is zip) can be edited inline just fine, I don’t know about a 120gb project, or if many sync services would look kindly upon a file that large. How much of that is going to have to be uploaded again after changing a few words?

Anyway, that’s a bit of a red herring, as I pointed out in that other thread, “package format” has never been an issue, because it is a fiction that only exists in your GUI, and indeed syncing folders of files, distributing that 120gb across tens of thousands of files, is the most efficient way to sync large amounts of information, and only change the small parts of that overall body of data that has been modified.

No. It’s fundamentally different. I see — well saw — nowhere in settings where I could allow/disallow permissions. This was defintely Dropbox directly asking for your password.

They need to monitor files in one folder. This is how Dropbox started. Now they’re monitoring when you take a screenshot, when you delete a file, download a file, etc. And I couldn’t get it turn off. It’s malicious. It’s all academic anyway. As I said, I’ve dropped Dropbox for good, after having used them since their creation as a company.

All the rest of that makes perfect sense and clears some things up. I think iCloud is becoming more resilient and powerful. It was a mess at the beginning. I think Apple is starting to truly figure it out. I also use JottaCloud, so I’ll play with that as well.

I think the old message of only use Dropbox to sync is still in effect in most users’ minds. (And this was defintely a thing.) Maybe an information campaign to get the word out would clarify things for people.

Thank you for taking the time to engage with me.

Michael