The flaw, now identified as CVE-2014-8889, was found inside the Dropbox SDK (software development kit) for Android and could have enabled an attacker to insert an arbitrary access token, giving the attacker access to user information.
IBM built a proof-of-concept exploit that it calls “DroppedIn” to test the impact of the vulnerability. Using the exploit, IBM found that 76 percent of the apps it analyzed that leverage the Dropbox SDK were at risk from the flaw.
The vulnerability affected only the Dropbox SDK as used within Android apps; there is no indication that users of iOS or other operating systems would be affected. To be clear, it’s not Dropbox for Android itself that’s the big risk, but all of the apps on Android that leverage the Dropbox for Android SDK.