The fact that any application can spoof the OS password prompt makes me wonder why they don't have a prominent feature to show the prompt is from the OS. On Windows there is the secure desktop with the dimming effect.
That reminds me of how Windows asks you to press "ctrl+alt+del" before typing your account password in some situations, because other software cannot intercept ctrl+alt+del so you know the login prompt is legit.
That was actually designed to avoid typing credentials into "faked" password dialogs. The above-mentioned "Secure Desktop" with dimming is not designed for that, but for the, rather hilarious, fact that it is trivial for a Windows program to hit any button on the screen it wants to. Having the permission requests pop up on a "Secure Desktop" prevents a malicious program from hitting the "Allow" button for its own permission request. The funny part is that this is the exact kind of functionality Dropbox is "hacking" itself access to.
Dropbox isn't hacking anything. They show the legit OS dialog requesting permission, and the user complies blindly.
Hence why I put hacking in quotes...? I'm just pointing out that Dropbox is arguably jumping through hoops to get access to functionality that Windows gives to basically anything that gets a toehold on your system.