"On February 6th I was notified that an updated version 4.0.6035 had been released which is supposed to resolve the issue."
It would have been useful to check whether that 'supposed' is true and if so, how they fixed this. Worst-case, they did the easy thing and obfuscated the strings.
I supposedly have the updated version (according to Box's about screen) and I still see values for api_key and client_secret in these files.
I can't say what they do or if it's a real issue, but it's troubling to still see values there. There are also a few other keys that don't look like they should be there...
It would have been useful to check whether that 'supposed' is true and if so, how they fixed this. Worst-case, they did the easy thing and obfuscated the strings.