Right, the Dropbox app on their phone is asking the OS for contact info, which the phone generates and provides to the Dropbox app and only the Dropbox app. Any other app would get a different fake address.
Or are you talking about the scenario where competitor apps use some kind of sandbox escape to jump out and steal other apps' trap addresses from the OS?
I figure that's what @ceejayoz is talking about. This probably won't happen between 'mom and pop' apps, but maybe a failing SV unicorn might become desperate enough to pay $1MM, or however much a blackhat will ask for this service, to trash their main competitor.
Or are you talking about the scenario where competitor apps use some kind of sandbox escape to jump out and steal other apps' trap addresses from the OS?