A 4-digit passcode cannot be brute forced if the application is dependent upon an external service. After N bad attempts, lock the user (which I'm sure dropbox does.)
The default lockscreen passcode works the same way. After several attempts it will lock the phone and prevent further access for some time.
Brute forcing a PIN on iOS is not particularly practical in the same way brute forcing auth via a script isn't practical (so long as the system wasn't designed by idiots).
Sure, my point is just that a server-side check is immune to attack (assuming the server is not compromised.) A client-side check is subject to other exploits allowing the attacker to get around it.
Either way, you're right, it's pretty much a given that brute forcing a 4-digit passcode in iOS is far from easy, regardless of context if the developer knows what they are doing.
