27 Oct
Last Updated: October 29th, 2011

Hot on the heels of the previous privacy/security advisory about A.I.type Keyboard sending your keystrokes to the cloud in plain-text, some of our commenters pointed out another, much more popular app that does something similarly privacy-invading.

Description

As it turns out, Dolphin HD, one of the top browsers the Android platform has to offer, sends pretty much every web page url you visit, including those that start with https, to a remote server en.mywebzines.com, which belongs to the company. In fact, the WebZines feature was introduced only recently back in June with version 6.0, so it's safe to say this tracking started around the same time.

I've fired up a packet sniffer and indeed found every url I visited, including AndroidPolice.com, Gmail on https, reddit, etc. instantly sent to en.mywebzines.com, in plain-text at that. Now, the latter is not as important, as your http requests can already be sniffed by anyone on the local network, but the fact that every single url is reported to Dolphin's headquarters is more than disturbing.

Note: To be clear, the data reported includes only urls and not contents of web pages themselves.

I wasn't able to find a privacy policy that covers this aspect of Dolphin (i.e. the app itself), and frankly I don't think an official document that confirms these intentions exists. Did they really think somebody wouldn't notice?

Implications

Update: Dana from Dolphin Browser's PR team got in touch and let us know a fix is incoming. She also said that "there was never any privacy or security breach or cause for concern". Damage control, we get it. The fact that all these urls were reported to a central server is already a privacy violation, and we can only take their word that a database never existed or was destroyed, and never breached.

More details: "The newest version of Dolphin HD for Android 7.0 relays browsing information to a Webzine-specific URL. This information was never stored on our servers, and no browsing information has been captured about our users.

For some background, with Dolphin HD for Android 7.0, we rolled out a handful of updates to our Webzine feature. One of these is a "Toggle Webzine" button to view your current webpage as a Webzine. We currently have around 300 Webzines, and it was necessary for the client to check the current user URL against a database housing these 300 Webzine columns, which is what has caused this concern. None of the URLs have ever been stored by Dolphin, but were being used to cross-index if a Webzine for the current site exists. If it does, the current site is immediately converted to Webzine format; if not, it remains the standard mobile site. Again, none of this process is stored on the backend of our servers.

Note that this functionality has been completely removed for the time being.

We'll have a blog post up soon that will explain more."

Update #2: The Dolphin team posted a response on their blog, which tries to explain what they were trying to do (i.e. match every location you visit against a whitelist of about 300 webzines - an amateur solution from a programmer's point of view). They said the feature is turned off, and they'll be working on a toggle in the future. However, I don't see an update in the Market, so it looks like they just turned it off on the server, which means all Dolphin HD clients are still sending urls around. Sending every url you visit, including https, GET params, and path is really not the right solution to a problem of checking against a small whitelist. I hope a much less privacy-invading solution is put in place soon.

Update #3: The Dolphin team apparently thinks they fixed this issue in 7.0.1 on October 24th. I beg to differ - I was testing using 7.0.1 all along and just re-verified it again.

Update #4: An updated version of Dolphin HD (7.0.2) fixes the issue.

  1. Dolphin's servers collect information on websites visited by anyone using the Dolphin HD browser (tested on latest v7.0), including your searches and query parameters.
  2. These requests are sent over in plain-text, which exposes these urls to clients on the same network. While this is not a huge problem with http urls, as those are already sent out in plain-text, it does include https urls, which would otherwise be concealed by SSL (see this for more info on how SSL encrypts server and path information).
  3. It's worth noting that Dolphin Browser has Chinese roots (just how deep they are is unclear, but the url mgeek.mobi which was used to communicate with us when Dolphin was launched is registered in China), though both dolphin-browser.com and mywebzines.com are now hosted on Amazon AWS in the U.S. on the same IP range. I have nothing against China or the company itself, but do we really have to have our private information broadcast to a foreign company (unless you're from China, of course - then you'll feel right at home)?

Dolphin Mini doesn't seem to be affected, based on my analysis.

Technical Details

Let's take a look:

1. I request http://www.reddit.com/r/android. Dolphin sends a request to http://en.mywebzines.com/v3/columns?u=http%3A%2F%2Fwww.reddit.com%2Fr%2Fandroid&t=1319729827910. As you can see from the packet dump below, the request gets sent over HTTP unencrypted and pings Dolphin's servers with the url.

[image: packet dump of the request to en.mywebzines.com]

In a similar vein, my other requests were also ratted out.

2. One of the posts at http://www.androidpolice.com.

[image: packet dump]

3. Gmail with https.

[image: packet dump]
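To make the leak concrete, here is an added example (not code from the post or from Dolphin/MoboTap) that scans capture lines in the ngrep-style layout Fnorder quoted in the comments (`!!` standing in for CRLF), pulls the page URL out of the `u=` parameter of each `/v3/columns` request to en.mywebzines.com, and reports which parts of it an on-path observer learns. The capture lines themselves are constructed from the request format shown in the post; the hostnames in `LOCAL_WEBZINE_HOSTS` are placeholders illustrating the on-device check the post argues should have been used instead of sending every URL out.

```python
"""Decode what the Dolphin HD Webzine request leaks (added example)."""
from urllib.parse import urlsplit, parse_qs

TRACKING_HOST = "en.mywebzines.com"

# Constructed capture lines in the ngrep layout quoted in the comments.
# Lines 1 and 2 are Webzine look-ups; line 3 is an ordinary page fetch.
CAPTURE = [
    "GET /v3/columns?u=http%3A%2F%2Fwww.reddit.com%2Fr%2Fandroid&t=1319729827910 HTTP/1.1"
    "!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!",
    "GET /v3/columns?u=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fshva%3D1&t=1319729900000 HTTP/1.1"
    "!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!",
    "GET /r/android HTTP/1.1!!Host: www.reddit.com!!Connection: Keep-Alive!!!!",
]


def leaked_url(capture_line):
    """Return the page URL carried in u= of a Webzine request, else None."""
    parts = capture_line.split("!!")
    request_line, headers = parts[0], parts[1:]
    host = next((h[len("Host: "):].strip() for h in headers if h.startswith("Host: ")), "")
    fields = request_line.split(" ")
    if host != TRACKING_HOST or len(fields) != 3:
        return None
    target = fields[1]
    if not target.startswith("/v3/columns?"):
        return None
    return parse_qs(urlsplit(target).query).get("u", [None])[0]


def exposure(url):
    """Describe what an observer of the plain-text request learns.

    For an https page only the hostname is normally visible on the wire
    (via DNS or the TLS handshake); path and query are protected by TLS.
    The Webzine request hands those over in the clear."""
    p = urlsplit(url)
    return {
        "scheme": p.scheme,
        "host": p.hostname,
        "path": p.path,
        "query": p.query,
        "tls_protected_parts_exposed": p.scheme == "https" and bool(p.path or p.query),
    }


def scan(lines):
    """Report every leaked URL found in a capture."""
    return [exposure(u) for u in map(leaked_url, lines) if u is not None]


# The on-device alternative: a local list of Webzine-enabled hosts
# (constructed placeholders), consulted without any network request.
LOCAL_WEBZINE_HOSTS = {"www.androidpolice.com", "www.reddit.com"}


def has_webzine_locally(url):
    """Same decision Dolphin made server-side, with nothing sent anywhere."""
    return urlsplit(url).hostname in LOCAL_WEBZINE_HOSTS


if __name__ == "__main__":
    for finding in scan(CAPTURE):
        print(finding)
```

Running the scan over the constructed capture flags both Webzine requests and marks the Gmail one as exposing path and query that TLS would otherwise have hidden, which is exactly the https point made under Implications; the unrelated reddit fetch is ignored.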

Temporary Workaround

If you are rooted, you can block en.mywebzines.com permanently on your device by adding the following entry into /etc/hosts:

127.0.0.1 en.mywebzines.com

To simplify this process, you can use Hosts Editor from the Android Market (tip: if you see # in front of any entry, that means it's commented out and will not work).

After this you may need to reboot to flush the DNS cache. You can test whether the fix worked or not by going to http://en.mywebzines.com in any browser and seeing if it loads an empty page with title Webzine (fix didn't work) or doesn't connect (fix worked).
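As an added check (not from the post's author), the following script parses a hosts file the way the resolver does and reports whether en.mywebzines.com is mapped to loopback by a live, uncommented entry. The sample hosts contents are constructed and include the commented-out line the tip above warns about; the live lookup at the bottom mirrors the browser test described in the post and assumes the device's resolver honours /etc/hosts.

```python
"""Verify that a hosts-file block for the tracking host is in effect (added example)."""
import socket

BLOCKED_HOST = "en.mywebzines.com"

# Constructed hosts-file contents: the first block entry is commented out
# (so it does nothing), the second is live and carries a trailing comment.
SAMPLE_HOSTS = """127.0.0.1 localhost
# 127.0.0.1 en.mywebzines.com
127.0.0.1   en.mywebzines.com   # block Webzine URL reporting
"""


def active_entries(hosts_text):
    """Yield (ip, [names]) for every uncommented, non-empty hosts line."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:]


def is_blocked(hosts_text, host=BLOCKED_HOST):
    """True if host is mapped to a loopback address by an active entry."""
    return any(ip in ("127.0.0.1", "::1") and host in names
               for ip, names in active_entries(hosts_text))


def resolves_to_loopback(host=BLOCKED_HOST):
    """Live check through this machine's resolver; None if lookup fails.

    On a device whose resolver reads /etc/hosts this is the same test as
    loading http://en.mywebzines.com in a browser and seeing it fail."""
    try:
        return socket.gethostbyname(host) == "127.0.0.1"
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print("sample file blocks host:", is_blocked(SAMPLE_HOSTS))
    with open("/etc/hosts") as f:  # on Android the file lives at /etc/hosts
        print("this device's hosts file blocks host:", is_blocked(f.read()))
    print("resolver returns loopback:", resolves_to_loopback())
```

If `is_blocked` reports True for the file but `resolves_to_loopback` still returns False, a cached answer is the usual cause, which is why the post suggests a reboot after editing.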

Bad Dolphin, bad!

Thanks, Christopher, for the original tip.

Image credit

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • Harish

    If AndroidPolice wasn't there, most of the people who don't have technical knowledge wouldn't know about these risks/consequences. Thank you so much for this update. Though it's a hackneyed statement, I am going to say it loud: "YOU GUYS ROCK".
    Cheers.

    • Meagan

      I just installed the app the other day. It lagged everything, including viewing my pictures in my gallery. So there must be more to this app.

    • serious_beans

      I don't see how this is a problem; it just sends what websites you're going to. How is that a privacy concern? It doesn't send any personal info, not like anyone can steal personal info.

  • http://www.AndroidPolice.com Artem Russakovskii

    Fun fact: this is the image I was originally considering for this article. http://3.bp.blogspot.com/_StX-X72vqGM/SmlmZAwDiYI/AAAAAAAAAU4/mNCtlnFAwzY/s400/unicorn+dolphin.bmp

    • http://www.gradweil.de alvinx

      you should have picked that image, hahahaha !

  • Todd

    I gotta say, articles like this are why you guys are my preferred site for Android news now. Nice find.

  • Digs

    Thank you for the heads up. This sux as I am using Dolphin because i cannot get the stock browser to load Adobe Flash after it stopped working. Dolphin works fine. Running CM7.1, N1.

    • Nocturnhabeo

      download the Adobe flash app

      • Digs

        Doesn't work 10.1 and up to 11

    • Adam

      Or try any of the many other alternative browsers out there...Miren, Opera, Firefox, etc...

  • TOMMMMMM

    Artem,
    Any input on the way Dolphin backs up your data using the Dolphin "Data Backup" option? I don't know if it's common practice or not, but all your cookies, usernames, and passwords are stored in an unencrypted .db file easily accessible from your sdcard (and can be viewed in root explorer). If someone were to get a few mins with your device (or malware targeting this file were installed), they could pull all your info within 30 secs. Try it.

    • http://www.AndroidPolice.com Artem Russakovskii

      Yeah, looking into that next, thanks.

    • http://www.AndroidPolice.com Artem Russakovskii

      TOMMMMMM, can you point out which file it's stored in? I quickly scanned my sd card and didn't see this file. What's the exact location or at least file name?

      • TOMMMMMM

        Sorry I didn't get back to you sooner Artem, I was doing homework...
        It's in sdcard/TunnyBrowser/backup/databases/webview.db

        Of course you must make a backup first for it to appear.

        • http://www.AndroidPolice.com Artem Russakovskii

          I don't have that backup directory under TunnyBrowser.

          Edit: I was able to produce the file after selecting Settings, Backup, Backup to SD, but that's to be expected, as that's what you're asking it to do. The word "backup" should have clued you in.

        • TOMMMMMM

          @Artem,

          You have to make a backup first in the Dolphin HD settings for it to create the directory.

        • http://www.AndroidPolice.com Artem Russakovskii

          Well, what do you expect? You're telling it to make a backup, and it's doing what you told it to do. This is not a vulnerability.

  • http://androidactivist.org Nathan

    so to block this i download the app, put that in it and then have it checked right?

    • http://www.AndroidPolice.com Artem Russakovskii

      You don't need to have it checked - that checkbox is just for mass editing. Just make sure the entry is there and there's no # in front of it. See the end of the post for more detailed instructions.

  • Sam

    Easier workaround: uninstall dolphin

    • New_Guy

      Which I'm doing now

      • ddp

        Same here. Prefer the stock browser over Dolphin. I'm running the ICS port, and find it highly functional. There are a few bugs, but it isn't as buggy as I thought. I hope to roll with these betas until the official release.

  • BeDammit

    This is old news and the single reason I didn't use Dolphin or Opera "enhanced" browsing...
    Read the EULA and privacy statements when you install software ppl!

    sheesh!

    • Ryan S

      I'm not even a Dolphin user and I understood that it was basically like the new "Kindle Fire" browser. It's all a system where the local "browser" just sends the link to their servers, their big powerful servers do the rendering and then they send the page back.

      Little or no local processing.

      • rodalpho

        It's not, though. Dolphin doesn't do that.

      • http://www.AndroidPolice.com Artem Russakovskii

        Yeah, Dolphin doesn't do any kind of cloud processing, so a user wouldn't expect every url to be sent to a server that seems to deal with webzines, which is Dolphin's way of presenting RSS inside the browser.

  • sgtguthrie

    Anyone know if dolphin browser mini does this too? Maybe it's time to switch to firefox. At least until ics ;-)

    • http://www.AndroidPolice.com Artem Russakovskii

      Dolphin Mini is not affected - just confirmed that.

      • TOMMMMMM

        I use Dolphin Mini and it has the database security issue as well.

  • Jaz

    This is crazy. All these privacy problems better be fixed soon. I wonder if apps on the iphone have the same problems. Companies better start watching what they are doing. Consumers have a lot of protection like sites like these.

  • Dansport

    Thanks for that. I just installed Dolphin HD today and when I was just looking for tips on it I made a side track here. HOO boy! I think your thread even posted as I was browsing this forum.

    Does this mean that my lil 'ol Aria is sending every website I visit to the makers of the browser? Since I use browser bookmarks for so much, they know where I bank? Pay any bill? My e-mail providers? Comparison shop?

    This is very disturbing to me.

    • Dansport

      BTW, I posted a link to this thread at Android Central.

  • Kat

    Can you please verify if this also applies to Dolphin Mini and does it attach the info to your user ID? Thanks.

    • http://www.AndroidPolice.com Artem Russakovskii

      Confirmed Dolphin Mini is not affected.

      • Digs

        On the info for Dolphin Mini in Market, it states that all bookmarks and browser URL history is copied.

        • http://www.AndroidPolice.com Artem Russakovskii

          No, it doesn't say that. The only thing it can sync is bookmarks, and those need additional setup and approval from you.

  • Darryl Wright

    I am not positive but it appears that Dolphin is the native browser on the Asus Transformer tablet. I'll be interested to see if this occurs there.

    • James

      Dolphin is NOT the default browser on a transformer.

  • bit

    I think opera mobile is the superior browser on Android at this time. It is near desktop capable. Once we get ChromeDroid that will likely change.
    I suggest everyone give it a try.

    Dolphin mini, or any other proxy browser does not cut it for me. I have no desire to send my bank login or browsing history to anyone.

  • Mike

    Good to know, dolphin browser performs awesome though. Not going to change it for just this. But still, good to know about, thanks.

  • brandon

    Nice find thanks. What's a better web browser to use then?

  • Sjogren

    Where does MoboTap Inc. provide information on how usage of their app will be collected? I am thinking of starting a petition to get things rolling. A petition may not do a lot but, it will let MoboTap Inc. know that we are against such practices.

    Update: The petition is online. After a long time debating and hearing input from people I know IRL, I have decided to put it online. There may be people opposed to such a petition but, I personally do not like their information collection practices.

    http://www.change.org/petitions/mobotap-inc-revise-the-privacy-policy-for-dolphin-browser-hd

  • Sjogren

    I am open to advice/opinions concerning the petition. Sorry if I sound like a nag...

  • Zohan

    as someone obviously not as technical as most of the writers/users on this site, can anyone confirm if Opera Browser does the same thing?

  • http://paralap.blogspot.com Glainskurt

    What browser am i gonna use now??? OMG! this is horrible!!

  • Mei

    As nice as Dolphin is, good thing I still only just use Honeycomb stock browser.

  • Robin

    Wow. Am uninstalling! Thanks so much for shining a light on these unacceptable practices!

  • wicked six

    Not seeing why this is a big deal. Possible access to the passwords etc., yes; reporting general web URLs, so what? It's not sending your password and everything, right? I've used Dolphin browser from day 1 on my OG Droid till now with no issues or complaints and will continue to do so.

  • Btod

    DAMN! When Android Police talks, people listen! Thank you for bringing these issues front and center and forcing companies like HTC and Dolphin Browser to fix discrepancies in their products. And thank you for maintaining the journalistic integrity and professionalism to have a voice needed to be heard so loudly and taken seriously. I use the HTC Thunderbolt and used Dolphin HD so these issues directly apply to me.

    • _thalamus

      'And thank you for maintaining the journalistic integrity and professionalism'

      Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha. You missed sensationalism and melodrama.

      This whole thing makes me laugh. If any of you complaining on here cared about privacy, you wouldn't be using Android. Google is the biggest data miner of the lot. But still, stay in your dream world lol.

      • Yamba

        Thalamus statement is spot on !

  • SHADOW-XIII

    Is there packet sniffer I could install on Android and sniff any app on my phone? Would love to do some testing myself, got loads of app and would be nice to see what they send

    • http://www.AndroidPolice.com Artem Russakovskii

      Wireshark (just called Shark in the Market).

  • Shaun

    I encourage everyone who downloaded this app from the Android Market to change or leave a review with this info in it. Maybe that flood of 1-stars would get Dolphin's attention.

    • http://www.AndroidPolice.com Artem Russakovskii

      We've already gotten their attention - see the update in the post. They'll be posting a message on their blog in the morning.

    • Mike

      They've already begun their 5 star faux-review damage control. Since the issue began, lengthy 5 star reviews have been replaced with 1 and 2 word 5 star reviews with extremely generic names. Pretty obvious they're padding their current rating. Makes the issue an even bigger slap in the face.

      • Simon Belmont

        Heh. I noticed that too.

        It's a shame that this reared its ugly head, but I am glad that Android Police watches this stuff. I really like Dolphin HD Browser and I use it on my B&N Nook Color, but I will switch to stock until this is resolved.

  • Iamsra

    Excellent...I fixed it by following the instructions...a couple of flops but finally it is working.
    Surely Dolphin knows... Won't they find a way out?

  • janner

    Does this flaw also apply to Dolphin for Pad? Can't see any mention of the webzine "feature" there.

  • mydragoon

    lucky for me... i uninstalled when the new version requested some additional (and new) permissions, including start service when phone starts up (or sth like that).

    sad to see dolphin's turned to the darkside (?!) coz i really liked using it.

  • Maz

    gave up on Dolphin HD a while ago, now using MIREN browser, faster and nicer

  • Niclas

    This is funny. I tried this 127.0.0.1 en.mywebzines.com in etc/hosts and it works perfect on my HTC Desire S, but won't work on my SonyEricsson Xperia ARC. Can't figure out why.

    • Doug

      Doesn't work on HTC Thunderbolt either - rooted - tried using Host Edit app...but it still lets me go to whatever sites I put in there with 127.0.0.1. I wonder if some phones just won't let you truly edit the hosts file?

      • http://www.AndroidPolice.com Artem Russakovskii

        Try restarting?

  • LJ

    Another workaround if you have AdAway installed is open the app, press the menu button, select 'Your Lists', add en.mywebzines.com to your blacklist & reboot.

  • Christopher

    I note their statement didn't actually say they'd remove this behaviour from the app, nor did it address the lack of a privacy policy for this.

    Though their blog post seems to suggest in future there will be a way to disable this feature:
    http://blog.dolphin-browser.com/2011/10/27/webzine-does-not-store-user-data/

    That would be great, as it's not a feature I use -- and to send every URL to a server, just to check whether it matches against a mere 300 WebZine-enabled sites, is pretty stupid.

    I wrote a comment on that blog mentioning that even if they do not actively store URLs sent to en.mywebzines.com, the data is likely still held in their web server log files for a long time. Hopefully they address that too.

    • http://www.AndroidPolice.com Artem Russakovskii

      Exactly - if they disable the end point, it doesn't prevent every Dolphin HD app out there from sending the urls like it's nobody's business.

  • TBolt

    I still love the Webzine feature in the Dolphin browser. I'm glad Dolphin is explaining the situation.

    I would have preferred that AP obtained an explanation from Dolphin before setting the forest on fire. hehe

  • http://chriswaldron.com Chris W

    Thanks! the question is, which packet sniffer did you use and how can we set that up for our phones?
    I'd love to track incoming and outgoing requests on my phone to see what apps are trying to do what.

    • http://www.AndroidPolice.com Artem Russakovskii

      See above - I've answered it (Shark).

  • Dansport

    "None of the URLs have ever been stored by Dolphin, but were being used to cross-index if a Webzine for the current site exists."

    In order to develop their webzine wishlist they would have to store a record of known visited urls. Now, I don't know whether or not they stored personal info along with the urls but they did this without disclosure, anyway. There are altogether too many perps out there to trust anyone who even looks like they're invading our privacy.

    This P. O.'d me so much I've uninstalled it and reviewed their app on the Android Market with one star and a link to this thread. I'll follow along patiently and wait to see if they actually correct their mistake before I take any further action.

  • Greg

    I had an update for Dolphin HD this morning. Looking at Dolphin's Blog, it looks like this update removed the URL sending that was mentioned in this article. I look forward to update to see if my assessment is correct. I will have to pay closer attention to future Dolphin HD updates.

    I like the browser too much to quit it just yet, but I will definitely be more cautious with it.

    • http://www.AndroidPolice.com Artem Russakovskii

      I don't see any updates here: https://market.android.com/details?id=mobi.mgeek.TunnyBrowser or in my My Apps on the phone. As far as I can tell, there was no client update.

    • http://forum.xda-developers.com/showthread.php?t=1319529 Fnorder

      Incorrect, as of v7.0.1 (buildid 105):
      T 10.23.1.220:39660 -> 50.17.123.77:80 [AP] GET /v3/columns?u=http%3A%2F%2Fwww.androidpolice.com%2F2011%2F10%2F27%2Fprivacy-advisory-dolphin-hd-sends-url-of-every-page-you-visit-to-a-remote-server-in-plain-text%2F&t=1319821734304 HTTP/1.1!!Authorization: 36449c34526e97af184d2576965dd5d9!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!

  • h8t

    Uninstalled...don't need them to look at my porn surfing habits...even if they update and remove this, it's a day late and a dollar short.

  • http://www.theandroidvibe.com Troy

    Well done. Thank you for posting about this security issue. That's why Android Police is my hero!

  • http://cafe-ti.blog.br Alroger Jr

    Thank you! Another block for my hosts file.
    Damn, sometimes URLs carry lots of info.
    What's a webzine anyway? I never asked to use it.

    • http://www.AndroidPolice.com Artem Russakovskii

      It's a glorified RSS reader - changes the UI of the page to something they think is prettier or better, which it arguably isn't (I never ended up using it). IMO, totally useless feature.

  • Graham

    Wow. Thanks, Android Police. Major kudos for catching and pursuing this.

  • Ryan

    If there are only about 300 sites it checks against then why not just locally store those urls? Seems a lot easier, and less processor/network/server intensive.

    • Aaron

      Actually it wants to check whether the site supports the integrated Webzine. It is not a whitelist but a service for users.
      Best solution for this issue: update to the latest 7.0.1 on the Android Market, which disabled the Webzine discover feature.

      • http://www.AndroidPolice.com Artem Russakovskii

        No, it doesn't. All of my tests were done just yesterday with 7.0.1.

  • http://androidblog.site666.info android underground

    The update to v7.0.1 removes the C2DM background process for those who don't use Dolphin's bookmark sync service, but it still sends your URLs to en.mywebzines.com. Even though Dolphin said on their blog that it doesn't do that anymore.

    More here:

    http://androidunderground.blogspot.com/2011/10/dolphin-browser-washed-looks-clean.html

    http://forum.xda-developers.com/showpost.php?p=18846320&postcount=114

    According to the small print Dolphin is a mammal, but it smells fishy anyway.

    • http://www.AndroidPolice.com Artem Russakovskii

      You're correct, verified it as well. The tests in this article were done on 7.0.1. I even remember getting the update and thinking maybe they've addressed it, but nope.

      • http://androidblog.site666.info android underground

        The good news is that the new update fixes the problem. No more URL snooping in version 7.0.2.

  • Dav

    First, thank you Dolphin Police for making us aware of this issue!
    Second, I thought it only fair to post the response I received from Dolphin in response to an email inquiring about this issue:

    "Thank you so much for letting us know the issue.
    Actually, we never store our users' information. With roughly 300 Webzines supported at the moment, it was necessary for our client to check the current user URL against a database housing these Webzine columns, which is what user Fnorder at XDA-Developers referred to. But none of these URLs have ever been stored by Dolphin, instead being used to cross-index if a Webzine for the current site exists. If it does, the current site is immediately converted to Webzine format; if not, it remains the standard mobile site.
    Again, none of this process is stored on the backend of our servers and we are deeply sorry that this was not made clear to our users from the beginning.
    Besides, we have already temporarily removed this functionality in the latest update Dolphin Browser HD v 7.0.1. Hope you will continue to support us."

    • TBolt

      This really isn't a BF'nD. I appreciate the investigation, but it's been blown way out of proportion.

    • http://www.AndroidPolice.com Artem Russakovskii

      This is inaccurate, all of my tests were done just yesterday with 7.0.1.

      • Dav

        Hi Artem, Just thought i would mention that my reason for posting the response I got from Dolphin was for fairness, and to keep the conversation productive.
        I appreciate your response to this! Please continue to stay on top of this issue, it is important to many of us!

  • Ytram

    This is so idiotic. At the very least they should hash the URL before they send it over. Geez.

  • Scott

    Even though I don't use Dolphin, Opera works best and suits my needs the most, at no time did I ever think they would do anything malicious. I've seen numerous articles on other sites that accuse honest devs of something malicious, doing them great harm, and only afterwards when the dev contacts the site do they issue a response. A responsible writer with at least an ounce of integrity would at least attempt to contact a dev to get their response before going off half cocked. Still every page hit counts I suppose.

    • http://www.AndroidPolice.com Artem Russakovskii

      Dolphin got plenty of warnings, yet their software kept sending data out.

  • Castaway

    Why store the whitelist at a remote server anyway, therefore necessitating the sending of URLs over the net? Why not just retrieve the list to the device when the browser is started and do any webzine checking on the client side? Nothing in Dolphin's reasoning thus far indicates that the check cannot be done on the device.

  • zzzda

    Shame that. It had really good looking text display and was a fast browser, but this webzine shit slows it down. Too bad there isn't an option so you can't switch it off totally.

  • Dansport

    Fnorder at

    http://forum.xda-developers.com/showthread.php?s=80f0ee05358a85eea4bd70ecf43d9545&t=1319529&page=13

    says the issue is fixed in version 7.0.2 (106). He's good, but didn't post test results from the new version. I want technical verification and I just don't know about all that packet sniffing and stuff: I just want to use my phone. That's why I come here. Artem, I like your results and your reasoning. Would you please run those tests again on v. 7.0.2? It would relieve me - and I'm sure a lot of people - to get verification that their snooping stopped.

    • http://www.AndroidPolice.com Artem Russakovskii

      Yeah, it's fixed in 7.0.2 - I verified it (the update is in the article).

  • thankfully not a Dolphin user

    For the Dolphin folks:
    Since you only have 300 webzines, you can't have their URLs stored locally to check? Whoever taught you to program should be fired. You waste bandwidth, time, and privacy for a lousy check of a list of 300.

    Here's a hint - I assume ANY information my system sends to elsewhere IS being stored & used. Why? Because once it leaves my system, I have no control. So, anything that sends information elsewhere, without upfront telling me, and giving me the option to say "NO" will be uninstalled and comments to not use that APP will be posted on appropriate forums.

  • Dansport

    Thanks for all your work. Having seen such diligence, I trust you guys. I reinstalled Dolphin and added comments to other forums where appropriate. You may have more followers than you know.

  • Dave

    What the heck is a webzine anyway and why do Dolphin keep banging on about them? I just want to see the damn page.

  • Hank Hill

    Does anyone know if this problem applies to Dolphin on iOS?

  • chuck

    Great job! Thank you
