Hot on the heels of the previous privacy/security advisory about A.I.type Keyboard sending your keystrokes to the cloud in plain-text, some of our commenters pointed out another, much more popular app that does something similarly privacy-invading.

Description

As it turns out, Dolphin HD, one of the top browsers the Android platform has to offer, sends pretty much every web page url you visit, including those that start with https, to a remote server en.mywebzines.com, which belongs to the company. In fact, the WebZines feature was introduced only recently back in June with version 6.0, so it's safe to say this tracking started around the same time.

I've fired up a packet sniffer and indeed found every url I visited, including AndroidPolice.com, Gmail on https, reddit, etc. instantly sent to en.mywebzines.com, in plain-text at that. Now, the latter is not as important, as your http requests can already be sniffed by anyone on the local network, but the fact that every single url is reported to Dolphin's headquarters is more than disturbing.

Note: To be clear, the data reported includes only urls and not contents of web pages themselves.

I wasn't able to find a privacy policy that covers this aspect of Dolphin (i.e. the app itself), and frankly I don't think an official document that confirms these intentions exists. Did they really think somebody wouldn't notice?

Implications

Update: Dana from Dolphin Browser's PR team got in touch and let us know a fix is incoming. She also said that "there was never any privacy or security breach or cause for concern". Damage control, we get it. The fact that all these urls were reported to a central server is already a privacy violation, and we can only take their word that a database never existed or was destroyed, and never breached.

More details: "The newest version of Dolphin HD for Android 7.0 relays browsing information to a Webzine-specific URL. This information was never stored on our servers, and no browsing information has been captured about our users.

For some background, with Dolphin HD for Android 7.0, we rolled out a handful of updates to our Webzine feature. One of these is a "Toggle Webzine" button to view your current webpage as a Webzine. We currently have around 300 Webzines, and it was necessary for the client to check the current user URL against a database housing these 300 Webzine columns, which is what has caused this concern. None of the URLs have ever been stored by Dolphin, but were being used to cross-index if a Webzine for the current site exists. If it does, the current site is immediately converted to Webzine format; if not, it remains the standard mobile site. Again, none of this process is stored on the backend of our servers.

Note that this functionality has been completely removed for the time being.

We'll have a blog post up soon that will explain more."

Update #2: The Dolphin team posted a response on their blog, which tries to explain what they were trying to do (i.e. match every location you visit against a whitelist of about 300 webzines - an amateur solution from a programmer's point of view). They said the feature is turned off, and they'll be working on a toggle in the future. However, I don't see an update in the Market, so it looks like they just turned it off on the server, which means all Dolphin HD clients are still sending urls around. Sending every url you visit, including https, GET params, and path is really not the right solution to a problem of checking against a small whitelist. I hope a much less privacy-invading solution is put in place soon.

Update #3: The Dolphin team apparently thinks they fixed this issue in 7.0.1 on October 24th. I beg to differ - I was testing using 7.0.1 all along and just re-verified it again.

Update #4: An updated version of Dolphin HD (7.0.2) fixes the issue.

  1. Dolphin's servers collect information on websites visited by anyone using the Dolphin HD browser (tested on latest v7.0), including your searches and query parameters.
  2. These requests are sent over in plain-text, which exposes these urls to clients on the same network. While this is not a huge problem with http urls, as those are already sent out in plain-text, it does include https urls, which would otherwise be concealed by SSL (see this for more info on how SSL encrypts server and path information).
  3. It's worth noting that Dolphin Browser has Chinese roots (just how deep they are is unclear, but the url mgeek.mobi which was used to communicate with us when Dolphin was launched is registered in China), though both dolphin-browser.com and mywebzines.com are now hosted on Amazon AWS in the U.S. on the same IP range. I have nothing against China or the company itself, but do we really have to have our private information broadcast to a foreign company (unless you're from China, of course - then you'll feel right at home)?

Dolphin Mini doesn't seem to be affected, based on my analysis.

Technical Details

Let's take a look:

1. I request http://www.reddit.com/r/android. Dolphin sends a request to http://en.mywebzines.com/v3/columns?u=http%3A%2F%2Fwww.reddit.com%2Fr%2Fandroid&t=1319729827910. As you can see from the packet dump below, the request gets sent over HTTP unencrypted and pings Dolphin's servers with the url.

In a similar vein, my other requests were also ratted out.

2. One of the posts at https://www.androidpolice.com.

3. Gmail with https.

Temporary Workaround

If you are rooted, you can block en.mywebzines.com permanently on your device by adding the following entry into /etc/hosts:

127.0.0.1 en.mywebzines.com

To simplify this process, you can use Hosts Editor from the Android Market (tip: if you see # in front of any entry, that means it's commented out and will not work).

After this you may need to reboot to flush the DNS cache. You can test whether the fix worked or not by going to http://en.mywebzines.com in any browser and seeing if it loads an empty page with title Webzine (fix didn't work) or doesn't connect (fix worked).

Bad Dolphin, bad!

Thanks, Christopher for the original tip

Image credit