Hot on the heels of the previous privacy/security advisory about A.I.type Keyboard sending your keystrokes to the cloud in plain-text, some of our commenters pointed out another, much more popular app that does something similarly privacy-invading.
Description
As it turns out, Dolphin HD, one of the top browsers the Android platform has to offer, sends pretty much every web page url you visit, including those that start with https, to a remote server, en.mywebzines.com, which belongs to the company. The WebZines feature was introduced only recently, in June with version 6.0, so it's safe to say this tracking started around the same time.
I've fired up a packet sniffer and indeed found every url I visited, including AndroidPolice.com, Gmail on https, reddit, etc. instantly sent to en.mywebzines.com, in plain-text at that. Now, the latter is not as important, as your http requests can already be sniffed by anyone on the local network, but the fact that every single url is reported to Dolphin's headquarters is more than disturbing.
Note: To be clear, the data reported includes only urls and not contents of web pages themselves.
I wasn't able to find a privacy policy that covers this aspect of Dolphin (i.e. the app itself), and frankly I don't think an official document that confirms these intentions exists. Did they really think somebody wouldn't notice?
Implications
More details: "The newest version of Dolphin HD for Android 7.0 relays browsing information to a Webzine-specific URL. This information was never stored on our servers, and no browsing information has been captured about our users.
For some background, with Dolphin HD for Android 7.0, we rolled out a handful of updates to our Webzine feature. One of these is a "Toggle Webzine" button to view your current webpage as a Webzine. We currently have around 300 Webzines, and it was necessary for the client to check the current user URL against a database housing these 300 Webzine columns, which is what has caused this concern. None of the URLs have ever been stored by Dolphin, but were being used to cross-index if a Webzine for the current site exists. If it does, the current site is immediately converted to Webzine format; if not, it remains the standard mobile site. Again, none of this process is stored on the backend of our servers.
Note that this functionality has been completely removed for the time being.
We'll have a blog post up soon that will explain more."
Update #2: The Dolphin team posted a response on their blog, which tries to explain what they were trying to do (i.e. match every location you visit against a whitelist of about 300 webzines - an amateur solution from a programmer's point of view). They said the feature is turned off, and they'll be working on a toggle in the future. However, I don't see an update in the Market, so it looks like they just turned it off on the server, which means all Dolphin HD clients are still sending urls around. Sending every url you visit, including https, GET params, and path is really not the right solution to a problem of checking against a small whitelist. I hope a much less privacy-invading solution is put in place soon.
Update #3: The Dolphin team apparently thinks they fixed this issue in 7.0.1 on October 24th. I beg to differ - I was testing using 7.0.1 all along and just re-verified it again.
Update #4: An updated version of Dolphin HD (7.0.2) fixes the issue.
- Dolphin's servers collect information on websites visited by anyone using the Dolphin HD browser (tested on latest v7.0), including your searches and query parameters.
- These requests are sent in plain-text, which exposes these urls to clients on the same network. While this is not a huge problem with http urls, as those are already sent out in plain-text, it does include https urls, which would otherwise be concealed by SSL (see this for more info on how SSL encrypts server and path information).
- It's worth noting that Dolphin Browser has Chinese roots (just how deep they are is unclear, but the url mgeek.mobi which was used to communicate with us when Dolphin was launched is registered in China), though both dolphin-browser.com and mywebzines.com are now hosted on Amazon AWS in the U.S. on the same IP range. I have nothing against China or the company itself, but do we really have to have our private information broadcast to a foreign company (unless you're from China, of course - then you'll feel right at home)?
Dolphin Mini doesn't seem to be affected, based on my analysis.
Technical Details
Let's take a look:
1. I request http://www.reddit.com/r/android. Dolphin sends a request to http://en.mywebzines.com/v3/columns?u=http%3A%2F%2Fwww.reddit.com%2Fr%2Fandroid&t=1319729827910. As you can see from the packet dump below, the request gets sent over HTTP unencrypted and pings Dolphin's servers with the url.
In a similar vein, my other requests were also ratted out.
2. One of the posts at http://www.androidpolice.com.
3. Gmail with https.
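To see exactly what the Webzine check exposes, here is an added Python example (not code from the article or from Dolphin) that parses request lines in the ngrep-style format shown on this page, where "!!" stands for a line break, pulls the visited URL out of the u parameter and notes which parts of an https URL are revealed in the clear; the sample captures are constructed.

```python
"""Flag outbound HTTP requests that report a browsed URL in a query parameter.

Added example, not code from the original article. Request lines follow the
ngrep-style capture in the post ("!!" marks CRLF). SAMPLE_CAPTURE is
constructed for illustration, modelled on the requests the article describes.
"""
from urllib.parse import parse_qs, urlsplit

# Host that received the visited URL, per the article, and the parameter used.
TRACKING_HOSTS = {"en.mywebzines.com"}
URL_PARAM = "u"

# Constructed sample captures: two Webzine look-ups and one ordinary page fetch.
SAMPLE_CAPTURE = [
    "GET /v3/columns?u=http%3A%2F%2Fwww.reddit.com%2Fr%2Fandroid&t=1319729827910 HTTP/1.1!!"
    "Host: en.mywebzines.com!!Connection: Keep-Alive!!!!",
    "GET /v3/columns?u=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fshva%3D1%23inbox&t=1319729830000 HTTP/1.1!!"
    "Host: en.mywebzines.com!!Connection: Keep-Alive!!!!",
    "GET /r/android HTTP/1.1!!Host: www.reddit.com!!Connection: Keep-Alive!!!!",
]


def parse_request(raw):
    """Split one captured request into (method, target, headers dict)."""
    lines = [line for line in raw.split("!!") if line]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def leaked_url(raw):
    """Return the decoded visited URL if this request reports one, else None."""
    _method, target, headers = parse_request(raw)
    if headers.get("host", "").lower() not in TRACKING_HOSTS:
        return None
    # parse_qs percent-decodes the value, giving back the original URL.
    values = parse_qs(urlsplit(target).query).get(URL_PARAM)
    return values[0] if values else None


def classify(url):
    """Describe which parts of the URL a plaintext report reveals."""
    parts = urlsplit(url)
    exposed = ["host"]
    if parts.path and parts.path != "/":
        exposed.append("path")
    if parts.query:
        exposed.append("query")
    if parts.fragment:
        # A fragment is never sent to the visited site at all, so reporting it
        # reveals more than even that site's server sees.
        exposed.append("fragment")
    # For https, path and query are normally hidden by SSL; reporting them over
    # plain HTTP undoes that, which is the article's main concern.
    return {"scheme": parts.scheme,
            "ssl_bypassed": parts.scheme == "https",
            "exposed": exposed}


def scan(captures):
    """Return [(decoded_url, classification)] for every reporting request."""
    findings = []
    for raw in captures:
        url = leaked_url(raw)
        if url:
            findings.append((url, classify(url)))
    return findings
```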
Temporary Workaround
If you are rooted, you can block en.mywebzines.com permanently on your device by adding the following entry into /etc/hosts:
127.0.0.1 en.mywebzines.com
To simplify this process, you can use Hosts Editor from the Android Market (tip: if you see # in front of any entry, that means it's commented out and will not work).
After this you may need to reboot to flush the DNS cache. You can test whether the fix worked or not by going to http://en.mywebzines.com in any browser and seeing if it loads an empty page with title Webzine (fix didn't work) or doesn't connect (fix worked).
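To confirm that a hosts entry is actually active rather than commented out, here is an added Python example (not from the article or the Hosts Editor app): it parses a hosts file the way the resolver does, ignoring anything after #, and reports whether a name is blocked; HOSTS_TEXT is a constructed sample standing in for /etc/hosts.

```python
"""Check whether a hosts file actually blocks a name.

Added example, not from the original article. It mirrors the post's tip that
an entry preceded by '#' is commented out and does nothing. HOSTS_TEXT is a
constructed sample; on a rooted device you would read /etc/hosts instead.
"""
import ipaddress

HOSTS_TEXT = """\
127.0.0.1 localhost
# 127.0.0.1 en.mywebzines.com      <- commented out, has no effect
127.0.0.1   ads.example.invalid  tracker.example.invalid  # inline comment
::1 localhost
"""


def parse_hosts(text):
    """Return {hostname: [addresses]} for the active entries in a hosts file."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop whole-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # first field is not an address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def blocks(text, hostname):
    """True only when every active entry for hostname points at loopback."""
    addrs = parse_hosts(text).get(hostname.lower(), [])
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)


def explain(text, hostname):
    """Verdict for hostname, with a hint when it exists only as a comment."""
    if blocks(text, hostname):
        return "blocked"
    commented = any(hostname in line and line.lstrip().startswith("#")
                    for line in text.splitlines())
    return "commented out" if commented else "not present"
```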
Bad Dolphin, bad!
Thanks, Christopher for the original tip
105 Comments
If AndroidPolice wasn't there, most people who don't have technical knowledge wouldn't know about these risks/consequences. Thank you so much for this update. Though it's a hackneyed statement, I am going to say it loud: "YOU GUYS ROCK".
Cheers.
I just installed the app the other day. It lagged everything, including viewing my pictures in my gallery. So there must be more to this app.
I don't see how this is a problem; it just sends what websites you're going to. How is that a privacy concern? It doesn't send any personal info, not like anyone can steal personal info.
Fun fact: this is the image I was originally considering for this article. http://3.bp.blogspot.com/_StX-X72vqGM/SmlmZAwDiYI/AAAAAAAAAU4/mNCtlnFAwzY/s400/unicorn+dolphin.bmp
You should have picked that image, hahahaha!
I gotta say, articles like this are why you guys are my preferred site for Android news now. Nice find.
Thank you for the heads up. This sux as I am using Dolphin because I cannot get the stock browser to load Adobe Flash after it stopped working. Dolphin works fine. Running CM7.1, N1.
download the Adobe flash app
Doesn't work 10.1 and up to 11
Or try any of the many other alternative browsers out there...Miren, Opera, Firefox, etc...
Artem,
Any input on the way Dolphin backs up your data using the Dolphin "Data Backup" option? I don't know if it's common practice or not, but all your cookies, usernames, and passwords are stored in an unencrypted .db file easily accessible from your sdcard (and can be viewed in root explorer). If someone were to get a few mins with your device (or malware targeting this file were installed), they could pull all your info within 30 secs. Try it.
Yeah, looking into that next, thanks.
TOMMMMMM, can you point out which file it's stored in? I quickly scanned my sd card and didn't see this file. What's the exact location or at least file name?
Sorry I didn't get back to you sooner Artem, I was doing homework...
It's in sdcard/TunnyBrowser/backup/databases/webview.db
Of course you must make a backup first for it to appear.
I don't have that backup directory under TunnyBrowser.
Edit: I was able to produce the file after selecting Settings, Backup, Backup to SD, but that's to be expected, as that's what you're asking it to do. The word "backup" should have clued you in.
@Artem,
You have to make a backup first in the Dolphin HD settings for it to create the directory.
Well, what do you expect? You're telling it to make a backup, and it's doing what you told it to do. This is not a vulnerability.
So to block this I download the app, put that in it and then have it checked, right?
You don't need to have it checked - that checkbox is just for mass editing. Just make sure the entry is there and there's no # in front of it. See the end of the post for more detailed instructions.
Easier workaround: uninstall dolphin
Which I'm doing now
Same here. Prefer the stock browser over Dolphin. I'm running the ICS port, and find it highly functional. There are a few bugs, but it isn't as buggy as I thought. I hope to roll with these betas until the official release.
This is old news and the single reason I didn't use Dolphin or Opera "enhanced" browsing...
Read the EULA and privacy statements when you install software ppl!
sheesh!
I'm not even a Dolphin user and I understood that it was basically like the new "Kindle Fire" browser. It's all a system where the local "browser" just sends the link to their servers, their big powerful servers do the rendering and then they send the page back.
Little or no local processing.
It's not, though. Dolphin doesn't do that.
Yeah, Dolphin doesn't do any kind of cloud processing, so a user wouldn't expect every url to be sent to a server that seems to deal with webzines, which is Dolphin's way of presenting RSS inside the browser.
Anyone know if dolphin browser mini does this too? Maybe it's time to switch to firefox. At least until ics
Dolphin Mini is not affected - just confirmed that.
I use Dolphin Mini and it has the database security issue as well.
This is crazy. All these privacy problems better be fixed soon. I wonder if apps on the iphone have the same problems. Companies better start watching what they are doing. Consumers have a lot of protection like sites like these.
http://www.huffingtonpost.com/2011/10/27/iphone-4-accelerometer-spy_n_1035193.html?ref=tw
Thanks for that. I just installed Dolphin HD today and when I was just looking for tips on it I made a side track here. HOO boy! I think your thread even posted as I was browsing this forum.
Does this mean that my lil 'ol Aria is sending every website I visit to the makers of the browser? Since I use browser bookmarks for so much, they know where I bank? Pay any bill? My e-mail providers? Comparison shop?
This is very disturbing to me.
BTW, I posted a link to this thread at Android Central.
Can you please verify if this also applies to Dolphin Mini and does it attach the info to your user ID? Thanks.
Confirmed Dolphin Mini is not affected.
On the info for Dolphin Mini in Market, it states that all bookmarks and browser URL history is copied.
No, it doesn't say that. The only thing it can sync is bookmarks, and those need additional setup and approval from you.
I am not positive but it appears that Dolphin is the native browser on the Asus Transformer tablet. I'll be interested to see if this occurs there.
Dolphin is NOT the default browser on a transformer.
I think opera mobile is the superior browser on Android at this time. It is near desktop capable. Once we get ChromeDroid that will likely change.
I suggest everyone give it a try.
Dolphin mini, or any other proxy browser does not cut it for me. I have no desire to send my bank login or browsing history to anyone.
Good to know, dolphin browser performs awesome though. Not going to change it for just this. But still, good to know about, thanks.
Nice find thanks. What's a better web browser to use then?
Stock browser...Opera...Firefox...Miren...
Or, my personal favorite, http://tinyurl.com/3cocbej
;P
Where does MoboTap Inc. provide information on how usage of their app will be collected? I am thinking of starting a petition to get things rolling. A petition may not do a lot but, it will let MoboTap Inc. know that we are against such practices.
Update: The petition is online. After a long time debating and hearing input from people I know IRL, I have decided to put it online. There may be people opposed to such a petition but, I personally do not like their information collection practices.
http://www.change.org/petitions/mobotap-inc-revise-the-privacy-policy-for-dolphin-browser-hd
No need for a petition - they've already issued a preliminary statement (see update in the article), and will be posting an update on their blog tomorrow morning.
I propose that a petition to Mobotap (the makers of Dolphin Browser HD) is necessary to force them to post a clear privacy policy for the information practices of the browser products, is indeed necessary. The privacy policy on the Dolphin/Mobotap webpage clearly states that it applies only to information collected on those webpages, so it is not the privacy policy for the browsers themselves.
The 'About' link in the browser does not directly offer a privacy policy link; the Support page does mention Privacy, which links to the same policy on the Mobotap webpage (which does not apply to the browser itself).
And, the email which I just sent to privacypolicy@MoboTap.com bounced, with an error from Hotmail (where, apparently, mobotap.com is mailhosted) saying that the mailbox is unavailable...
I am open to advice/opinions concerning the petition. Sorry if I sound like a nag...
as someone obviously not as technical as most of the writers/users on this site, can anyone confirm is Opera Browser does the same thing?
What browser am i gonna use now??? OMG! this is horrible!!
As nice as Dolphin is, good thing I still only just use Honeycomb stock browser.
Wow. Am uninstalling! Thanks so much for shining a light on these unacceptable practices!
Not seeing why this is a big deal, possible access to the passwords etc yes, reporting general web URL's so what? its not sending your password and everything right? I've used dolphin browser from day 1 on my OG Droid till now with no issues or complaints and will continue to do so.
DAMN! When Android Police talks, people listen! Thank you for bringing these issues front and center and forcing companies like HTC and Dolphin Browser to fix discrepancies in their products. And thank you for maintaining the journalistic integrity and professionalism to have a voice needed to be heard so loudly and taken seriously. I use the HTC Thunderbolt and used Dolphin HD, so these issues directly apply to me.
'And thank you for maintaining the journalistic integrity and professionalism'
Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha. You missed sensationalism and melodrama.
This whole thing makes me laugh. If any of you complaining on here cared about privacy, you wouldn't be using Android. Google is the biggest data miner of the lot. But still, stay in your dream world lol.
Thalamus' statement is spot on!
Is there packet sniffer I could install on Android and sniff any app on my phone? Would love to do some testing myself, got loads of app and would be nice to see what they send
Wireshark (just called Shark in the Market).
I encourage everyone who downloaded this app from the Android Market to change or leave a review with this info in it. Maybe that flood of 1-stars would get Dolphin's attention.
We've already gotten their attention - see the update in the post. They'll be posting a message on their blog in the morning.
They've already begun their 5 star faux-review damage control. Since the issue began, lengthy 5 star reviews have been replaced with 1 and 2 word 5 star reviews with extremely generic names. Pretty obvious they're padding their current rating. Makes the issue an even bigger slap in the face.
Heh. I noticed that too.
It's a shame that this reared its ugly head, but I am glad that Android Police watches this stuff. I really like Dolphin HD Browser and I use it on my B&N Nook Color, but I will switch to stock until this is resolved.
Excellent...I fixed it by following the instructions...a couple of flops but finally it is working.
Surely Dolphin knows... Won't they find a way out?
Does this flaw also apply to Dolphin for Pad? Can't see any mention of the webzine "feature" there.
Lucky for me... I uninstalled when the new version requested some additional (and new) permissions, including start service when phone starts up (or sth like that).
Sad to see Dolphin's turned to the dark side (?!) coz I really liked using it.
Gave up on Dolphin HD a while ago, now using MIREN browser, faster and nicer.
This is funny. I tried this 127.0.0.1 en.mywebzines.com in etc/hosts and it works perfect on my HTC Desire S, but won't work on my SonyEricsson Xperia ARC. Can't figure out why.
Doesn't work on HTC Thunderbolt either - rooted - tried using Host Edit app... but it still lets me go to whatever sites I put in there with 127.0.0.1. I wonder if some phones just won't let you truly edit the hosts file?
Try restarting?
Another workaround if you have AdAway installed is open the app, press the menu button, select 'Your Lists', add en.mywebzines.com to your blacklist & reboot.
I note their statement didn't actually say they'd remove this behaviour from the app, nor did it address the lack of a privacy policy for this.
Though their blog post seems to suggest in future there will be a way to disable this feature:
http://blog.dolphin-browser.com/2011/10/27/webzine-does-not-store-user-data/
That would be great, as it's not a feature I use -- and to send every URL to a server, just to check whether it matches against a mere 300 WebZine-enabled sites, is pretty stupid.
I wrote a comment on that blog mentioning that even if they do not actively store URLs sent to en.mywebzines.com, the data is likely still held in their web server log files for a long time. Hopefully they address that too.
Exactly - if they disable the end point, it doesn't prevent every Dolphin HD app out there from sending the urls like it's nobody's business.
I still love the Webzine feature in the Dolphin browser. I'm glad Dolphin is explaining the situation.
I would have preferred that AP obtained an explanation from Dolphin before setting the forest on fire. hehe
Thanks! the question is, which packet sniffer did you use and how can we set that up for our phones?
I'd love to track incoming and outgoing requests on my phone to see what apps are trying to do what.
See above - I've answered it (Shark).
"None of the URLs have ever been stored by Dolphin, but were being used to cross-index if a Webzine for the current site exists."
In order to develop their webzine wishlist they would have to store a record of known visited urls. Now, I don't know whether or not they stored personal info along with the urls but they did this without disclosure, anyway. There are altogether too many perps out there to trust anyone who even looks like they're invading our privacy.
This P. O.'d me so much I've uninstalled it and reviewed their app on the Android Market with one star and a link to this thread. I'll follow along patiently and wait to see if they actually correct their mistake before I take any further action.
I had an update for Dolphin HD this morning. Looking at Dolphin's Blog, it looks like this update removed the URL sending that was mentioned in this article. I look forward to update to see if my assessment is correct. I will have to pay closer attention to future Dolphin HD updates.
I like the browser too much to quit it just yet, but I will definitely be more cautious with it.
I don't see any updates here: https://market.android.com/details?id=mobi.mgeek.TunnyBrowser or in my My Apps on the phone. As far as I can tell, there was no client update.
Incorrect, as of v7.0.1 (buildid 105):
T 10.23.1.220:39660 -> 50.17.123.77:80 [AP] GET /v3/columns?u=http%3A%2F%2Fwww.androidpolice.com%2F2011%2F10%2F27%2Fprivacy-advisory-dolphin-hd-sends-url-of-every-page-you-visit-to-a-remote-server-in-plain-text%2F&t=1319821734304 HTTP/1.1!!Authorization: 36449c34526e97af184d2576965dd5d9!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!
Uninstalled...don't need them to look at my porn surfing habits...even if they update and remove this, it's a day late and a dollar short.
Well done. Thank you for posting about this security issue. That's why Android Police is my hero!
Thank you! Another block for my hosts file.
Damn, sometimes URLs carry lots of info.
What's a webzine anyway? I never asked to use it.
It's a glorified RSS reader - changes the UI of the page to something they think is prettier or better, which it arguably isn't (I never ended up using it). IMO, totally useless feature.
Wow. Thanks, Android Police. Major kudos for catching and pursuing this.
If there are only about 300 sites it checks against then why not just locally store those urls? Seems a lot easier, and less processor/network/server intensive.
Actually it wants to check whether the site supports the integrated Webzine. It is not a whitelist but a service for users.
Best solution for this issue: update to the latest 7.0.1 on the Android Market, which disabled the webzine discover feature.
No, it doesn't. All of my tests were done just yesterday with 7.0.1.
The update to v7.0.1 removes the C2DM background process for those who don't use Dolphin's bookmark sync service, but it still sends your URLs to en.mywebzines.com, even though Dolphin said on their blog that it doesn't do that anymore.
More here:
http://androidunderground.blogspot.com/2011/10/dolphin-browser-washed-looks-clean.html
http://forum.xda-developers.com/showpost.php?p=18846320&postcount=114
According to the small print Dolphin is a mammal, but it smells fishy anyway.
You're correct, verified it as well. The tests in this article were done on 7.0.1. I even remember getting the update and thinking maybe they've addressed it, but nope.
The good news is that the new update fixes the problem. No more URL snooping in version 7.0.2.
First, thank you Dolphin Police for making us aware of this issue!
Second, I thought it only fair to post the response I received from Dolphin in response to an email inquiring about this issue:
"Thank you so much for letting us know the issue.
Actually, we never store our users' information. With roughly 300 Webzines supported at the moment, it was necessary for our client to check the current user URL against a database housing these Webzine columns, which is what user Fnorder at XDA-Developers referred to. But none of these URLs have ever been stored by Dolphin, instead being used to cross-index if a Webzine for the current site exists. If it does, the current site is immediately converted to Webzine format; if not, it remains the standard mobile site.
Again, none of this process is stored on the backend of our servers and we are deeply sorry that this was not made clear to our users from the beginning.
Besides, we have already temporarily removed this functionality in the latest update Dolphin Browser HD v 7.0.1. Hope you will continue to support us."
This really isn't a BF'nD. I appreciate the investigation, but it's been blown way out of proportion.
This is inaccurate, all of my tests were done just yesterday with 7.0.1.
Hi Artem, Just thought i would mention that my reason for posting the response I got from Dolphin was for fairness, and to keep the conversation productive.
I appreciate your response to this! Please continue to stay on top of this issue, it is important to many of us!
This is so idiotic. At the very least they should hash the URL before they send it over. Geez.
Even though I don't use Dolphin, Opera works best and suits my needs the most, at no time did I ever think they would do anything malicious. I've seen numerous articles on other sites that accuse honest devs of something malicious, doing them great harm, and only afterwards when the dev contacts the site do they issue a response. A responsible writer with at least an ounce of integrity would at least attempt to contact a dev to get their response before going off half cocked. Still every page hit counts I suppose.
Dolphin got plenty of warnings, yet their software kept sending data out.
Why store the whitelist at a remote server anyway, therefore necessitating the sending of URLs over the net? Why not just retrieve the list to the device when the browser is started and do any webzine checking on the client side? Nothing in Dolphin's reasoning thus far indicates that the check cannot be done on the device.
Shame, that. It had a really good-looking text display and was a fast browser, but this webzine shit slows it down. Too bad there isn't an option so you can't switch it off totally.
Fnorder at
http://forum.xda-developers.com/showthread.php?s=80f0ee05358a85eea4bd70ecf43d9545&t=1319529&page=13
says the issue is fixed in version 7.0.2 (106). He's good, but didn't post test results from the new version. I want technical verification and I just don't know about all that packet sniffing and stuff: I just want to use my phone. That's why I come here. Artem, I like your results and your reasoning. Would you please run those tests again on v. 7.0.2? It would relieve me - and I'm sure a lot of people - to get verification that their snooping stopped.
Yeah, it's fixed in 7.0.2 - I verified it (the update is in the article).
For the Dolphin folks:
Since you only have 300 webzines, you can't have their URLs stored locally to check? Whoever taught you to program should be fired. You waste bandwidth, time, and privacy for a lousy check of a list of 300.
Here's a hint - I assume ANY information my system sends to elsewhere IS being stored & used. Why? Because once it leaves my system, I have no control. So, anything that sends information elsewhere, without upfront telling me, and giving me the option to say "NO" will be uninstalled and comments to not use that APP will be posted on appropriate forums.
Thanks for all your work. Having seen such diligence, I trust you guys. I reinstalled Dolphin and added comments to other forums where appropriate. You may have more followers than you know.
What the heck is a webzine anyway and why do Dolphin keep banging on about them? I just want to see the damn page.
Does anyone know if this problem applies to Dolphin on iOS?
Great job! Thank you