Dolphin, a 3rd Party Android Browser, Relayed URL Data
An anonymous reader sends this excerpt from AndroidPolice.com:
"As it turns out, Dolphin HD, one of the top browsers the Android platform has to offer, sends pretty much every web page URL you visit, including those that start with https, to a remote server en.mywebzines.com, which belongs to the company. In fact, the WebZines feature was introduced only recently back in June with version 6.0, so it's safe to say this tracking started around the same time."
The Dolphin team quickly responded with a blog post saying they did not store any of the data, and no browsing information was captured about users. They also rolled out a new version of the browser, 7.0.2, which fixed the issue.
Meaning... (Score:5, Insightful)
When they say "fix", does that mean it doesn't send the info, or their sending of info is harder to trace?
One more proof walled garden is better (Score:2)
If this was an iPhone, the browser would only relay data if Apple approved it doing so!
Re:One more proof walled garden is better (Score:5, Informative)
Re: (Score:3, Insightful)
Are you seriously suggesting that Slashdot has a pro-Apple, anti-Android bias? Do we visit the same Slashdot?
To ignore the malware problem on Android is to deny a genuine negative aspect of the platform that needs to be talked about, regardless of how you feel about Apple products.
Re: (Score:2)
Are you seriously suggesting that Slashdot has a pro-Apple, anti-Android bias? Do we visit the same Slashdot?
Are you seriously suggesting that Slashdot doesn't have a pro-Apple bias? Do we visit the same Slashdot?
You're right that Slashdot isn't anti-Android though.
Re: (Score:3)
Except the iPad bypass bug is a minor issue. I tried it on my iPad 2. Yes, the bug does allow someone to bypass the login screen without the password, but the interloper can't run any applications. All he can do is browse to see which apps are installed on the device and change the volume - touching an icon to run an application has no effect.
Furthermore, if you password protect your iPad with a normal password, rather than use the short four digit password mechanism, this exploit doesn't appear to work
Re: (Score:2)
If he's putting corporate email on an iPad, then he shouldn't be using the four digit password mechanism - it's a bad feature and should be removed in my view. If he used a real password, this exploit doesn't work. Furthermore, this only worked because he left his email open. Close the email before locking the device, no access.
Notice how the Apple haters are often ACs - and often feel the need to swear at people using Apple products. It's just a company. If you don't like their products just don't buy
Re: (Score:2)
If he's putting corporate email on an iPad, then he shouldn't be using the four digit password mechanism - it's a bad feature and should be removed in my view. If he used a real password, this exploit doesn't work. Furthermore, this only worked because he left his email open. Close the email before locking the device, no access.
Classic Apple apologist argument.
"Apple iWhatevs is a consumer device, therefore you can't expect industrial strength security, although it's not a toy and can be used for serious commercial purposes, and in any case it's the user's fault for doing something that the iSuck lets him do."
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If this was an iPhone, the browser would only relay data if Apple approved it doing so!
Difficult to say. If any old application tries to send data to servers, Apple would find out. However, it is a browser, so it will be sending data to servers all the time. That's its business, so it would be hard to find.
Re: (Score:1)
Now it stores the browsing data. Thanks for pointing that out.
- Dolphin Team.
Re: (Score:1)
Oopsie! Just like the Google Maps cars that "accidentally" sniffed and recorded packets as they drove around, did Dolphin "accidentally" set up this server to handle millions of requests per hour, the database (+ storage, backups and network capacity), write the code, etc. ?
Just goes to show -- if you aren't paying for something you use, then you're not the customer -- YOU ARE THE PRODUCT BEING SOLD.
Re: (Score:2)
Google was using Kismet. As soon as you start Kismet it starts sniffing and recording packets to a file without any intervention.
While they should've been more careful, comparing the two is dishonest.
Re: (Score:2)
Yes, clearly having government workers should make them infallible! /s
Re: (Score:2)
I'm not saying what Google did was OK - I'm saying that privacy violating inaction is better than direct action towards it.
I'm also saying that capturing data that was already being sent to the public street unencrypted is less bad than actively sending that data through the 'net unencrypted without the users' knowledge.
BTW you people should really figure out a way to get paid since you're defending google all time...
Unlike you, who hide behind being an Anonymous Coward so that others can't spot who you defend?
I admit I'm biased for Google. What can I say? They make (or fund the development of) stuff I l
Re: (Score:1)
I can see why you posted AC. No facts!
I wouldn't want to stand behind that post either!
Re: (Score:2)
It is, and has been for a long time. Just move on. In fact, not even sure why I came back recently. Very few people here are actually interested in real facts, too many of them are slanted towards RMS crazy land. *pssst, I hate cell phones, they are used to track you and will remotely spy on everyone. Oh, can I borrow yours to make a call?*
Changelog : "Some Bug Fixing" (Score:2)
Regardless of the whole webzine thing, I'm concerned this developer was sending URL data of any site visited (banking, corporate, email, etc.) in plain text to a server in China. There is a lot of data mining that can be done with URL data, especially older websites that stuff private data into the URL.
Re: (Score:3)
That must be an iPad-only version or something. Their other app for iOS (Dolphin Browser [apple.com]) has not been updated since September.
They describe the webzine feature as something like the Reader functionality that was added in iOS 5:
Webzine. Fast loading, without ads; Webzine simplifies the way you read your favorite news, blogs and websites.
Effortless Browsing. Dolphin Webzine displays web articles in an elegant format without distractions. Scroll through thumbnail images to open one of 120+ channel subscriptions and tap on any thumbnail image to open the article. From Elle to Wired, Webzine brings the elegance back to reading on the web.
Re: (Score:2)
Webzine. Fast loading, without ads;
Sure, who needs ads when you can sell people's browsing history to recoup the lack of revenue?
Re: (Score:2)
The problem is, some badly coded websites will send session IDs and/or even usernames/passwords in the URL (GET). Someone in China might have gotten your login information if you used a badly coded website.
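An added illustration, not part of any comment in this thread, of the point raised here and in the "Changelog" comment above: full URLs can carry credentials, so a client that must report a page to a remote service should reduce the URL first. The parameter list, the function names and the policy (origin only for https, since an on-path observer would otherwise see only the hostname) are assumptions made for this sketch, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed, non-exhaustive list of parameter names that tend to carry secrets.
SENSITIVE_PARAMS = {
    "sessionid", "sid", "phpsessid", "jsessionid", "token", "access_token",
    "auth", "password", "passwd", "pwd", "user", "username", "apikey",
}


def find_url_secrets(url):
    """Return (location, name) pairs for parts of the URL that look secret."""
    parts = urlsplit(url)
    findings = []
    if parts.username or parts.password:
        findings.append(("userinfo", "credentials"))
    # Path parameters such as /login;jsessionid=... (URL-rewritten sessions).
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name = param.split("=", 1)[0].lower()
            if name in SENSITIVE_PARAMS:
                findings.append(("path", name))
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("query", name))
    return findings


def minimize_for_reporting(url):
    """Reduce a URL to the least a remote service needs to see."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port else host
    origin = f"{parts.scheme}://{netloc}"
    if parts.scheme == "https":
        # Policy assumed here: never reveal more than TLS itself would leak.
        return origin
    # Plain http: drop userinfo, query, fragment and ;path parameters.
    path = "/".join(seg.split(";")[0] for seg in parts.path.split("/"))
    return origin + path


# Constructed sample URLs (example hosts and values, not taken from the article).
SAMPLES = [
    "https://bank.example/account/view?sessionid=abc123&page=2",
    "http://alice:s3cret@forum.example:8080/login;jsessionid=9F3A/index"
    "?user=alice&pwd=hunter2#top",
    "http://news.example/story/42",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(minimize_for_reporting(sample), find_url_secrets(sample))
```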
Re: (Score:2)
When they say "fix", does that mean it doesn't send the info, or their sending of info is harder to trace?
It means that "they didn't inhale"
Re: (Score:1)
"The Dolphin team quickly responded with a blog post saying they did not store any of the data, and no browsing information was captured about users."
Now they fixed it so that it logs data and captures user information.
Didn't store But (Score:3)
All the information according to articles was sent in plain text to the servers.
When Google does it, it's OK, when Dolphin does it (Score:5, Insightful)
is bad?
How is that? Chrome already sends any URLs visited and anything you typed in the address bar to Google. The former is done to make a lookup in the database of malicious URLs (where other browsers such as Iceweasel store the database locally), the latter is done for the uses of Google Suggest.
Re: (Score:3)
Re:When Google does it, it's OK, when Dolphin does (Score:5, Insightful)
Re: (Score:3)
When I first started my Android phone, Google asked me pretty plainly if I wanted to send location data or usage data. When I said no, it didn't send the data.
Not sure what's hard about that. At least Google gave the option to disable it, unlike Apple.
Re: (Score:2)
I don't think what we're talking about in here is being counted as being "location data or usage data". So without further information I will assume your browser sends every letter you type in the address bar or search bar to Google and every URL you visit too.
Re: (Score:1)
Re: (Score:2)
So to you, claiming out loud a "suspicious" activity of an app when most apps in that category do the same, without actually trying to get any sort of information as to why it is done is an acceptable "journalism behavior"?
I see what you're doing on slashdot, but I'm wondering more and more what I'm doing here.
When Opera does it, it's OK, when Dolphin does it (Score:2)
What was funny about all this was all the commentators on ArsTechnica that said they were going to leave Dolphin for Opera (?!)
Anyone want to elaborate on how much access Opera Mobile/Mini has to the content you surf on through their servers?
Re: (Score:2)
Opera Mini grants them complete access, as by design, it routes all traffic through their system so they can compress it and send it to you. Opera Mobile is more like Opera Desktop where it gives you the option to turn that function on, Opera Turbo I believe it's called. Though I do not know whether they collect your browsing habits by default.
I use all three, desktop, mobile for when I am on wifi and don't care how much data is used, and Mini for when I am using my mobile data plan.
Re: (Score:2)
I'm not sure about Mobile, but for Mini, *all* content is transmitted through their proxies, which work as an optimizing service.
Re: (Score:2)
Re: (Score:2)
With Google, the assumption that they gather data from all apps and services that are labelled "Google Anything" is pretty much the default, to be honest.
Re: (Score:2)
90%+ of your browsing information is sent in plain text (i.e. HTTP) to some server on the Internet anyway.
Are the intermediate routers between your ISP and their servers more sinister than any random router on the net?
Been reading about this for a few days now (Score:5, Interesting)
...over at xda-developers.com.
http://forum.xda-developers.com/showthread.php?t=1319529 [xda-developers.com]
That was their good deed for the week. Now for the bad deed of the week, they refuse to remove an ARP poisoning app so people can kill individual users on public wifi networks: http://forum.xda-developers.com/showthread.php?t=1282900 [xda-developers.com]
Probably worthy of its own /. article.
Re: (Score:2)
That ARP poisoning app is awesome. I use it at work when someone clearly not in the store is using our WiFi.
Also to prank co-workers. That's fun too.
It's more about who uses it than the app. Maybe because throwing rocks can hurt people, we should ban rocks altogether, right?
Re: (Score:2)
I'm confused... who is the 'they' that are refusing to remove an ARP poisoning app? Google?
So, not Google... XDA-Dev? I don't see why they would.
The author? Hmmm...
Google might want to fix whatever allows the ARP poisoning - if they haven't already - but beyond that..
Open source (Score:1)
I'm normally not an OSS zealot but news like this always gets me thinking. This wouldn't be possible with an OS browser.
Re: (Score:2)
Not possible?
These guys beg to differ: http://underhanded.xcott.com/ [xcott.com]
Of course, it's much simpler to convince the users that they *want* their data to be sent to the servers than to try to hide it.
Re: (Score:2)
Wow, there are some elegant tricks on the page, although I'm an amateur, I don't know if a professional auditor would be able to catch those.
Re: (Score:2)
Just FYI, Dolphin (while not OSS itself) is a wrapper for Webkit...
Re: (Score:2)
When you are looking for security holes you need access to every bit of the software.
Re: (Score:2)
Not only that, these Maxthon clone makers couldn't be bothered to do a 10 second google to check whether their software's name was original.
Until there's a firewall... (Score:1, Flamebait)
I don't trust Apple, but I trust the "wild west" approach of Android even less.
I want a totally open phone, but there's been too many cases of this activity. Yeah, I know it happens on iPhones as well, but it doesn't seem to happen as often, and Apple retaliates quickly.
I'm sticking with the iPhone for now.
Re: (Score:1)
Why? Can't you just use an OS browser instead?
Re: (Score:2, Insightful)
Yeah and that other browser might turn out to be a scammer, spammer or fraud who took someone else's work and loaded it with spyware [reddit.com] too. Who knew that when Android users said that Android is going to be the "Windows" of smartphones that's what they meant: shitty interfaces, spyware and crap software.
Re: (Score:2)
Why? Can't you just use an OS browser instead?
I have apps that aren't browsers on my smartphone.
This isn't a browser specific problem.
Re: (Score:2)
Re: (Score:2)
I assume you're referring to the "locationgate" issue, where no data was actually sent from the phone to Apple.
I admit it's an odd position to take, given that the EULA for the iPhone does mention the possibility of Apple collecting data, although so far no one has been able to verify that they actually are doing so.
Re: (Score:2)
iTunes can send crash reports [arstechnica.com] to Apple and app developers (it's opt-in.) Since those crash reports collect data on the phone that might be what they refer to.
"Fixes" the issue? (Score:4, Insightful)
"They also rolled out a new version of the browser, 7.0.2, which fixed the issue."
The word "fix" makes it sound like it was an unintentional error. The problem wasn't that the browser "accidentally" sent the data. The problem was that the company thought this would be okay in the first place. The real "fix" needed is ridding the company of the people who thought this was a good idea.
Re:"Fixes" the issue? (Score:5, Insightful)
The real fix is uninstalling this app because they abused your trust.
Re: (Score:2)
There's one problem with that, which is Dolphin is the best browser on the mobile platform by a long shot.
Sure I could uninstall it, but on the flip side they probably are realising now that people are watching and may think twice about doing it in the future. Plus this is a small data breach to pay for a free browser that is fully functional and doesn't somehow cripple JS or screw with the rendering of pages to try and make the experience "faster".
I put that in quote because my experience is that Dolphin see
Re: (Score:2)
which is Dolphin is the best browser on the mobile platform
Used to be. Firefox now has an (alpha) implementation of noscript, so I'm there. I use it on a tablet, so others' mileage may vary.
Re: (Score:2)
Yep and it's WAAAAAAAAAAY too slow on my phone. Orders of magnitude slower opening the browser and loading pages than anything else I've tried so far, except for a really early version of the Google browser under Eclair.
Opera Mobile? (Score:2)
Re: (Score:2)
Yes I actually switched to Dolphin from Opera. The earlier version of Opera didn't even work on Slashdot. The later versions still seemed to have horrendous problems with JavaScript especially pages that detect a click on a point of a picture. Haven't tried it in the last couple of months though.
Re: (Score:1)
Re: (Score:2)
Uninstalled. (Score:3)
I don't care how fixed they say it is. They broke my trust, this app will never see my (or my friends') phones again.
Re: (Score:2)
I don't care how fixed they say it is. They broke my trust, this app will never see my (or my friends') phones again.
What browser do you plan to go to now? Dolphin "worked" pretty well for me, but ... obviously ...
Re: (Score:2)
I'm now using opera. I think I like it better anyway.
Re: (Score:2)
people don't pay attention to privacy (Score:1)
Re:people don't pay attention to privacy (Score:4, Insightful)
It's a browser, so it's kinda hard to doubt it needs Internet access. How exactly are users supposed to know?
Shocking! (Score:5, Funny)
Fixed? Issue? (Score:1)
So that was just a BUG. Right?
Re: (Score:3)
Certainly. You should have never noticed that it happens. But it was fixed.
Case Study (Score:1)
This might be a good case study for open vs curated app store models. Dolphin browser is also available on Apple's App Store - wonder if it sent iOS users' data too.
Re: (Score:2)
Re: (Score:2)
Citation? Or is this FUD?
Fool me once... (Score:2)
Or, in other words, why should I trust you?
I'm starting to wonder why people care (Score:5, Interesting)
Re: (Score:2, Insightful)
So because others walk all over yourself you should let anyone walk all over yourself every day. What kind of stupid justification is that ?
Re: (Score:2)
The general disparity of knowledge is part of the greater disparity between individuals and various corporate entities, including the government. If Amazon wants to track me, well, I say I should get to track Amazon more, too. Lots of data, publicly available to everyone *they* track.
I'm not a pushover (Score:2)
You missed my point :( (Score:2)
Only one thing could be a mistake... (Score:1)
Sure, they accidentally wrote software so that it sent that data, or they were sending it and incurring the traffic to their server for no reason at all.
No, if they're telling the truth that no data was logged, then the only mistake on their part is they fucked up their data collection on the server.
Can't trust closed source apps (Score:1)
This is part of the reason I don't trust closed-source applications that require Internet access. At least with open source I can take a look at the code and see, "hey — this program is running a key logger!" I can then modify the code and permissions and run the application without the offending network activity.
(I actually did that with one program, found on code.google.com no less. It was written with a key logger that uses a closed-source library called FlurryAgent.)
Wasting bandwidth for no reason? (Score:2)
"they did not store any of the data, and no browsing information was captured about users."
So basically they just wasted their own and their users' bandwidth for no reason, sure they sent themselves the data but then it was instantly destroyed.
Like KDE's Dolphin filebrowser? (Score:1)
Oops, they should have used Google before taking that name, doh!
see http://dolphin.kde.org/
Re: (Score:2)
Or Dolphin [dolphin-emulator.com], the GameCube / Wii Emulator
LOL (Score:1)
"Oh no they noticed our marketing/money making scheme....quick release patch"
use dolphin mini (Score:2)
The mini version uses 1/100 of space, doesn't have any bloated and dumb features, like this ezine piece of crap, and as older dolphin versions is just the default browser +tabs +easier history clean.
Re: (Score:2)
Amen.
I started with HD, then switched to mini (fortunately) just before the webzine crap.
Shit happens (Score:2)
I think some people have made a bigger deal out of this than need be, because they're implying some kind of malicious intent when there is likely none.
Yes it's a big deal, particularly if a website is passing sensitive information in say an HTTPS GET request, and you're looking at that site on like public wifi or a school network or something where it's easy to snoop on others' traffic. But the intention was to check if their Webzine feature would work with the site (which is an interesting feature, just n
Opera Mini, proxied browsers... (Score:2)
so how do you implement a proxied browser that DOESN'T send the URL back to the proxy servers?
Opera Mini is one such browser and is excellent, particularly for smart and dumb phones, providing for a big increase in speed. It works well for Android and WM devices. I'm quite sure that it sends every URL back to Opera's browsers for rendering.
I thought Dolphin did the same, at least in part, that it uses server acceleration, no?
Re: (Score:2)
Can you elaborate on this?
Re: (Score:1)
http://www.scribd.com/doc/47498765/Google-Safe-Browsing-v2-API-implementation-notes#outer_page_6 [scribd.com]
Web browser sends first 32 bits of sha256 hash of URL to Google to check against database. Then if it matches (response from Google) it sends the whole sha256 hash.
It's easy for Google to get the real URL from the sha256 hash of it, they have a pretty big database of URLs ;-)
Re: (Score:3)
If true, that's an odd way of doing it. Most other browsers maintain an offline database of 'unsafe' URLs, regularly updated, and only send the URL to a 3rd-party service for checking if it matches the database (in order to 'double check' that it's still considered unsafe, in case of any changes or updates since the last download).
Re: (Score:2)
Re: (Score:3)
If you're doing HTTPS, the wireless carrier only knows the hostname, not the whole URL. Unless you're going through one of their proxies, of course.
Re: (Score:2)
Even if you're going through one of their proxies, they would need to have their own CA and you'd need to have their certificate in your browser for them to be able to do that (without the https warning).
Re: (Score:2)
Since they control software installs on your phone when you first get it, they can in fact stick their cert in your browser by default. I would think. Not sure how this would work across updates or if you used a non-default browser on a smartphone, of course.
Re: (Score:2)
Again, it's the latest version of the Android app [esecurityplanet.com] that does this.
Re: (Score:2)
The Apple store didn't approve the Android version of Dolphin. And only the latest Android version has this problem.
I'm sorry... I know it must hurt when your FUD is exposed as such,