Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Android Privacy Software Your Rights Online

Dolphin, a 3rd Party Android Browser, Relayed URL Data 179

An anonymous reader sends this excerpt from "As it turns out, Dolphin HD, one of the top browsers the Android platform has to offer, sends pretty much every web page URL you visit, including those that start with https, to a remote server, which belongs to the company. In fact, the WebZines feature was introduced only recently back in June with version 6.0, so it's safe to say this tracking started around the same time.'" The Dolphin team quickly responded with a blog post saying they did not store any of the data, and no browsing information was captured about users. They also rolled out a new version of the browser, 7.0.2, which fixed the issue.
This discussion has been archived. No new comments can be posted.

Dolphin, a 3rd Party Android Browser, Relayed URL Data

Comments Filter:
  • Meaning... (Score:5, Insightful)

    by Pharmboy ( 216950 ) on Saturday October 29, 2011 @11:42AM (#37879210) Journal

    When they say "fix", does that mean it doesn't send the info, or their sending of info is harder to trace?

    • If this was an iPhone, the browser would only relay data if Apple approved it doing so!

      • by WrongSizeGlass ( 838941 ) on Saturday October 29, 2011 @11:53AM (#37879302)
        Dolphin is available for iOS [] and offers the same WebZines "feature" ;-)
      • If this was an iPhone, the browser would only relay data if Apple approved it doing so!

        Difficult to say. If any old application tries to send data to servers, Apple would find out. However, it is a browser, so it will be sending data to servers all the time. That's its business, so it would be hard to find.

    • by Anonymous Coward

      Now it stores the browsing data. Thanks for pointing that out.

      - Dolphin Team.

    • by Anonymous Coward

      Oopsie! Just like the Google Maps cars that "accidentally" sniffed and recorded packets as they drove around, did Dolphin "accidentally" set up this server to handle millions of requests per hour, the database (+ storage, backups and network capacity), write the code, etc. ?

      Just goes to show -- if you aren't paying for something you use, then you're not the customer -- YOU ARE THE PRODUCT BEING SOLD.

      • Google was using Kismet. As soon as you start Kismet it starts sniffing and recording packets to a file without any intervention.

        While they should've been more careful, comparing the two is dishonest.

    • Their app for iOS (Dolphin HD []) got updated today with the following changelog "some bug fixing.", that is not transparency.

      Regardless of the whole webzine thing, I'm concerned this developer was sending URL date of any site visited (banking, corporate, email etc ) in plain text to a server in China. There is a lot of data mining that can be done with URL data, specially older websites that stuff private date into URL.
      • by MagicM ( 85041 )

        That must be an iPad-only version or something. Their other app for iOS (Dolphin Browser []) has not been updated since September.

        They describe the webzine feature as something like the Reader functionality that was added in iOS 5:

        Webzine. Fast loading, without ads; Webzine simplifies the way you read your favorite news, blogs and websites.
        Effortless Browsing. Dolphin Webzine displays web articles in an elegant format without distractions. Scroll through thumbnail images to open one of 120+ channel subscriptions and = tap on any thumbnail image open to the article. From Elle to Wired, Webzine brings the elegance back to reading on the web.

        • Webzine. Fast loading, without ads;

          Sure, who needs ads when you can sell people's browsing history to recoup the lack of revenue?

      • The problem is, some badly coded websites will send session id's and/or even usernames/passwods in the URL (GET). Someone in china might have gotten your login information if you used a badly coded website.

    • When they say "fix", does that mean it doesn't send the info, or their sending of info is harder to trace?

      It means that "they didn't inhale"

    • by marqs ( 774373 )
      I think the answer is in the reply
      "The Dolphin team quickly responded with a blog post saying they did not store any of the data, and no browsing information was captured about users."
      Now they fixed it so that it logs data and capture user information.
  • by bobstreo ( 1320787 ) on Saturday October 29, 2011 @11:42AM (#37879216)

    All the information according to articles was sent in plain text to the servers.

    • by impaledsunset ( 1337701 ) on Saturday October 29, 2011 @11:55AM (#37879318)

      is bad?

      How is that? Chrome already sends any URLs visited and anything you typed in the address bar to Google. The former is done to make a lookup in the database of malicious URLs (where other browsers such as Iceweasel store the database locally), the latter is done for the uses of Google Suggest.

      • It's a matter of being up-front about the fact that it's being done, and what is being done with the information.
        • by SharkLaser ( 2495316 ) on Saturday October 29, 2011 @12:29PM (#37879618) Journal
          But Google IS NOT upfront about that, and it doesn't even ask if they are allowed to do so. It's enabled by default and without telling the user about it.
          • When I first started my Android phone, Google asked me pretty plainly if I wanted to send location data or usage data. When I said no, it didn't send the data.

            Not sure what's hard about that. At least Google gave the option to disable it, unlike Apple.

            • by Pieroxy ( 222434 )

              I don't think what we're talking about in here is being counted as being "location data or usage data". So without further information I will assume your browser sends every letter you type in the address bar or search bar to Google and every URL you visit too.

      • What was funny about all this was all the commentators on ArsTechnica that said they were going to leave Dolphin for Opera (?!)

        Anyone want to elaborate on how much access Opera Mobile/Mini has to the content you surf on through their servers?

        • Opera Mini grants them complete access, as by design, it routes all traffic through their system so they can compress it and send it to you. Opera Mobile is more like Opera Desktop where it gives you the option to turn that function on, Opera Turbo I believe its called. Though I do not know whether they collect your browsing habits by default.

          I use all three, desktop, mobile for when I am on wifi and dont care how much data is used, and Mini for when I am using my mobile data plan.

        • I'm not sure about Mobile, but for Mini, *all* content is transmitted through their proxies, which work as an optimizing service.

    • 90%+ of your browsing information is sent in plain text (i.e. HTTP) to some server on the Internet anyway.

      Are the intermediate routers between your ISP and their servers more sinister than any random router on the net?

  • by Anonymous Coward on Saturday October 29, 2011 @11:51AM (#37879290)

    ...over at []

    That was their good deed for the week. Now for the bad deed of the week, they refuse to remove an ARP poisoning app so people can kill individual users on public wifi networks: []

    Probably worthy of it's own /. article.

    • That ARP poisoning app is awesome. I use it at work when someone clearly not in the store is using our WiFi.

      Also to prank co-workers. That's fun too.

      It's more about who uses it than the app. Maybe because throwing rocks can hurt people, we should ban rocks altogether, right?

    • Now for the bad deed of the week, they refuse to remove an ARP poisoning app so people can kill individual users on public wifi networks

      I'm confused... who is the 'they' that are refusing to remove an APR poisoning app? Google?

      Google pulled it from market, so it's only available here

      So, not Google... XDA-Dev? I don't see they they would.

      The author? Hmmm...

      Google might want to fix whatever allows the ARP poisoning - if they haven't already - but beyond that..

  • I'm normally not an OSS zealot but news like this always get me thinking. This wouldn't be possible with an OS browser.

    • Not possible?

      These guys beg to differ: []

      Of course, it's much simpler to convince the users that they *want* their data to be sent to the servers than to try to hide it.

      • by Hentes ( 2461350 )

        Wow, there are some elegant tricks on the page, although I'm an amateur, I don't know if a professional auditor would be able to catch those.

    • Just FYI, Dolphin (while not OSS itself) is a wrapper for Webkit...

      • by Hentes ( 2461350 )

        When you are looking for security holes you need access to every bit of the software.

      • by Ant P. ( 974313 )

        Not only that, these Maxthon clone makers couldn't be bothered to do a 10 second google to check whether their software's name was original.

  • I don't trust Apple, but I trust the "wild west" approach of Android even less.

    I want a totally open phone, but there's been too many cases of this activity. Yeah, I know it happens on iPhones as well, but it doesn't seem to happen as often, and Apple retaliates quickly.

    I'm sticking with the iPhone for now.

    • by Threni ( 635302 )

      Why? Can't you just use an OS browser instead?

      • Re: (Score:2, Insightful)

        Yeah and that other browser might turn out to be a scammer, spammer or fraud who took someone else's work and loaded it with spyware [] too. Who knew that when Android users said that Android is going to be the "Windows" of smartphones that's what they meant: shitty interfaces, spyware and crap software.

      • by Skynyrd ( 25155 )

        Why? Can't you just use an OS browser instead?

        I have apps that aren't browsers on my smartphone.

        This isn't a browser specific problem.

    • by mmcuh ( 1088773 )
      You don't want data about your activities being sent to a server somewhere, so you use iPhone?
      • by jo_ham ( 604554 )

        I assume you're referring to the "locationgate" issue, where no data was actually sent from the phone to Apple.

        I admit it's an odd position to take, given that the EULA for the iPhone does mention the possibility of Apple collecting data, although so far no one has been able to verify that they actually are doing so.

  • "Fixes" the issue? (Score:4, Insightful)

    by Elyjah ( 108222 ) on Saturday October 29, 2011 @12:01PM (#37879358)

    "They also rolled out a new version of the browser, 7.0.2, which fixed the issue."

    The word "fix" makes it sound like it was an unintentional error. The problem wasn't that the browser "accidentally" sent the data. The problem was that the company thought this would be okay in the first place. The real "fix" needed is ridding the company of the people who thought this was a good idea.

    • by Raenex ( 947668 ) on Saturday October 29, 2011 @12:09PM (#37879440)

      The real fix is uninstalling this app because they abused your trust.

      • There's one problem with that, which is Dolphin is the best browser on the mobile platform by a long shot.

        Sure I could uninstall it, but on the flip side they probably are realising now that people are watching and may think twice about doing it in a future. Plus this is a small data breach to pay for a free browser that is fully functional and doesn't somehow cripple JS or screw with the rendering of pages to try and make the experience "faster".

        I put that in quote because my experience is that Dolphin see

        • by symbolic ( 11752 )

          which is Dolphin is the best browser on the mobile platform

          Used to be. Firefox now has an (alpha) implementation of noscript, so I'm there. I use it on a tablet, so others mileage may vary.

          • Yep and it's WAAAAAAAAAAY too slow on my phone. Orders of magnitude slower opening the browser and loading pages than anything else I've tried so far, except for a really early version of the Google browser under Eclair.

        • Have you tried Opera Mobile?
          • Yes I actually switched to Dolphin from Opera. The earlier version of Opera didn't even work on Slashdot. The later versions still seemed to have horrendous problems with JavaScript especially pages that detect a click on a point of a picture. Haven't tried it in the last couple of months though.

    • by JarekC ( 544383 )
      If you read TFA, you would notice that they said they had "decided to to temporarily disable this feature". They are not claiming it was a bug. In fact they provided quite a reasonable explanation what the feature did and why it needed to check urls against the server-side database.
      • Except the server-side database was limited to about 300 URLs for which the WebZine feature was available, so why upload all your URLs instead of just downloading theirs?
  • by Majik Sheff ( 930627 ) on Saturday October 29, 2011 @12:03PM (#37879386) Journal

    I don't care how fixed they say it is. They broke my trust, this app will never see my (or my friends') phones again.

    • I don't care how fixed they say it is. They broke my trust, this app will never see my (or my friends') phones again.

      What browser do you plan to go to now? Dolphin "worked" pretty well for me, but ... obviously ...

    • Okay, post the home addresses of the clowns responsible and I'll send a couple of da boys over there to learn 'em a lesson or two.

      Seriously, I'd like to see things like this made illegal so that consumers would have some recourse to make things right.
  • I am always shocked at the number of android users (possible apple too - I don't know) that just install apps without any worry about what the apps actually do. I have seen simple battery monitor apps that want internet access and access to your contacts. Come on people, pay attention !
  • Shocking! (Score:5, Funny)

    by TheRaven64 ( 641858 ) on Saturday October 29, 2011 @12:05PM (#37879396) Journal
    Android users signed up to be spied on by Google, not some random third party!
  • So that was just a BUG. Right?

  • by Anonymous Coward

    This might be a good case study for open vs curated app store models. Dolphin browser is also available on Apple's App Store - wonder if it sent iOS users' data too.

  • Or, in other words, why should I trust you?

  • by rsilvergun ( 571051 ) on Saturday October 29, 2011 @12:25PM (#37879592)
    about tracking. Seriously. You're tracked EVERYWHERE you go. You know all those free email accounts? How about Facebook? Your Newegg account? Yep. All Tracked. Moreover, are people so easily manipulated to their detriment that a little web tracking matters. I guess there's the big scary gov't. But seriously. If a modern gov't is tracking you it's more for the hell of it then any real need to use it to oppress. A modern military does all that by itself. I'm ten times more worried about the Unions disintegrating then I am over some twit advertiser knowing what I googled last week.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      So because others walk all over yourself you should let anyone walk all over yourself every day. What kind of stupid justification is that ?

    • else do you think they've gotten the Unions to disintigrate?

      The general disparity of knowledge is part of the greater disparity between individuals and various corporate entities, including the government.  If Amazon wants to track me, well, I say I should get to track Amazon more, too.  Lots of data, publicly available to everyone *they* track.
  • Sure, they accidentally wrote software so that it sent that data, or they were sending it and incurring the traffic to their server for no reason at all.

    No, if they're telling the truth that no data was logged, then the only mistake on their part is they fucked up their data collection on the server.

  • This is part of the reason I don't trust close-source applications that require Internet access. At least with open source I can take a look at the code and see, "hey — this program is running a key logger!" I can then modify the code and permissions and run the application without the offending network activity.

    (I actually did that with one program, found on no less. It was written with a key logger that uses a closed-source library called FlurryAgent.)

  • "they did not store any of the data, and no browsing information was captured about users."
    So basically they just wasted their own and their users bandwidth for no reason, sure then sent themselves the data but then it was instantly destroyed.

  • by Anonymous Coward

    Oops, they should have used Google before taking that name , doh!


  • by koan ( 80826 )

    "Oh no they noticed our marketing/money making scheme....quick release patch"

  • The mini version uses 1/100 of space, doesn't have any bloated and dumb features, like this ezine piece of crap, and as older dolphin versions is just the default browser +tabs +easier history clean.

    • by doti ( 966971 )


      I started with HD, then switched to mini (fortunately) just before the webzine crap.

  • I think some people have made a bigger deal out of this than need be, because they're implying some kind of malicious intent when there is likely none.

    Yes it's a big deal, particularly if a website is passing sensitive information in say an HTTPS GET request, and you're looking at that site on like public wifi or a school network or something where it's easy to snoop on others' traffic. But the intention was to check if their Webzine feature would work with the site (which is an interesting feature, just n

  • so how do you implement a proxied browser that DOESN'T send the URL back to the proxy servers?
    Opera Mini is one such browser and is excellent, particularly for smart and dumb phones, providing for a big increase in speed. It works well for Android and WM devices. I'm quite sure that it sends every URL back to Opera's browsers for rendering.

    I thought Dolphin did the same, at least in part, that it uses server acceleration, no?

"How many teamsters does it take to screw in a light bulb?" "FIFTEEN!! YOU GOT A PROBLEM WITH THAT?"