Slashdot Mirror
Dolphin, a 3rd Party Android Browser, Relayed URL Data
An anonymous reader sends this excerpt from AndroidPolice.com:
"As it turns out, Dolphin HD, one of the top browsers the Android platform has to offer, sends pretty much every web page URL you visit, including those that start with https, to a remote server en.mywebzines.com, which belongs to the company. In fact, the WebZines feature was introduced only recently back in June with version 6.0, so it's safe to say this tracking started around the same time.'"
The Dolphin team quickly responded with a blog post saying they did not store any of the data, and no browsing information was captured about users. They also rolled out a new version of the browser, 7.0.2, which fixed the issue.
When they say "fix", does that mean it doesn't send the info, or their sending of info is harder to trace?
Tequila: It's not just for breakfast anymore!
All the information according to articles was sent in plain text to the servers.
If this was an iPhone, the browser would only relay data if Apple approved it doing so!
...over at xda-developers.com.
http://forum.xda-developers.com/showthread.php?t=1319529
That was their good deed for the week. Now for the bad deed of the week, they refuse to remove an ARP poisoning app so people can kill individual users on public wifi networks: http://forum.xda-developers.com/showthread.php?t=1282900
Probably worthy of it's own /. article.
Chrome does the same aka "Google Safe Browsing" - sends link to every web page you visit to google so you can feel "safe"
is bad?
How is that? Chrome already sends any URLs visited and anything you typed in the address bar to Google. The former is done to make a lookup in the database of malicious URLs (where other browsers such as Iceweasel store the database locally), the latter is done for the uses of Google Suggest.
I'm normally not an OSS zealot but news like this always get me thinking. This wouldn't be possible with an OS browser.
It's a matter of being up-front about the fact that it's being done, and what is being done with the information.
I don't trust Apple, but I trust the "wild west" approach of Android even less.
I want a totally open phone, but there's been too many cases of this activity. Yeah, I know it happens on iPhones as well, but it doesn't seem to happen as often, and Apple retaliates quickly.
I'm sticking with the iPhone for now.
If anyone would just read the terms bs when they install the browser they state that they send information back to their servers. This is why I uninstalled the app and I don't need another damn app tracking me.
"They also rolled out a new version of the browser, 7.0.2, which fixed the issue."
The word "fix" makes it sound like it was an unintentional error. The problem wasn't that the browser "accidentally" sent the data. The problem was that the company thought this would be okay in the first place. The real "fix" needed is ridding the company of the people who thought this was a good idea.
I don't care how fixed they say it is. They broke my trust, this app will never see my (or my friends') phones again.
Women are like electronics: you don't know how damaged they are until you try to turn them on.
Not by the CEO or any other person who might be held accountable if what they wrote turns out to be f*** lies.
I am always shocked at the number of android users (possible apple too - I don't know) that just install apps without any worry about what the apps actually do. I have seen simple battery monitor apps that want internet access and access to your contacts. Come on people, pay attention !
Android users signed up to be spied on by Google, not some random third party!
I am TheRaven on Soylent News
So that was just a BUG. Right?
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Was this app approved by the Android app store?
rooooar
This might be a good case study for open vs curated app store models. Dolphin browser is also available on Apple's App Store - wonder if it sent iOS users' data too.
What was funny about all this was all the commentators on ArsTechnica that said they were going to leave Dolphin for Opera (?!)
Anyone want to elaborate on how much access Opera Mobile/Mini has to the content you surf on through their servers?
Or, in other words, why should I trust you?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Opera Mini grants them complete access, as by design, it routes all traffic through their system so they can compress it and send it to you. Opera Mobile is more like Opera Desktop where it gives you the option to turn that function on, Opera Turbo I believe its called. Though I do not know whether they collect your browsing habits by default.
I use all three, desktop, mobile for when I am on wifi and dont care how much data is used, and Mini for when I am using my mobile data plan.
about tracking. Seriously. You're tracked EVERYWHERE you go. You know all those free email accounts? How about Facebook? Your Newegg account? Amazon.com? Yep. All Tracked. Moreover, are people so easily manipulated to their detriment that a little web tracking matters. I guess there's the big scary gov't. But seriously. If a modern gov't is tracking you it's more for the hell of it then any real need to use it to oppress. A modern military does all that by itself. I'm ten times more worried about the Unions disintegrating then I am over some twit advertiser knowing what I googled last week.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Sure, they accidentally wrote software so that it sent that data, or they were sending it and incurring the traffic to their server for no reason at all.
No, if they're telling the truth that no data was logged, then the only mistake on their part is they fucked up their data collection on the server.
But Google IS NOT upfront about that, and it doesn't even ask if they are allowed to do so. It's enabled by default and without telling the user about it.
Their app for iOS (Dolphin HD) got updated today with the following changelog "some bug fixing.", that is not transparency.
Regardless of the whole webzine thing, I'm concerned this developer was sending URL date of any site visited (banking, corporate, email etc ) in plain text to a server in China. There is a lot of data mining that can be done with URL data, specially older websites that stuff private date into URL.
This is part of the reason I don't trust close-source applications that require Internet access. At least with open source I can take a look at the code and see, "hey — this program is running a key logger!" I can then modify the code and permissions and run the application without the offending network activity.
(I actually did that with one program, found on code.google.com no less. It was written with a key logger that uses a closed-source library called FlurryAgent.)
Opera Mini is problematic because it has no normal HTML parser. All pages are prerendered in the Cloud, even https.
The other Opera variants have it as an opt-in feature, and private addresses (e.g 192.168.0.0/16) and https are always exempt.
Vested interest in Dolphin, eh?
I'm not sure about Mobile, but for Mini, *all* content is transmitted through their proxies, which work as an optimizing service.
Dilbert RSS feed
Their toolbar sends the URL, and search query for that Google scraping they did. It's slightly (only slightly) better because you have to check the button saying it can send anonymous statistical data back to them to improve their products. However it's search data and search data is not anonymous, and as it turned out it was sending the whole Google search data and result back to them.
Also slightly better in that it was encrypted, but that was more so that Microsoft wouldn't get caught.
"they did not store any of the data, and no browsing information was captured about users."
So basically they just wasted their own and their users bandwidth for no reason, sure then sent themselves the data but then it was instantly destroyed.
Troll is not a replacement for I disagree.
Oops, they should have used Google before taking that name , doh!
see http://dolphin.kde.org/
"Oh no they noticed our marketing/money making scheme....quick release patch"
"If any question why we died, Tell them because our fathers lied."
Yes, you can use custom blocking HOSTS files on ANDROID OS, & it'd work to stop this happening odds are!
It is simple to upload a custom one to blockout this en.mywebzines.com site (127.0.0.1, or 0.0.0.0 (better, smaller, faster one) preceeding the entry to block en.mywebzines.com):
E.G.->
0.0.0.0 en.mywebzines.com
Once you edit that into your custom HOSTS file, just upload it to ANDROID via this easy method:
---
1.) Get ahold of the "Android Debugging Bridge" (ADB) & install it
2.) Mount your system mountpoint as READ + WRITE (as powerful of priveleges as you need is this)
3.) Using the PULL command, copy the file over from your PC (or even on your ANDROID if its there already) using PULL & overwrite the etc. folder's copy of HOSTS
---
* DONE! Yes, it's THAT simple... &, it works, or should, vs. this happening for those concerned about it!
APK
P.S.=> Very easily taken care of, with a little effort by the user himself... & there you are!
... apk
When I first started my Android phone, Google asked me pretty plainly if I wanted to send location data or usage data. When I said no, it didn't send the data.
Not sure what's hard about that. At least Google gave the option to disable it, unlike Apple.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
the data was sent to a server with hidden whois
i wouldn't trust them as far as i could throw them
they know they are up to no good, why else would a legitimate company use a shady hidden whois service and chinese DNS servers ?
perhaps so when shit hits the fan, they can drop it all and walk away ?
Clearly, you have some kind of vested interest in this app, but I'm not convinced that being concerned over private information getting sent to a foreign country for unknown purposes is "xenophobic scaremongering."
This is not yellow journalism. It is a legitimate security concern, and calling people "vigilantes" for pointing it out is absurd.
In Opera Mobile, it is optional - if you don't want to use Turbo (their feature which optimizes websites to reduce the amount of data transfered) you don't have to. Personally, if I were on a phone service where I was charged by the MB or had a bandwidth cap, I'd use it. On an unlimited plan or via wi-fi, I wouldn't.
Sorry but your cheap excuse has being problem wrong many times before.
So to you, claiming out loud a "suspicious" activity of an app when most apps in that category do the same, without actually trying to get any sort of information as to why it is done is an acceptable "journalism behavior"?
I see what you're doing on slashdot, but I'm wondering more and more what I'm doing here.
Write boring code, not shiny code!
I don't think what we're talking about in here is being counted as being "location data or usage data". So without further information I will assume your browser sends every letter you type in the address bar or search bar to Google and every URL you visit too.
Write boring code, not shiny code!
The mini version uses 1/100 of space, doesn't have any bloated and dumb features, like this ezine piece of crap, and as older dolphin versions is just the default browser +tabs +easier history clean.
http://www.google.com/chrome#eula
Chrome asks you before you can even download it, and it's OPT-IN, meaning it's disbled by default. Who mods this shit insightful? Stop giving the MS shill accounts karma to burn
You're a shill. Go away.
There's a lot of choice when it comes to Android browsers. I've switched to something else... since they are either incompetent or full of shit.
re-read my comment. There's lots better battles to be fighting. My point is tracking of this sort is largely harmless. Hell, for many people it's beneficial, since target advertising means they become aware of goods and services they otherwise missed.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
the people in power don't even have to bother tracking you. There are much better strategies for keeping everyone down. They're not monitoring you because they have to, they're just doing it for kicks. Seriously.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I think some people have made a bigger deal out of this than need be, because they're implying some kind of malicious intent when there is likely none.
Yes it's a big deal, particularly if a website is passing sensitive information in say an HTTPS GET request, and you're looking at that site on like public wifi or a school network or something where it's easy to snoop on others' traffic. But the intention was to check if their Webzine feature would work with the site (which is an interesting feature, just not one I really use), not harvest your web browsing history. It just wasn't thought through at all. In fact, I would go as far as say that whoever implemented the feature is a bonehead, because the security implications are obvious. They're going to have to take their knocks on this one.
That being said, I love their browser, and one blunder isn't enough to make me throw it to the curb. I don't trust my private data over an insecure network connection to begin with, so this was less of an issue for me (assuming their own servers weren't breached, allowing someone to snoop). I use OpenVPN when I want to do something "important." If I were to want to browse openly though, I'd either clear the cookies first, or I'd just use a separate browser (Opera is usually my alternate) where I'm not logged into anything. That'd be fine for just Googling or Wikipedia searches.
Anyway, they aren't the first company to make a big mistake. They won't be the last.
so how do you implement a proxied browser that DOESN'T send the URL back to the proxy servers?
Opera Mini is one such browser and is excellent, particularly for smart and dumb phones, providing for a big increase in speed. It works well for Android and WM devices. I'm quite sure that it sends every URL back to Opera's browsers for rendering.
I thought Dolphin did the same, at least in part, that it uses server acceleration, no?
The ability to control the distribution of location and usage data on both a device and application level has been available for quite some time on iOS. You are also asked whether you want to allow or deny access when an app first tries to make use of such services.
May I suggest you get an iPhone. Then your attempts to smear Apple won't be quite so ill informed, though it won't make your posts any more relevant.
Maybe it's a case of "welp, if I'm going to get tracked anyway, might as well use a good browser"?
Have you tried Opera Mobile?
w00t
From http://www.google.com/intl/en_us/privacy/browsing.html
"As a Chrome user with Safe Browsing enabled, your browser will contact Google’s servers periodically to download the most recent list of known phishing and malware sites. Google does not collect any account information or other personally identifying information as part of this contact, but it does receive standard log information, including an IP address and one or more cookies. Each site you visit will be checked against these locally maintained lists. If there is a match against one of these lists, your browser will send Google a hashed, partial copy of the site’s URL so that we can send more information to your browser. Google cannot determine the real URL from this information."
Without further information I'll assume you're a pedophile terrorist drug dealer.
Reading TFA: "Webzine simply performs an ancillary check if we can view current webpage in Webzine format."
But if they didn't store data themselves, maybe a third party did store it? :)
Then, let this company prove beyond a reasonable doubt they did no wrong, blatantly undermining confidences of their customers, in a US Court of Law. This app seems to have usurped every right to privacy Americans suppose they have, unambiguously, secretly.
Look @ http://www.dolphin-browser.com/privacy-in-dolphin-browser
There is no privacy policy for Dolphin Browser. They only disclose a couple of things concerning Google Analytics and some data collected from the phone. At the bottom, they say that the public version of a privacy policy will be released soon.