Dolphin, a 3rd Party Android Browser, Relayed URL Data
An anonymous reader sends this excerpt from AndroidPolice.com:
"As it turns out, Dolphin HD, one of the top browsers the Android platform has to offer, sends pretty much every web page URL you visit, including those that start with https, to a remote server en.mywebzines.com, which belongs to the company. In fact, the WebZines feature was introduced only recently back in June with version 6.0, so it's safe to say this tracking started around the same time."
The Dolphin team quickly responded with a blog post saying they did not store any of the data, and no browsing information was captured about users. They also rolled out a new version of the browser, 7.0.2, which fixed the issue.
When they say "fix", does that mean it doesn't send the info, or their sending of info is harder to trace?
Tequila: It's not just for breakfast anymore!
All the information according to articles was sent in plain text to the servers.
If this was an iPhone, the browser would only relay data if Apple approved it doing so!
...over at xda-developers.com.
http://forum.xda-developers.com/showthread.php?t=1319529
That was their good deed for the week. Now for the bad deed of the week, they refuse to remove an ARP poisoning app so people can kill individual users on public wifi networks: http://forum.xda-developers.com/showthread.php?t=1282900
Probably worthy of its own /. article.
is bad?
How is that? Chrome already sends any URLs visited and anything you typed in the address bar to Google. The former is done to make a lookup in the database of malicious URLs (where other browsers such as Iceweasel store the database locally), the latter is done for the uses of Google Suggest.
It's a matter of being up-front about the fact that it's being done, and what is being done with the information.
Can you elaborate on this?
"They also rolled out a new version of the browser, 7.0.2, which fixed the issue."
The word "fix" makes it sound like it was an unintentional error. The problem wasn't that the browser "accidentally" sent the data. The problem was that the company thought this would be okay in the first place. The real "fix" needed is ridding the company of the people who thought this was a good idea.
I don't care how fixed they say it is. They broke my trust, this app will never see my (or my friends') phones again.
Women are like electronics: you don't know how damaged they are until you try to turn them on.
I am always shocked at the number of Android users (possibly Apple too - I don't know) that just install apps without any worry about what the apps actually do. I have seen simple battery monitor apps that want internet access and access to your contacts. Come on people, pay attention!
Android users signed up to be spied on by Google, not some random third party!
I am TheRaven on Soylent News
If true, that's an odd way of doing it. Most other browsers maintain an offline database of 'unsafe' URLs, regularly updated, and only send the URL to a 3rd-party service for checking if it matches the database (in order to 'double check' that it's still considered unsafe, in case of any changes or updates since the last download).
Why? Can't you just use an OS browser instead?
You don't want data about your activities being sent to a server somewhere, so you use iPhone?
So that was just a BUG. Right?
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
This might be a good case study for open vs curated app store models. Dolphin browser is also available on Apple's App Store - wonder if it sent iOS users' data too.
What was funny about all this was all the commentators on ArsTechnica that said they were going to leave Dolphin for Opera (?!)
Anyone want to elaborate on how much access Opera Mobile/Mini has to the content you surf on through their servers?
http://www.scribd.com/doc/47498765/Google-Safe-Browsing-v2-API-implementation-notes#outer_page_6
Web browser sends first 32 bits of sha256 hash of URL to google to check against database. Then if it matches (response from google) it sends the whole sha256 hash.
It's easy for google to get the real url from sha256 hash of it, they have a pretty big database of urls ;-)
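A simplified model of the hash-prefix lookup discussed in the comment above and in the earlier comment about offline databases, added here as an illustration; it is not code from any browser or from the linked notes. The class and function names, the `.example` URLs and the in-memory "server" are constructed for the example, URL canonicalization is omitted, and in this model the client sends only the 4-byte prefix and compares the returned full hashes locally.

```python
import hashlib

PREFIX_LEN = 4  # 32 bits, the prefix size mentioned in the comment

def full_hash(url: str) -> bytes:
    # Simplified: a real client canonicalizes the URL and hashes
    # several host/path combinations, not just the raw string.
    return hashlib.sha256(url.encode("utf-8")).digest()

class ListServer:
    """Stand-in for the remote list service; records what it is sent."""
    def __init__(self, bad_urls):
        self.full_hashes = {full_hash(u) for u in bad_urls}
        self.seen = []  # every prefix a client has sent

    def prefixes(self):
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def get_full_hashes(self, prefix: bytes):
        self.seen.append(prefix)
        return {h for h in self.full_hashes if h[:PREFIX_LEN] == prefix}

class Client:
    """Browser side: keeps a downloaded prefix set, asks only on a hit."""
    def __init__(self, server):
        self.server = server
        self.local_prefixes = server.prefixes()  # periodic update

    def is_listed(self, url: str) -> bool:
        h = full_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return False  # no request is made for this URL
        return h in self.server.get_full_hashes(prefix)

def candidates(prefix: bytes, known_urls):
    """URLs from a corpus the server holds that share the prefix."""
    return [u for u in known_urls if full_hash(u)[:PREFIX_LEN] == prefix]

def demo():
    # Constructed sample data, not real indicators.
    private = "https://bank.example/account?id=42"
    bad = ["http://malware.example/dropper", "http://phish.example/login"]
    server = ListServer(bad)
    client = Client(server)
    verdicts = {u: client.is_listed(u) for u in (private, bad[1])}
    return verdicts, server.seen, candidates(server.seen[0], bad + [private])

if __name__ == "__main__":
    print(demo())
```

The private URL never reaches the server in any form; only the listed URL triggers a request, and the corpus lookup shows how a server that already knows a URL can map a received prefix back to it.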
Or, in other words, why should I trust you?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Opera Mini grants them complete access, as by design, it routes all traffic through their system so they can compress it and send it to you. Opera Mobile is more like Opera Desktop where it gives you the option to turn that function on, Opera Turbo I believe it's called. Though I do not know whether they collect your browsing habits by default.
I use all three, desktop, mobile for when I am on wifi and don't care how much data is used, and Mini for when I am using my mobile data plan.
Not possible?
These guys beg to differ: http://underhanded.xcott.com/
Of course, it's much simpler to convince the users that they *want* their data to be sent to the servers than to try to hide it.
about tracking. Seriously. You're tracked EVERYWHERE you go. You know all those free email accounts? How about Facebook? Your Newegg account? Amazon.com? Yep. All Tracked. Moreover, are people so easily manipulated to their detriment that a little web tracking matters. I guess there's the big scary gov't. But seriously. If a modern gov't is tracking you it's more for the hell of it than any real need to use it to oppress. A modern military does all that by itself. I'm ten times more worried about the Unions disintegrating than I am over some twit advertiser knowing what I googled last week.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Sure, they accidentally wrote software so that it sent that data, or they were sending it and incurring the traffic to their server for no reason at all.
No, if they're telling the truth that no data was logged, then the only mistake on their part is they fucked up their data collection on the server.
I'm pretty sure all the URLs we access from our phones & other mobile devices *that are using a wireless carrier* are being stored and analyzed for "marketing purposes" by the wireless carriers. Dolphin doing it is just another glommer sucking at the same teat.
But Google IS NOT upfront about that, and it doesn't even ask if they are allowed to do so. It's enabled by default and without telling the user about it.
Their app for iOS (Dolphin HD) got updated today with the following changelog "some bug fixing.", that is not transparency.
Regardless of the whole webzine thing, I'm concerned this developer was sending URL data of any site visited (banking, corporate, email etc.) in plain text to a server in China. There is a lot of data mining that can be done with URL data, especially older websites that stuff private data into URL.
This is part of the reason I don't trust closed-source applications that require Internet access. At least with open source I can take a look at the code and see, "hey — this program is running a key logger!" I can then modify the code and permissions and run the application without the offending network activity.
(I actually did that with one program, found on code.google.com no less. It was written with a key logger that uses a closed-source library called FlurryAgent.)
Yeah and that other browser might turn out to be a scammer, spammer or fraud who took someone else's work and loaded it with spyware too. Who knew that when Android users said that Android is going to be the "Windows" of smartphones that's what they meant: shitty interfaces, spyware and crap software.
If all else fails, immortality can always be assured by spectacular error.
Vested interest in Dolphin, eh?
I'm not sure about Mobile, but for Mini, *all* content is transmitted through their proxies, which work as an optimizing service.
If you're doing HTTPS, the wireless carrier only knows the hostname, not the whole URL. Unless you're going through one of their proxies, of course.
"they did not store any of the data, and no browsing information was captured about users."
So basically they just wasted their own and their users' bandwidth for no reason, sure they sent themselves the data but then it was instantly destroyed.
Troll is not a replacement for I disagree.
Well Google does it by default in Chrome and their toolbars, doesn't even ask for permission for it and sends every URL you visit and whatever you type into the url/search text box.
Oops, they should have used Google before taking that name, doh!
see http://dolphin.kde.org/
"Oh no they noticed our marketing/money making scheme....quick release patch"
"If any question why we died, Tell them because our fathers lied."
Why? Can't you just use an OS browser instead?
I have apps that aren't browsers on my smartphone.
This isn't a browser specific problem.
Again, it's the latest version of the Android app that does this.
When I first started my Android phone, Google asked me pretty plainly if I wanted to send location data or usage data. When I said no, it didn't send the data.
Not sure what's hard about that. At least Google gave the option to disable it, unlike Apple.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Clearly, you have some kind of vested interest in this app, but I'm not convinced that being concerned over private information getting sent to a foreign country for unknown purposes is "xenophobic scaremongering."
This is not yellow journalism. It is a legitimate security concern, and calling people "vigilantes" for pointing it out is absurd.
I assume you're referring to the "locationgate" issue, where no data was actually sent from the phone to Apple.
I admit it's an odd position to take, given that the EULA for the iPhone does mention the possibility of Apple collecting data, although so far no one has been able to verify that they actually are doing so.
In Opera Mobile, it is optional - if you don't want to use Turbo (their feature which optimizes websites to reduce the amount of data transferred) you don't have to. Personally, if I were on a phone service where I was charged by the MB or had a bandwidth cap, I'd use it. On an unlimited plan or via wi-fi, I wouldn't.
iTunes can send crash reports to Apple and app developers (it's opt-in.) Since those crash reports collect data on the phone that might be what they refer to.
If all else fails, immortality can always be assured by spectacular error.
Wow, there are some elegant tricks on the page, although I'm an amateur, I don't know if a professional auditor would be able to catch those.
So to you, claiming out loud a "suspicious" activity of an app when most apps in that category do the same, without actually trying to get any sort of information as to why it is done is an acceptable "journalism behavior"?
I see what you're doing on slashdot, but I'm wondering more and more what I'm doing here.
Write boring code, not shiny code!
I don't think what we're talking about in here is being counted as being "location data or usage data". So without further information I will assume your browser sends every letter you type in the address bar or search bar to Google and every URL you visit too.
Write boring code, not shiny code!
Even if you're going through one of their proxies, they would need to have their own CA and you'd need to have their certificate in your browser for them to be able to do that (without the https warning).
Write boring code, not shiny code!
Just FYI, Dolphin (while not OSS itself) is a wrapper for Webkit...
The mini version uses 1/100 of space, doesn't have any bloated and dumb features, like this ezine piece of crap, and as older dolphin versions is just the default browser +tabs +easier history clean.
The Apple store didn't approve the Android version of Dolphin. And only the latest Android version has this problem.
I'm sorry... I know it must hurt when your FUD is exposed as such,
At least some of them (by which I mean: my phone (Vodafone UK) does) will just proxy you and let you see the warning. What're you going to do?
I am trolling
There's a lot of choice when it comes to Android browsers. I've switched to something else... since they are either incompetent or full of shit.
When you are looking for security holes you need access to every bit of the software.
Not only that, these Maxthon clone makers couldn't be bothered to do a 10 second google to check whether their software's name was original.
Re-read my comment. There's lots better battles to be fighting. My point is tracking of this sort is largely harmless. Hell, for many people it's beneficial, since target advertising means they become aware of goods and services they otherwise missed.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
the people in power don't even have to bother tracking you. There are much better strategies for keeping everyone down. They're not monitoring you because they have to, they're just doing it for kicks. Seriously.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Yea, but, but, all it takes is one little opt-in and Google is being sent all your tracking information!!
But this is second to Amazon's scam. I put my credit card info in there just to see what they would do with it. Then I clicked the innocent-enough-looking "Buy now" button and they started charging my credit card! I am out real money because of them. This needs to be addressed ASAP folks! Boycott these scammer web sites.
I think some people have made a bigger deal out of this than need be, because they're implying some kind of malicious intent when there is likely none.
Yes it's a big deal, particularly if a website is passing sensitive information in say an HTTPS GET request, and you're looking at that site on like public wifi or a school network or something where it's easy to snoop on others' traffic. But the intention was to check if their Webzine feature would work with the site (which is an interesting feature, just not one I really use), not harvest your web browsing history. It just wasn't thought through at all. In fact, I would go as far as say that whoever implemented the feature is a bonehead, because the security implications are obvious. They're going to have to take their knocks on this one.
That being said, I love their browser, and one blunder isn't enough to make me throw it to the curb. I don't trust my private data over an insecure network connection to begin with, so this was less of an issue for me (assuming their own servers weren't breached, allowing someone to snoop). I use OpenVPN when I want to do something "important." If I were to want to browse openly though, I'd either clear the cookies first, or I'd just use a separate browser (Opera is usually my alternate) where I'm not logged into anything. That'd be fine for just Googling or Wikipedia searches.
Anyway, they aren't the first company to make a big mistake. They won't be the last.
So how do you implement a proxied browser that DOESN'T send the URL back to the proxy servers?
Opera Mini is one such browser and is excellent, particularly for smart and dumb phones, providing for a big increase in speed. It works well for Android and WM devices. I'm quite sure that it sends every URL back to Opera's browsers for rendering.
I thought Dolphin did the same, at least in part, that it uses server acceleration, no?
With Google, the assumption that they gather data from all apps and services that are labelled "Google Anything" is pretty much the default, to be honest.
Since they control software installs on your phone when you first get it, they can in fact stick their cert in your browser by default. I would think. Not sure how this would work across updates or if you used a non-default browser on a smartphone, of course.
Have you tried Opera Mobile?
w00t