Dolphin Browser on Android caught red-handed sending a copy of the browsing data to its remote server; How to Fix it

Dolphin Browser was, and maybe still is, logging your browsing data. Ever since the ‘webzine’ feature came out (in version 6), this app forwards the URL of:
Every link you click.
Every search you enter.
Every page you load.

Dolphin HD, one of the hot browsers on the Android platform, has been caught in the act of sending almost every web page URL you visit, including those that start with https, to a remote server, en.mywebzines.com, which belongs to the company. The WebZines feature was introduced back around June with version 6.0, so it’s safe to say this tracking started around the same time.

Folks over at Xda-developers (Fnorder) and AndroidPolice caught it in the act with a packet sniffer. They intercepted the packets the browser sent, and the URLs were most certainly sent instantly to en.mywebzines.com, in plain text!


 

Here is the proof

[root@phone]~# ngrep -P '!' -lq -R -W single -M '(^GET|^POST|^Host:|^[^ ]ookie:)' "tcp port 80"
interface: eth0 (10.23.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 80 )
match: (^GET|^POST|^Host:|^[^ ]ookie:)

T 10.23.1.220:60126 -> 107.20.41.53:80 [AP] GET /v3/columns?u=http%3A%2F%2F10.23.1.254%2F&t=1319574537635 HTTP/1.1!!Authorization: cd7f573ec9e6e865a28aaab7a1793796!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!

(less spammy proof)
 [G] www.google.com:80/search?q=wut
 [G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319574984926
 [G] en.mywebzines.com:80/v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwhat%2Bis%2Bthis%2Bi%2Bdont%2Beven&t=1319575011872
 [G] en.mywebzines.com:80/v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160

The above was on a private network, but it does the same on the public network (Internet) too. Every single time.
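
A detection sketch for the pattern in the capture above, added here as an example and not taken from the original post or the researchers' write-ups: it scans ngrep "-W single" output for plain-HTTP requests whose query parameters carry a full URL belonging to a different host. The sample lines are constructed in the capture's format, and the function and field names are this example's own.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: ngrep "-W single" lines modelled on the capture above
# ('!' stands in for CR/LF because of the -P '!' option).
SAMPLE = [
    "T 10.23.1.220:60126 -> 107.20.41.53:80 [AP] GET /v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319575011872 HTTP/1.1!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!",
    "T 10.23.1.220:60130 -> 107.20.41.53:80 [AP] GET /v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160 HTTP/1.1!!Host: en.mywebzines.com!!!!",
    "T 10.23.1.220:60131 -> 192.0.2.10:80 [AP] GET /search?q=wut HTTP/1.1!!Host: www.google.com!!!!",
]

REQ = re.compile(r"\b(GET|POST) (\S+) HTTP/1\.[01]")
HOST = re.compile(r"!!Host: ([^!\s]+)", re.I)
LEAK_SCHEMES = ("http://", "https://", "file://")

def find_url_leaks(lines):
    """Return one dict per query parameter that carries a full URL to another host."""
    leaks = []
    for line in lines:
        req, host = REQ.search(line), HOST.search(line)
        if not (req and host):
            continue
        params = parse_qsl(urlsplit(req.group(2)).query)  # percent-decodes values
        stamp = next((v for k, v in params if k == "t" and v.isdigit()), None)
        for name, value in params:
            if not value.lower().startswith(LEAK_SCHEMES):
                continue
            inner = urlsplit(value)
            if inner.hostname == host.group(1).lower():
                continue  # a site referring to itself is not a third-party leak
            leaks.append({
                "collector": host.group(1),
                "param": name,
                "url": value,
                # https paths are hidden by TLS and file:// paths never leave the device otherwise
                "newly_exposed": inner.scheme in ("https", "file"),
                "when": datetime.fromtimestamp(int(stamp) / 1000, timezone.utc).isoformat()
                        if stamp else None,
            })
    return leaks

if __name__ == "__main__":
    for leak in find_url_leaks(SAMPLE):
        print(leak)
```

The "t" parameter is treated as a millisecond Unix timestamp, which is an assumption based on the values in the capture.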

This is what Android Police have to say

  1. Dolphin’s servers collect information on websites visited by anyone using the Dolphin HD browser (tested on latest v7.0), including your searches and query parameters.
  2. These requests are sent over in plain-text, which exposes these urls to clients on the same network. While this is not a huge problem with http urls, as those are already sent out in plain-text, it does include https urls, which would otherwise be concealed by SSL (see this for more info on how SSL encrypts server and path information).
  3. It’s worth noting that Dolphin Browser has Chinese roots (just how deep they are is unclear, but the url mgeek.mobi which was used to communicate with us when Dolphin was launched is registered in China), though both dolphin-browser.com and mywebzines.com are now hosted on Amazon AWS in the U.S. on the same IP range. I have nothing against China or the company itself, but do we really have to have our private information broadcast to a foreign company (unless you’re from China, of course – then you’ll feel right at home)?

 

However, yesterday the Dolphin Team posted an update about this issue on their blog and said, and I quote, “It is not critical and we have temporary removed this functionality in our latest update yesterday.”

The Dolphin Team also say on their blog that it has been deactivated for now but will be an opt-in feature in the future. If that was the case, why weren’t users made aware of the “feature”? A nifty cover-up, then.

 

NOTE: Dolphin Browser 7.0.1 also doesn’t fix the issue; Dolphin Browser 7.0.2 does.

 

Just in case you want to block en.mywebzines.com anyway, or to be sure that Dolphin Browser is not invading your privacy, here is a fix:

If you are rooted, you can block en.mywebzines.com permanently on your device by adding the following entry into /etc/hosts:

127.0.0.1 en.mywebzines.com

To simplify this process, you can use Hosts Editor from the Android Market.

After this you may need to reboot to flush the DNS cache. You can test whether the fix worked or not by going to http://en.mywebzines.com in any browser and seeing if it loads an empty page with title Webzine (fix didn’t work) or doesn’t connect (fix worked).

 

Fixed or not, this is a serious concern and may harm Dolphin Browser’s reputation, as it is one of the most used Android browsers and ranks in the top 3 Android browsers along with Firefox.

 

The DNetWorks Team