[PRIVACY] WARNING: Dolphin's collection of your browsing history
- Thread starter Fnorder
- Start date
There's a new version 7.02 in the market. Does it actually remove the tracking as promised? I don't know.
I'm pleased to see that this has been corrected in v7.0.2 (106)
mobi.mgeek.TunnyBrowser
olphinNotification persists, but that is only relevant to annoyance levels, and not a privacy / security matter
mobi.mgeek.TunnyBrowser
olphinNotification persists, but that is only relevant to annoyance levels, and not a privacy / security matter
Last edited:
this browser dev. should tell the truth in first place. Why hide this serious matter from users. Sorry, no way for this kind of developer attitude for breach our privacy.
Techvir
Senior Member
this browser dev. should tell the truth in first place. Why hide this serious matter from users. Sorry, no way for this kind of developer attitude for breach our privacy.
I agree with you! If they knew all this information purpose from beggining why did not say it?
For people that say this is not important,you should ask yourself just this:do you think they bothered to risk theyr reputation and write that code for nothing? So obviusly the information it sends it is precious.
Sending using a crappy Lg phone (optimus white)whitch i will never ever buy from then again
.
You use a Google account which mines through all your messages for keywords to sell to advertisers and allows them to project personalized ads to you.
You search through Google to find web pages, which in turn Google watches and sells as trends to advertisers to project to you more ads.
You have Facebook account which constantly mines through every single interaction you do on the site, that tracks every single link that is posted to the site, that facilitates the ecosystem for apps and games to give you content in return for letting them access your private information.
Every single moment you're on the internet, someone is watching and gathering statistics on you. Just a newsflash, yes, maybe "you gotta have youre privacy", but please don't forget that on the internet, you rarely have any. Being smart about it is the key, paranoia is irrational.
That being said, I'm on a fresh flash of my ROM and haven't yet installed a browser. I'll wait and see what the Dolphin Team's reaction to this is.
K so I'm on 702 from market. That means I'm good right?
Sent from my rockin' Galaxy S 4G using XDA Premium App
Sent from my rockin' Galaxy S 4G using XDA Premium App
If you don't sign up for Dolphin Connect it doesn't. That got sorted out in v7.0.1.
Alex Molloy on the Dolphin blog said:
I just reported what Keiji found and Fnorder confirmed, so all credits go to them.
It looks like Dolphin 7.0.2 is clean, but keep the nets out just in case it tries to swim to polluted waters again.
I've installed Opera Mobile...can anyone confirm that it is safe? (Assuming Turbo mode is off)
Sent from my DROIDX using Tapatalk
Last edited:
I only ever change the hosts file to '0.0.0.0'. What other functions could be accomplished, by either adding to or changing this file?
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
197If it weren't for things like this, I'd still be a fan of Dolphin Browser.
Ever since the 'webzine' 'feature' came out (in version 6), this app forwards the URL of:
Every link you click.
Every search you enter.
Every page you load.
To: http://en.mywebzines.com/v3/columns?u=(URLencodedURL)&t=(TIMESTAMP)
This includes:
SSL URLs.
QUERY_STRINGS.
IP addresses on private networks and file:// urls.
In addition, when I mentioned this on http://blog.dolphin-browser.com, the comment awaited moderation for two days before being deleted. I've yet to receive an email.
Proof:
Code:[root@phone]~# ngrep -P '!' -lq -R -W single -M '(^GET|^POST|^Host:|^[^ ]ookie:)' "tcp port 80" interface: eth0 (10.23.1.0/255.255.255.0) filter: (ip or ip6) and ( tcp port 80 ) match: (^GET|^POST|^Host:|^[^ ]ookie:) T 10.23.1.220:60126 -> 107.20.41.53:80 [AP] GET /v3/columns?u=http%3A%2F%2F10.23.1.254%2F&t=1319574537635 HTTP/1.1!!Authorization: cd7f573ec9e6e865a28aaab7a1793796!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!! (less spammy proof) [G] www.google.com:80/search?q=wut [G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319574984926 [G] en.mywebzines.com:80/v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwhat%2Bis%2Bthis%2Bi%2Bdont%2Beven&t=1319575011872 [G] en.mywebzines.com:80/v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160
Stick this in your /system/etc/hosts to make the Orwellian nightmare stop. This will break webzine 'functionality', and is only possible on rooted phones:
Code:127.0.0.1 en.mywebzines.com mywebzines.com
Alternatively, here is how to remove this via APKTool:
Code:* apktool d mobi.mgeek.TunnyBrowser-1.apk * apply the this patch to smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali ##### --- orig-7.0/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:41:43.000000000 +0000 +++ mobi.mgeek.TunnyBrowser-7/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:40:18.000000000 +0000 @@ -2189,7 +2189,7 @@ .line 576 :cond_2 - invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V +# invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V goto :goto_0 .end method #####
I would attach an .apk of dolphin cleansed of it's spyware AIDS, however I'm not sure if the mods would like that.
update:
Modified APKs posted http://xdaforums.com/showpost.php?p=18799432&postcount=61
update: Fiasco appears on http://www.androidpolice.com/2011/1...e-you-visit-to-a-remote-server-in-plain-text/
update: Dolphin writes blog post claiming data is not retained, and that 'feature' is disabled. Latest market version. (7.0.1/id105) appears, still forwards urls
update: Version 7.0.2 (id 106) no longer forwards urls.19While I have no proof dolphin == mywebzines, they conveniently share the same hosting and dns providers (both domains are registered via proxy)
Code:[root@vm]~# for i in $(host -t a dolphin-browser.com|awk '{print $NF}');do host $i;done 89.249.19.50.in-addr.arpa domain name pointer ec2-50-19-249-89.compute-1.amazonaws.com. [root@vm]~# for i in $(host -t a en.mywebzines.com|awk '{print $NF}');do host $i;done 77.123.17.50.in-addr.arpa domain name pointer ec2-50-17-123-77.compute-1.amazonaws.com. 185.179.17.50.in-addr.arpa domain name pointer ec2-50-17-179-185.compute-1.amazonaws.com. 58.30.19.50.in-addr.arpa domain name pointer ec2-50-19-30-58.compute-1.amazonaws.com. 167.175.19.50.in-addr.arpa domain name pointer ec2-50-19-175-167.compute-1.amazonaws.com. 93.246.101.75.in-addr.arpa domain name pointer ec2-75-101-246-93.compute-1.amazonaws.com. 53.41.20.107.in-addr.arpa domain name pointer ec2-107-20-41-53.compute-1.amazonaws.com. 205.64.72.184.in-addr.arpa domain name pointer ec2-184-72-64-205.compute-1.amazonaws.com. 119.178.72.184.in-addr.arpa domain name pointer ec2-184-72-178-119.compute-1.amazonaws.com. 156.2.73.184.in-addr.arpa domain name pointer ec2-184-73-2-156.compute-1.amazonaws.com. 33.95.17.50.in-addr.arpa domain name pointer ec2-50-17-95-33.compute-1.amazonaws.com. [root@vm]~# host -t ns mywebzines.com;host -t ns dolphin-browser.com mywebzines.com name server ns2.dnsv5.com. mywebzines.com name server ns1.dnsv5.com. dolphin-browser.com name server ns1.dnsv4.com. dolphin-browser.com name server ns2.dnsv4.com. [root@vm]~#17I've had so many requests for them via pm....
7.0 cleaned: http://qfs.mobi/f40936 : Not renamed, but resigned, so the original (and all plugins and themes) will need to be uninstalled
4.0 modded: http://qfs.mobi/f40949 : Renamed, won't need to uninstall original. This one has a number of tweaks to UI behavior, and extra functionality (Custom search URL, customizable bookmarklet button, unlimited tabs) 'exit' menu option closes tab, so hold back to exit. All admob/analytics/mobosquare code removed.
(if mods -do- object, apologies ahead of time)13
Stop defending Dolphin by propagating their public relations spin.
The whole truth is that Dolphin now encrypts the data that they phone home. That does not fix the privacy issue. They made a completely incompetent and bonehead move phoning home all URLs in plain text, even https URLs which should always be encrypted as they contain sensitive information like passwords. It is true they stopped that idiocy, but you are ignoring what is really happening now.
Look at this analysis of the current version of Dolphin Browser:
http://mobilesandbox.org/xml_report_static/?q=357932
android.permission.READ_LOGS [basically no app should have this]
android.permission.RECEIVE_BOOT_COMPLETED [why is your browser starting on boot?]
android.permission.READ_CONTACTS [you want your browser to read your contacts?]
android.permission.RECORD_AUDIO [you want your browser to record audio?]
android/telephony/TelephonyManager;->getDeviceId [to identify you]
getSubscriberId [to identify you]
Execution of external commands [scary]
Cipher(AES/ECB/PKCS5PADDING) [now they encrypt data]
Cipher(DES/CBC/PKCS5Padding) [they learned not to send it in plain text]
Cipher(RSA/ECB/PKCS1Padding) [encrypted so we cannot know what they collect]
HttpPost [and phoning home]
That is not even all of the garbage brought to light by that report. Dolphin's developers should be ashamed of themselves and its users need to learn the whole truth. Look at their so-called privacy policy, for example.
If your argument is "Google spies, so what" then you need to wise up. For one, Google is a large and well-known public company that does face repercussions for violating privacy. Dolphin is...not.
Second, even if you do not care about your privacy--and you should--spying wastes battery power, bandwidth, and CPU cycles. No one needs more garbage on their device.8
I'm torn between cynicism and my hope that this -is- innocent, so I'll go with both in my reply.
The way you guys dealt with previous attempts at calling this to your attention - ignoring emails and outright deleting my blog comment - cast the honesty of your organization into doubt (in my mind at least, I cannot prove this part of the affair). I find myself in doubt that dolphin would have (claimed to have) taken action had this issue not appeared on major android news sites such as http://www.androidpolice.com/2011/1...e-you-visit-to-a-remote-server-in-plain-text/
You -say- data is not collected, but I do not have access to your server and thus cannot verify that browsing history (juicy marketing data) is not retained (this includes access_log), I only have the promise of an organisation that has not earned my trust. (And I would not trust Mozilla with this)
As you can see, people consider browsing history sensitive data, it is -not- a zero on a scale of 1-10 as stated in your blog, especially for those of us that make use of url obscurity. (HTTPS requests secure host and path, this was defeated with dolphin)
That said, while I'm pleased that you -say- steps are being taken, I can confirm that:
version 7.0.1 (build id 105) still forwards urls like version 6-7.0.0 (id 103) have done. In addition, unlike v7.0.0(103) from getjar, it nagged me to rate it, thus I have bumped my one star security warning.
Assuming you will actually fix this:
Making this opt-in is good, provided it's opt-in and explains the security considerations clearly.
Alas, were I not so dependant on the features I added to 4.x, I'd still find myself analysing traffic with a packet sniffer and scouring smali code each time a Dolphin upgrade were made available. I would not do this for firefox or opera, as they've proven themselves to recognize browser security and privacy as Serious Business.
Since you have claimed to disable this, and have yet to actually do so, you prove the opposite with each passing minute.
