[PRIVACY] WARNING: Dolphin's collection of your browsing history

Search This thread

Fnorder

Senior Member
Nov 8, 2008
153
327
Lake Vostok
If it weren't for things like this, I'd still be a fan of Dolphin Browser.

Ever since the 'webzine' 'feature' came out (in version 6), this app forwards the URL of:
:mad: Every link you click.
:mad: Every search you enter.
:mad: Every page you load.

To: http://en.mywebzines.com/v3/columns?u=(URLencodedURL)&t=(TIMESTAMP)

This includes:
:mad: SSL URLs.
:mad: QUERY_STRINGS.
:mad: IP addresses on private networks and file:// urls.

In addition, when I mentioned this on http://blog.dolphin-browser.com, the comment awaited moderation for two days before being deleted. I've yet to receive an email.

Proof:
Code:
[[email protected]]~# ngrep -P '!' -lq -R -W single -M '(^GET|^POST|^Host:|^[^ ]ookie:)' "tcp port 80"
interface: eth0 (10.23.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 80 )
match: (^GET|^POST|^Host:|^[^ ]ookie:)


T 10.23.1.220:60126 -> 107.20.41.53:80 [AP] GET /v3/columns?u=http%3A%2F%2F10.23.1.254%2F&t=1319574537635 HTTP/1.1!!Authorization: cd7f573ec9e6e865a28aaab7a1793796!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!

(less spammy proof)
 [G] www.google.com:80/search?q=wut
 [G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319574984926
 [G] en.mywebzines.com:80/v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwhat%2Bis%2Bthis%2Bi%2Bdont%2Beven&t=1319575011872
 [G] en.mywebzines.com:80/v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160

Stick this in your /system/etc/hosts to make the Orwellian nightmare stop. This will break webzine 'functionality', and is only possible on rooted phones:
Code:
127.0.0.1 en.mywebzines.com mywebzines.com

Alternatively, here is how to remove this via APKTool:
Code:
* apktool d mobi.mgeek.TunnyBrowser-1.apk
* apply the this patch to smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali

#####
--- orig-7.0/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:41:43.000000000 +0000
+++ mobi.mgeek.TunnyBrowser-7/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali        2011-10-22 11:40:18.000000000 +0000
@@ -2189,7 +2189,7 @@
 
     .line 576
     :cond_2
-    invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V
+#    invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V
 
     goto :goto_0
 .end method
#####

I would attach an .apk of dolphin cleansed of it's spyware AIDS, however I'm not sure if the mods would like that. :mad:

update:
Modified APKs posted http://forum.xda-developers.com/showpost.php?p=18799432&postcount=61
update: Fiasco appears on http://www.androidpolice.com/2011/1...e-you-visit-to-a-remote-server-in-plain-text/
update: Dolphin writes blog post claiming data is not retained, and that 'feature' is disabled. Latest market version. (7.0.1/id105) appears, still forwards urls
update: Version 7.0.2 (id 106) no longer forwards urls.
 
Last edited:

Fnorder

Senior Member
Nov 8, 2008
153
327
Lake Vostok
While I have no proof dolphin == mywebzines, they conveniently share the same hosting and dns providers (both domains are registered via proxy)
Code:
[[email protected]]~# for i in $(host -t a dolphin-browser.com|awk '{print $NF}');do host $i;done
89.249.19.50.in-addr.arpa domain name pointer ec2-50-19-249-89.compute-1.amazonaws.com.
[[email protected]]~# for i in $(host -t a en.mywebzines.com|awk '{print $NF}');do host $i;done
77.123.17.50.in-addr.arpa domain name pointer ec2-50-17-123-77.compute-1.amazonaws.com.
185.179.17.50.in-addr.arpa domain name pointer ec2-50-17-179-185.compute-1.amazonaws.com.
58.30.19.50.in-addr.arpa domain name pointer ec2-50-19-30-58.compute-1.amazonaws.com.
167.175.19.50.in-addr.arpa domain name pointer ec2-50-19-175-167.compute-1.amazonaws.com.
93.246.101.75.in-addr.arpa domain name pointer ec2-75-101-246-93.compute-1.amazonaws.com.
53.41.20.107.in-addr.arpa domain name pointer ec2-107-20-41-53.compute-1.amazonaws.com.
205.64.72.184.in-addr.arpa domain name pointer ec2-184-72-64-205.compute-1.amazonaws.com.
119.178.72.184.in-addr.arpa domain name pointer ec2-184-72-178-119.compute-1.amazonaws.com.
156.2.73.184.in-addr.arpa domain name pointer ec2-184-73-2-156.compute-1.amazonaws.com.
33.95.17.50.in-addr.arpa domain name pointer ec2-50-17-95-33.compute-1.amazonaws.com.
[[email protected]]~# host -t ns mywebzines.com;host -t ns dolphin-browser.com
mywebzines.com name server ns2.dnsv5.com.
mywebzines.com name server ns1.dnsv5.com.
dolphin-browser.com name server ns1.dnsv4.com.
dolphin-browser.com name server ns2.dnsv4.com.
[[email protected]]~#
 

lexluthor

Senior Member
Feb 7, 2007
1,932
204
Subscribed.

As a Dolphin user, I'm interested to see where this goes.

Maybe you can get the adfree android developer to add en.mywebzines.com to the next hosts file update and problem solved (for adfree users, at least).
 

Fnorder

Senior Member
Nov 8, 2008
153
327
Lake Vostok
Subscribed.

As a Dolphin user, I'm interested to see where this goes.

Maybe you can get the adfree android developer to add en.mywebzines.com to the next hosts file update and problem solved (for adfree users, at least).

Does't adfree allow custom entries?

I still use dolphin 4 as it has the best UI on android...especially after the modifications I've made. Unfortunately since it's free of admob and mobosquare code I'd probably get in trouble for posting it :D
 

Rico ANDROID

Senior Member
Mar 23, 2011
342
15
In my DELL Streak
Uninstallimg today

Nice work. I'll keep watching this thread.

Makes you wonder why Google is still allowing Dolphin to stay in their catalog.... Uninstalling today!

Hmmmmph!

grump.jpg
 

Fnorder

Senior Member
Nov 8, 2008
153
327
Lake Vostok
I recommend Boat Browser. It's very smooth and clean. I switched to it from dolphin and I've never looked back.

I use Boat Browser, very clean.. none of the concerns and bloatware mentioned.:)

I remember trying boat. It failed my evaluation on two counts: The lower button bar wouldn't go away, and it constantly posted data to http://www.umeng.com/app_logs

Code:
 [P] www.umeng.com:80/app_logs
   post: T 10.23.1.220:38582 -> 211.151.139.246:80 [AP] H!}![K!1!!!!!'!!!K!7!A!!E!E|!Y!d!.M!!!H-!!N!!!!}!!!!sfV{!!!!!d!!!!!!#!I!v V-!!!(k!!T!k!!!!!2!j!!"G!A!!!5!A>!!!]!!`K!Tk!!!!`!!!!J^!XdT!jC!!!!!D!!&5C!!:W=!!S!!e D!!!!!g!G!!!!!!O!c!<!!!!!I!1!!!X!!!z!!!!!!1!!4#!!!!!!!!!0>!!!C{4%!:o!~!!!!!!tJ!!!!!!]!!!!!!!!!!!!!!!!!!!C!C!!!!!qY!!5[#!M!!K(+*s!!!PI!u!!/J!!q!0!!!-!!!=?!g!!!Q\!!w!!!R!!!!!0!G3-V2!!U!m!5!q![!j!g!!Z9w!!eV!oC!!od!!!

I've not sifted through smali code to see -what- gets posted, but it does so every time you do something.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 197
    If it weren't for things like this, I'd still be a fan of Dolphin Browser.

    Ever since the 'webzine' 'feature' came out (in version 6), this app forwards the URL of:
    :mad: Every link you click.
    :mad: Every search you enter.
    :mad: Every page you load.

    To: http://en.mywebzines.com/v3/columns?u=(URLencodedURL)&t=(TIMESTAMP)

    This includes:
    :mad: SSL URLs.
    :mad: QUERY_STRINGS.
    :mad: IP addresses on private networks and file:// urls.

    In addition, when I mentioned this on http://blog.dolphin-browser.com, the comment awaited moderation for two days before being deleted. I've yet to receive an email.

    Proof:
    Code:
    [[email protected]]~# ngrep -P '!' -lq -R -W single -M '(^GET|^POST|^Host:|^[^ ]ookie:)' "tcp port 80"
    interface: eth0 (10.23.1.0/255.255.255.0)
    filter: (ip or ip6) and ( tcp port 80 )
    match: (^GET|^POST|^Host:|^[^ ]ookie:)
    
    
    T 10.23.1.220:60126 -> 107.20.41.53:80 [AP] GET /v3/columns?u=http%3A%2F%2F10.23.1.254%2F&t=1319574537635 HTTP/1.1!!Authorization: cd7f573ec9e6e865a28aaab7a1793796!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!
    
    (less spammy proof)
     [G] www.google.com:80/search?q=wut
     [G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319574984926
     [G] en.mywebzines.com:80/v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwhat%2Bis%2Bthis%2Bi%2Bdont%2Beven&t=1319575011872
     [G] en.mywebzines.com:80/v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160

    Stick this in your /system/etc/hosts to make the Orwellian nightmare stop. This will break webzine 'functionality', and is only possible on rooted phones:
    Code:
    127.0.0.1 en.mywebzines.com mywebzines.com

    Alternatively, here is how to remove this via APKTool:
    Code:
    * apktool d mobi.mgeek.TunnyBrowser-1.apk
    * apply the this patch to smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali
    
    #####
    --- orig-7.0/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:41:43.000000000 +0000
    +++ mobi.mgeek.TunnyBrowser-7/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali        2011-10-22 11:40:18.000000000 +0000
    @@ -2189,7 +2189,7 @@
     
         .line 576
         :cond_2
    -    invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V
    +#    invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V
     
         goto :goto_0
     .end method
    #####

    I would attach an .apk of dolphin cleansed of it's spyware AIDS, however I'm not sure if the mods would like that. :mad:

    update:
    Modified APKs posted http://forum.xda-developers.com/showpost.php?p=18799432&postcount=61
    update: Fiasco appears on http://www.androidpolice.com/2011/1...e-you-visit-to-a-remote-server-in-plain-text/
    update: Dolphin writes blog post claiming data is not retained, and that 'feature' is disabled. Latest market version. (7.0.1/id105) appears, still forwards urls
    update: Version 7.0.2 (id 106) no longer forwards urls.
    19
    While I have no proof dolphin == mywebzines, they conveniently share the same hosting and dns providers (both domains are registered via proxy)
    Code:
    [[email protected]]~# for i in $(host -t a dolphin-browser.com|awk '{print $NF}');do host $i;done
    89.249.19.50.in-addr.arpa domain name pointer ec2-50-19-249-89.compute-1.amazonaws.com.
    [[email protected]]~# for i in $(host -t a en.mywebzines.com|awk '{print $NF}');do host $i;done
    77.123.17.50.in-addr.arpa domain name pointer ec2-50-17-123-77.compute-1.amazonaws.com.
    185.179.17.50.in-addr.arpa domain name pointer ec2-50-17-179-185.compute-1.amazonaws.com.
    58.30.19.50.in-addr.arpa domain name pointer ec2-50-19-30-58.compute-1.amazonaws.com.
    167.175.19.50.in-addr.arpa domain name pointer ec2-50-19-175-167.compute-1.amazonaws.com.
    93.246.101.75.in-addr.arpa domain name pointer ec2-75-101-246-93.compute-1.amazonaws.com.
    53.41.20.107.in-addr.arpa domain name pointer ec2-107-20-41-53.compute-1.amazonaws.com.
    205.64.72.184.in-addr.arpa domain name pointer ec2-184-72-64-205.compute-1.amazonaws.com.
    119.178.72.184.in-addr.arpa domain name pointer ec2-184-72-178-119.compute-1.amazonaws.com.
    156.2.73.184.in-addr.arpa domain name pointer ec2-184-73-2-156.compute-1.amazonaws.com.
    33.95.17.50.in-addr.arpa domain name pointer ec2-50-17-95-33.compute-1.amazonaws.com.
    [[email protected]]~# host -t ns mywebzines.com;host -t ns dolphin-browser.com
    mywebzines.com name server ns2.dnsv5.com.
    mywebzines.com name server ns1.dnsv5.com.
    dolphin-browser.com name server ns1.dnsv4.com.
    dolphin-browser.com name server ns2.dnsv4.com.
    [[email protected]]~#
    17
    I've had so many requests for them via pm....

    7.0 cleaned: http://qfs.mobi/f40936 : Not renamed, but resigned, so the original (and all plugins and themes) will need to be uninstalled

    4.0 modded: http://qfs.mobi/f40949 : Renamed, won't need to uninstall original. This one has a number of tweaks to UI behavior, and extra functionality (Custom search URL, customizable bookmarklet button, unlimited tabs) 'exit' menu option closes tab, so hold back to exit. All admob/analytics/mobosquare code removed.

    (if mods -do- object, apologies ahead of time :p)
    13
    This is old and Dolphin have explained this!
    It's no longer an issue.

    Stop defending Dolphin by propagating their public relations spin.

    The whole truth is that Dolphin now encrypts the data that they phone home. That does not fix the privacy issue. They made a completely incompetent and bonehead move phoning home all URLs in plain text, even https URLs which should always be encrypted as they contain sensitive information like passwords. It is true they stopped that idiocy, but you are ignoring what is really happening now.

    Look at this analysis of the current version of Dolphin Browser:
    http://mobilesandbox.org/xml_report_static/?q=357932

    android.permission.READ_LOGS [basically no app should have this]
    android.permission.RECEIVE_BOOT_COMPLETED [why is your browser starting on boot?]
    android.permission.READ_CONTACTS [you want your browser to read your contacts?]
    android.permission.RECORD_AUDIO [you want your browser to record audio?]
    android/telephony/TelephonyManager;->getDeviceId [to identify you]
    getSubscriberId [to identify you]
    Execution of external commands [scary]
    Cipher(AES/ECB/PKCS5PADDING) [now they encrypt data]
    Cipher(DES/CBC/PKCS5Padding) [they learned not to send it in plain text]
    Cipher(RSA/ECB/PKCS1Padding) [encrypted so we cannot know what they collect]
    HttpPost [and phoning home]


    That is not even all of the garbage brought to light by that report. Dolphin's developers should be ashamed of themselves and its users need to learn the whole truth. Look at their so-called privacy policy, for example.

    If your argument is "Google spies, so what" then you need to wise up. For one, Google is a large and well-known public company that does face repercussions for violating privacy. Dolphin is...not.

    Second, even if you do not care about your privacy--and you should--spying wastes battery power, bandwidth, and CPU cycles. No one needs more garbage on their device.
    8
    Thank you for all your comments.
    We are delighted that our user community is growing to new heights daily. We continue to learn from you, our users, and will always be responsive to your comments.
    Here we promised we never stored user data. Please check here to know more details. blog.dolphin-browser.com/2011/10/27/webzine-does-not-store-user-data/

    Dolphin Browser

    I'm torn between cynicism and my hope that this -is- innocent, so I'll go with both in my reply.

    The way you guys dealt with previous attempts at calling this to your attention - ignoring emails and outright deleting my blog comment - cast the honesty of your organization into doubt (in my mind at least, I cannot prove this part of the affair). I find myself in doubt that dolphin would have (claimed to have) taken action had this issue not appeared on major android news sites such as http://www.androidpolice.com/2011/1...e-you-visit-to-a-remote-server-in-plain-text/

    You -say- data is not collected, but I do not have access to your server and thus cannot verify that browsing history (juicy marketing data) is not retained (this includes access_log), I only have the promise of an organisation that has not earned my trust. (And I would not trust Mozilla with this)

    As you can see, people consider browsing history sensitive data, it is -not- a zero on a scale of 1-10 as stated in your blog, especially for those of us that make use of url obscurity. (HTTPS requests secure host and path, this was defeated with dolphin)

    That said, while I'm pleased that you -say- steps are being taken, I can confirm that:
    version 7.0.1 (build id 105) still forwards urls like version 6-7.0.0 (id 103) have done. In addition, unlike v7.0.0(103) from getjar, it nagged me to rate it, thus I have bumped my one star security warning.

    Assuming you will actually fix this:

    Making this opt-in is good, provided it's opt-in and explains the security considerations clearly.

    Alas, were I not so dependant on the features I added to 4.x, I'd still find myself analysing traffic with a packet sniffer and scouring smali code each time a Dolphin upgrade were made available. I would not do this for firefox or opera, as they've proven themselves to recognize browser security and privacy as Serious Business.

    Since you have claimed to disable this, and have yet to actually do so, you prove the opposite with each passing minute.
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone