Wednesday 26 October 2011

Dolphin Browser: spyware?


Update: Dolphin clean after bath and shower

Dolphin is probably the most popular web browser for Android. There's a good reason for that, because is has a couple of killer features: unlimited tabs, gesture controls, and much more.

The bad news: version 7.0.0 adds a cloud to device messaging service (Dolphin Connect) without an off switch. The next version better come with a toggle in the settings menu for those who don't want Dolphin Connect listening online when there's no need for it.

The really really really bad news: a couple of updates ago Dolphin added a feature called "Webzines," and it seems that this addition turned Dolphin into spyware.

According to Fnorder on the xda forum the new Dolphin sends the address of every site you visit, every link you tap, and every search query you enter to http://en.mywebzines.com. The domain mywebzines.com is probably owned by Dolphin itself.

Maybe your surfing trips are sent out to target advertising, maybe it's just an innocent way to collect anonymous browsing statistics. Either way, having all your URLs collected can be a real security issue because many sites generate URLs of the www.domain.com/?personal.data type. And let's not even think about URLs for pages on your internal network, or URLs along the lines of [password]:[username].site.com.

If you want to stop Dolphin from sending your browsing history to mywebzines.com, open your Android hosts file (usually in /system/etc/hosts) and add this line to it:

127.0.0.1 en.mywebzines.com mywebzines.com

If you don't want to edit your hosts file by hand, you can blacklist the domain en.mywebzines.com with AdAway.

Editing your hosts file or using AdAway requires root access, but if you know what's good for you and your phone you'll have rooted it anyway.

You can also patch the Dolphin app itself so it doesn't send your surfing secrets out. Fnorder posted instructions on taming Dolphin by killing the offending code with APKTool.

Keeping your browsing data away from mywebzines.com will break the Webzine part of Dolphin, but does anybody really use that anyway?

Of course you can just throw Dolphin back into the ocean and surf with another browser, but keep in mind that other web browsers may do the same evil thing. For example, Boat Browser phones home to www.umeng.com and Maxthon reports to mm.maxthon.com and stats-a.maxthon.com.

Open source browser Firefox for Android is probably clean. Unfortunately it's not ready for human consumption yet. The best Dolphin alternative is xScope, but it lacks many of the features that make Dolphin such a popular browser.

This fish marine mammal should clean up its act real quick, or else I'm gonna eat a lot of tuna.

Dolphin
AdAway
• The Dolphin is fishy thread on the xda forum
xScope (Android Market)

Update: Dolphin clean after bath and shower


tweet this reddit digg this StumbleUpon digg this digg this

No comments:

Post a Comment