Sunday, 30 October 2011

Yet another Dolphin Browser security issue: think twice before backing up

Update: Dolphin finally encrypts your backups!

Dolphin Browser HD may be the Android browser with the most features of the pack, but it doesn't always behave well.

It used to send your entire surfing history to its webzine server. That got fixed in an update after the entire web screamed murder about it.

But there's another problem that remains unfixed, and this problem can cause a lot of trouble if exploited.

Dolphin has a backup feature that lets you back up all its browser settings, bookmarks, cookies, etcetera to your SD card. If you tell Dolphin to remember your logins and passwords, they'll be included in the backup too.

It's your own choice to make backups or not, so what's the problem? The problem is that nobody expects their backups to be in a format that can easily be abused by anyone with access to the backup file. You'd expect the backup to be in a secure format, but unfortunately it's not. The backup is not encrypted, so anyone with access to your SD card can look into the backup file (sdcard/TunnyBrowser/backup/databases/webview.db) and read your stored passwords and login cookies.

Even if you sit on top of your phone 24/7 that doesn't mean your backup is safe. Any app with permission to read your memory card and go online (that means just about every app on the Android Market) could send the unencrypted backup file out and steal your passwords and login cookies. It only takes one evil programmer to release a bad app on the market to send your Dolphin backups out. Maybe those bad apps are already out there.
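The problem described above comes down to one fact: a file that still starts with the SQLite header is readable by anything that can read the card. As an added example (not code from the post or from Dolphin), here is a small audit that flags a backup file as plaintext and lists the credential tables it exposes; the table names `password` and `cookies` and the sample rows are constructed assumptions standing in for the real webview.db.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
# Table names that hold credential material; "password" and "cookies" are
# assumed stand-ins for what the post says the Dolphin backup exposes.
SENSITIVE_TABLES = {"password", "cookies"}


def backup_findings(path):
    """Return findings for a backup file written to shared storage.

    A file that begins with the SQLite magic header is plaintext: any app
    that can read the SD card can open it directly, no decryption needed.
    """
    findings = []
    with open(path, "rb") as f:
        header = f.read(len(SQLITE_MAGIC))
    if header != SQLITE_MAGIC:
        return findings  # not a plaintext SQLite file (encrypted or other format)
    findings.append("plaintext sqlite database")
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
        names = {row[0] for row in rows}
    finally:
        conn.close()
    for name in sorted(names & SENSITIVE_TABLES):
        findings.append(f"readable table: {name}")
    return findings


def make_sample_backup(directory):
    """Constructed stand-in for sdcard/TunnyBrowser/backup/databases/webview.db."""
    path = os.path.join(directory, "webview.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE password (host TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO password VALUES ('example.com', 'alice', 'hunter2')")
    conn.execute("CREATE TABLE cookies (name TEXT, value TEXT, domain TEXT)")
    conn.execute("CREATE TABLE bookmarks (title TEXT, url TEXT)")
    conn.commit()
    conn.close()
    return path


def run_demo():
    """Audit a constructed plaintext backup and an opaque (non-SQLite) blob."""
    with tempfile.TemporaryDirectory() as d:
        plain = make_sample_backup(d)
        opaque = os.path.join(d, "backup.enc")
        with open(opaque, "wb") as f:
            f.write(os.urandom(64))  # stands in for ciphertext; not real encryption
        return backup_findings(plain), backup_findings(opaque)


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real backup directory by calling `backup_findings` on each file; an empty result means the file is at least not a plaintext SQLite database.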

Any app that stores data on your memory card should consider the SD card of your phone an unsafe location that should only store sensitive data under lock and key. That's why backup app Titanium lets you encrypt its backups. The other big backup app out there does not. MyBackup should add encryption as soon as possible.

With all the recent fuss about Dolphin you might think this web browser is a malicious app. It's probably not. The security issues are more likely a result of incompetence rather than evil intent. Of course that won't make any difference to you if your passwords get stolen, so if you keep surfing with Dolphin make sure you take your own measures to close the security holes.

My advice: do NOT use Dolphin's built-in backup feature unless you've cleared your saved passwords and login cookies. If you want a backup with your login data included, just make an encrypted backup with Titanium.
