Monday 14 November 2011

Dolphin Browser phones home again, here's how to stop it


When Dolphin Browser was caught sending your entire surfing history to its webzine server they got so much bad publicity that they had to clean up their act real quick. You'd expect that they learned something from that fiasco, but they didn't.

Dolphin HD version 7.1.0 was caught spying on the same day that it was released.

The new Dolphin sends your Android ID (a number that stays with your phone forever), a Dolphin client ID, your carrier and phone specifications to https://tracken.dolphin-browser.com.

Well, at least they use encryption. And the information isn't really that sensitive. Still, they frequently grab usage statistics and information about your phone without letting you opt out.

Of course you can opt out yourself. The obvious method is to remove Dolphin from your phone, but then you miss out on all its features which leave the competition in the dust. A better way to stop Dolphin from phoning home is to block the target URL in your Android hosts file. This file is usually in /system/etc/hosts. You can edit it manually, or feed the offending domain names to the blocklist of AdAway. Either way, you'll need root access. The URL to block is tracken.dolphin-browser.com.

To cut the line between Dolphin and its maker add these three lines to your hosts file or block the domains with AdAway:

127.0.0.1 tracken.dolphin-browser.com
127.0.0.1 en.mywebzines.com
127.0.0.1 pnsen.dolphin-browser.com

The first line stops usage stats collection. The second line cuts off URL collection by the webzines server (Dolphin stopped sending it, but you never know if it comes back). The third line prevents the popup that begs you to rate Dolphin in the Android Market.

Phoning home is not the only new feature of version 7.1.0. The update allows importing bookmarks from Dolphin Mini, deleting bookmarks from the side bar, picking a different search engine if you don't like Google (you can choose Bing and Yahoo too), and some bug fixes under the hood. Too bad for Dolphin that its data grabbing will get much more attention than the bookmark and search improvements.

Dolphin still doesn't encrypt its backups, so if someone steals your phone they can pull all sorts of private info from your SD card, even if your phone is locked.

Update: Dolphin finally encrypts your backups!

Gesture commands, tabs, plugins, bookmarks sidebar etcetera make Dolphin an excellent mobile web browser, but the way it handles security and privacy is unacceptable. It shares its bad habits with plenty of other Android apps, so root your phone and protect it with electronic condoms like AdAway, DroidWall, and LBE Privacy Guard. Android and its apps need a permanent reminder that it's your phone and your data.

Dolphin Browser HD


tweet this reddit digg this StumbleUpon digg this digg this

3 comments:

  1. Thanks for your comment! Most Android App (not only Dolphin Browser) send Android ID, carrier and phone specifications when user launches the App. This info is used to track total active users. It is a very common practice. Android ID is then hashed immediately and not store on any server - definitely not any Dolphin server. We are now working on the backup encrypt feature and we already put this in our plan. But it really takes time. If you have any issues, please feel free to send us an email at pr@mobotap.com.

    ReplyDelete
  2. Many Android apps let you opt out of data collection with a checkbox in the settings. Dolphin should add a way to opt out of sharing any info with Dolphin.

    A good browser (which Dolphin tries to be) should provide the option to send communications between websites and the end user without a single byte of data going to the servers of the browser manufacturer.

    Why use the Android ID? Hashing doesn't help, because if you remove Dolphin and then reinstall it, the same Android ID will generate the same hash.

    You should use a random number that's independent of hardware, and which can be reset by the user.

    Good that you're working on encryption of backups. They should have been encrypted right from the start, but I guess late is better than never.

    ReplyDelete
  3. p.s. Now that I've caught a Dolphin in my net, what about fixing the background tab checkbox annoyance described on http://androidunderground.blogspot.com/2011/09/dolphin-browser-hd-improves-gestures.html ?

    ReplyDelete