Friday 7 September 2012

Fishy browser Dolphin tries to track your location for no reason



History lesson

Dolphin Browser is possibly the best Android web browser out there, mainly because no other Android web browser can match Dolphins custom gesture feature.

But Dolphin doesn't always know how to behave. Last year it was caught sending all the URLs you visited to its own server. Unencrypted! Even when visiting https sites! After lots of bad publicity Dolphin cleaned up its act, but two weeks later the marine mammal started phoning home again. This time it sent your Android ID (a number that stays with your phone forever), a Dolphin client ID, and your carrier and phone specifications to itself. You can stop this, but only if your phone is rooted so you can block all traffic to https://tracken.dolphin-browser.com with an app like AdAway.

Dolphin didn't learn

And today Dolphin received another update that smells fishy.

When you launch the new Dolphin you'll find that it starts up slower than the previous version. The new edition throws a splash screen on your display, probably to hide the slower startup.

And then the real issue kicks in. Because the updated Dolphin asks your phone for your GPS location for no apparent reason. Some websites may ask for your location for a good reason, but Dolphin now tries to find out where you are even if you set a homepage that doesn't want to know your whereabouts.

Disabling location in Dolphins settings doesn't stop it from trying to grab your location. You can use apps like LBE Privacy Guard to stop Dolphin from polling your GPS, but this also stops legit location requests from sites like Nokia Maps.

Update 1: I got a mail from Dolphin in which they explained that  the location request on launch is a mistake. They're gonna kick their developers asses and make 'em fix their error. So Dolphin is not malicious but merely incompetent.
Thank you so much for your information.
We are so sorry for the trouble. We have tested and figured out that our developers changed the code which cause this issue by mistake.
Our senior engineers checked and confirmed that we did not upload your location data to the server. It is just a no-data transmission action.
We will correct this error and update soon. If you found any further issues, please don’t hesitate to contact us.
Update 2: Dolphin fixed the loaction leak.

Some good news

Dolphin is still an excellent mobile phone web browser once you stop it from phoning home and snooping on your whereabouts. The update added a few useful things too.

The new Dolphin has a download manager, a file manager, more accurate gestures, and it lets you switch off search suggestions.

The gesture improvement is very welcome. Because of the super customisable gestures and the way Dolphin handles tabs I still use Dolphin, but if a competing browser manages to match its gesture controls I may be tempted to ditch Dolphin.

Flash on Jelly Bean

Android officially stopped supporting Flash since Jelly Bean, and Dolphin on Jelly Bean won't run Flash anymore. Well, not officially, but there's a way to make it work on Jelly Bean anyway.

Restoring a Titanium backup of your Dolphin settings from an earlier Android version revives Flash on Dolphin, but only if you had Flash enabled or "on demand" when you made the backup. Of course you can use MyBackup or any of the other backup apps out there, as long as they're able to backup your app settings in addition to the app itself. Deleting Dolphins settings file in its system folder makes it run Flash too. Both methods require root access. Full details on the xda forum. Of course you need to sideload a copy of Flash too, but you can get it straight from Adobe.

Dolphin Browser (Google Play Store)
Flash in Dolphin on Jelly Bean (xda)
Adobe Flash installer


tweet this reddit digg this StumbleUpon digg this digg this

No comments:

Post a Comment