nsane.forums Posted October 28, 2011

The makers of a popular mobile browser called Dolphin HD confirmed that their software leaks the addresses of all Web sites a user visits, a potential privacy and security breach.

Tapping the designated corner in the Dolphin HD browser will let you control many browser functions with gestures.

MoboTap, a Pasadena, Calif.-based mobile developer, told CNET today that Dolphin HD for Android transmitted the Web addresses back to the company's servers but that they were not stored. The addresses were used to determine whether to format Web pages in "Webzine" format, MoboTap said.

The privacy and security implications arise when a user connects to a secure Web site (usually shown by "https://" and a closed lock icon). The second, surreptitious connection to MoboTap is unencrypted, allowing an eavesdropper on a Wi-Fi network to learn what's happening.

"In some cases, if you knew the URL you can take over the user's session," says Seth Schoen, staff technologist at the Electronic Frontier Foundation, which has advocated the adoption of encrypted Web browsing to thwart eavesdroppers.

Alan Cooper, a spokesman for MoboTap, downplayed the impact of the security snafu, saying that "we've never stored anyone's user data" and have no intention to do so.

In a blog post, MoboTap said that: "With roughly 300 Webzines supported at the moment, it was necessary for the client to check the current user URL against a database housing these 300 Webzine columns... In terms of security, on a scale from one to ten, this is a zero."

EFF's Schoen disagrees. "I wish browser vendors would think things like this through before implementing them," he said. "It seems like they could have foreseen the security implications of it."

Cooper said that "the issue has been 100 percent fixed already" in Android Market update 7.0.1. A post on a developer's forum, however, says 7.0.1 "still forwards URLs." Cooper said he would bring this to the attention of the developers for them to "double-check."

He added, in an e-mail message, that:

Dolphin didn't collect any device data in the API request, and doesn't know which clients are being used. The request was served only to crosscheck the URL against the availability of a corresponding Webzine.

Using https for this functionality (which will become an opt-in service with accompanying notification of URL pinging) is a great suggestion and we'll be working it into future versions.

Another privacy implication is that MoboTap was also notified what files you're using Dolphin HD to browse even on your computer. A post on AndroidPolice.com suggested one way to fix the problem would be to block connections to the MoboTap-operated Web site, en.mywebzines.com.

Dolphin is a popular gesture-based browser for iOS and Android devices (see CNET's coverage last month when the iPad version was released, a video review, and our "how-to" report on browsing with gestures). Dolphin HD received an average rating of 4.6 out of 5 in the Android Market.

Update 2:10 p.m. PT: Just got e-mail from MoboTap representative Alan Cooper: "It came to our attention that yesterday's hot fix did not fix the URL concern, and we've just published version 7.0.2, which fixes all URL issues. It's just been pushed to the Market, and all users should be seeing it rolled out as an update shortly."
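A defender can look for the behaviour the article describes in proxy logs: a cleartext request to a third party that carries the visited URL in a parameter. The sketch below is an added example, not part of the article or MoboTap's code; the log format, the `/check` path and the `url` parameter name are assumptions, the log lines are constructed, and only the host name en.mywebzines.com comes from the article.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample proxy log lines (not captured traffic). The /check path and
# the "url" parameter name are assumptions; only the host is from the article.
SAMPLE_LOG = """\
2011-10-28T10:00:01 10.0.0.7 GET http://en.mywebzines.com/check?url=https%3A%2F%2Fbank.example%2Faccount%3Fsid%3DABC123
2011-10-28T10:00:05 10.0.0.7 GET http://en.mywebzines.com/check?url=file%3A%2F%2F%2Fsdcard%2Fnotes.html
2011-10-28T10:00:09 10.0.0.7 GET http://news.example/story?id=42
2011-10-28T10:00:12 10.0.0.7 GET https://search.example/q?next=https%3A%2F%2Fshop.example%2F
2011-10-28T10:00:15 10.0.0.7 GET http://cdn.example/r?u=http%3A%2F%2Fnews.example%2Fstory
"""

SENSITIVE_SCHEMES = {"https", "file"}  # secure-site URLs and local file paths

def embedded_urls(request_url):
    """Yield (param, value) for query parameters whose decoded value is an absolute URL."""
    for name, value in parse_qsl(urlsplit(request_url).query):
        inner = urlsplit(value)
        if inner.scheme in {"http", "https", "file"} and (inner.netloc or inner.path):
            yield name, value

def find_url_leaks(log_text):
    """Return findings for cleartext requests that report another URL to a different host."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, _method, url = parts
        outer = urlsplit(url)
        if outer.scheme != "http":
            continue  # an encrypted request is not readable by a Wi-Fi eavesdropper
        for name, value in embedded_urls(url):
            inner = urlsplit(value)
            if inner.hostname == outer.hostname:
                continue  # same-site parameter, not a report to a third party
            findings.append({
                "time": ts, "client": client, "receiver": outer.hostname,
                "param": name, "leaked": value,
                "high": inner.scheme in SENSITIVE_SCHEMES,  # https or local file
                "has_query": bool(inner.query),  # may carry a session identifier
            })
    return findings

if __name__ == "__main__":
    for finding in find_url_leaks(SAMPLE_LOG):
        print(finding)
```

Findings marked `high` with `has_query` set are the ones closest to the session-takeover concern Schoen raises, since the leaked URL itself may contain a session identifier.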
crack1up Posted October 29, 2011

That running background service they make you agree to just to run the browser could never be a good thing. The reason I chose not to use it. Otherwise, the browser looked very nice.
RadioActive Posted October 29, 2011

I only use the stock browser, I see no need for a custom browser on my Android, since it's a phone not a tablet so I don't spend that much time surfing on it.
Gabben Posted October 29, 2011

Never used this bloatware crap. Sometimes I use Opera Mobile but other than that the stock browser was perfect for me.
fred flintstone Posted October 30, 2011

It's a great risk anyway, all that crap! We still don't know if and when viruses attack the Android platform. I use AVG Pro but I don't know if it has the same security level as my trusted NIS 2012 on Win7! :s
This topic is now archived and is closed to further replies.