Oct 29, 2011

Major Privacy Flaws found in Dolphin Browser for iOS and Android

The post below borrows heavily from a similar article posted on dotTech.org, which was in turn a more up-to-date post based on a report from Ars Technica. Both sources have received credit for the works below, and Technically Motivated makes no claim of ownership for non-original content.

Dolphin is an extremely popular third-party browser that is much loved by many users of modern smartphones. Available in many forms – Dolphin Browser HD and Dolphin Browser Mini on Android, and Dolphin Browser on iOS – the browser is generally considered to be sleek and feature-filled, and it constantly receives updates. However, one feature recently introduced to the browser has caused much controversy.
MoboTap, the developer of Dolphin, was recently discovered to have introduced a major breach of privacy with its Webzine feature.

Webzine is an attempt by MoboTap to make web browsing on mobile devices more pleasant. What happens is MoboTap teams up with websites to configure them to be Webzine-compatible. (Actually I am not sure if MoboTap teams up with websites or if websites do it themselves; the point is websites are made to be Webzine-compatible, one way or another.) Then, when a user visits a Webzine-compatible website in Dolphin, the mobile-friendly Webzine version is shown. That doesn’t sound too bad, does it? The privacy issue is not with Webzine itself but rather with how Dolphin identifies Webzine-compatible websites.

Reports – thanks to the ever-vigilant people at XDA-Developers – have emerged that on Dolphin Browser HD [Android] and Dolphin Browser [iOS] every website users visit is being sent – in plain text – to Webzine’s server to check whether the website is Webzine-compatible. (If the website is, the Webzine version is shown; if it isn’t, the normal version is shown.) In other words, any URL you visit – be that HTTP or HTTPS – is being sent to MoboTap’s server to be checked for Webzine compatibility. (These reports are mainly around Dolphin Browser HD [Android] but there has been some confirmation that Dolphin Browser [iOS] also behaves like this; Dolphin Browser Mini [Android] seems to be unaffected.)

Now, in their defense, MoboTap has come out and clarified that Webzine does not store any user data; URLs are transmitted to the Webzine server only to check for Webzine-compatible websites, nothing more, nothing less. However, even if what MoboTap says is true, stealthily introducing such functionality is a major breach of user trust and a huge privacy issue. Many people have mentioned there are better ways to check for Webzine-compatible websites (such as storing hashes of compatible URLs locally and doing local checks instead of sending URLs to Webzine’s server); but even if MoboTap wants to continue this method of checking Webzine compatibility, they need to be crystal clear on what is happening and they need to give users a way to opt out. To its credit, MoboTap claims they ARE working on an opt-out feature, and the company has also quickly updated Dolphin Browser HD on Android to temporarily disable Webzine for the present time. (v7.0.2 is the version with Webzine disabled; update if you use Dolphin Browser HD but don’t have v7.0.2.)
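The local-check alternative mentioned above (hashes of compatible sites stored on the device) could look like the following Python sketch. It is an added example, not MoboTap's code; the function names, the sample list and the choice to match at hostname level (including parent domains) are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

def host_key(url):
    """Normalized hostname of an http(s) URL, or None. Path, query and
    fragment are discarded, so they can never take part in the lookup."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
        if parts.scheme not in ("http", "https") or not host:
            return None
        return host.encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return None

def digest(host):
    return hashlib.sha256(host.encode("ascii")).digest()

def build_list(hosts):
    """What the vendor would ship to every device (same file for all users)."""
    return frozenset(digest(host_key("http://" + h)) for h in hosts)

def candidates(host):
    """The host and its parent domains, stopping before the bare TLD."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]

def is_compatible(url, hashed_list):
    """Decide locally; no network request is made for the check."""
    host = host_key(url)
    if host is None:
        return False
    return any(digest(c) in hashed_list for c in candidates(host))

# Constructed sample list; real entries would come from the vendor.
COMPATIBLE = build_list(["news.example", "blog.example"])

if __name__ == "__main__":
    for u in ["http://news.example/story?id=1",
              "https://bank.example/login?token=abc"]:
        print(u, "->", is_compatible(u, COMPATIBLE))
```

The hashes keep the shipped list compact but are not a secrecy measure, since hostnames are guessable; the privacy gain comes from the lookup never leaving the device.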

Since there wasn’t as much noise about Dolphin Browser on iOS behaving like this, it appears Dolphin Browser on iOS has not yet been updated to disable this behavior. (Someone correct me if I am wrong.) However, if I were a Dolphin user – which I am not and now never will be – my confidence in MoboTap would now be eroded thanks to this incident. What’s to keep them from doing something similar – or worse – in the future?
