December 1, 2011
 

[PRIVACY] WARNING: Dolphin’s collection of your browsing history

If it weren’t for things like this, I’d still be a fan of Dolphin Browser.

Ever since the ‘webzine’ ‘feature’ came out (in version 6), this app forwards the URL of:

  • Every link you click.
  • Every search you enter.
  • Every page you load.

To: http://en.mywebzines.com/v3/columns?u=(URLencodedURL)&t=(TIMESTAMP)

This includes:

  • SSL URLs.
  • QUERY_STRINGS.
  • IP addresses on private networks and file:// urls.

In addition, when I mentioned this on http://blog.dolphin-browser.com, the comment awaited moderation for two days before being deleted. I’ve yet to receive an email.

Proof as follows:

Code:
[[email protected]]~# ngrep -P '!' -lq -R -W single -M '(^GET|^POST|^Host:|^[^ ]ookie:)' "tcp port 80"
interface: eth0 (10.23.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 80 )
match: (^GET|^POST|^Host:|^[^ ]ookie:)

T 10.23.1.220:60126 -> 107.20.41.53:80 [AP] GET /v3/columns?u=http%3A%2F%2F10.23.1.254%2F&t=1319574537635 HTTP/1.1!!Authorization: cd7f573ec9e6e865a28aaab7a1793796!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!

(less spammy proof)
[G] www.google.com:80/search?q=wut
[G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319574984926
[G] en.mywebzines.com:80/v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwhat%2Bis%2Bthis%2Bi%2Bdont%2Beven&t=1319575011872
[G] en.mywebzines.com:80/v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160

Stick this in your /system/etc/hosts to make the Orwellian nightmare stop. This will break webzine ‘functionality’, and is only possible on rooted phones:
Code:

127.0.0.1 en.mywebzines.com mywebzines.com

Alternatively, here is how to remove this via APKTool:
Code:
* apktool d mobi.mgeek.TunnyBrowser-1.apk
* apply this patch to smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali

#####
— orig-7.0/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:41:43.000000000 +0000
+++ mobi.mgeek.TunnyBrowser-7/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:40:18.000000000 +0000
@@ -2189,7 +2189,7 @@

.line 576
:cond_2
– invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V
+# invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V

goto :goto_0
.end method
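
Review bot: commenting out the `invoke-direct` at `:cond_2` (`.line 576`) disables every effect of `WebViewCallbackHandler;->a(IWebView, String)`, and the hunk does not show what that obfuscated method does, so confirm from the method body that nothing else depends on the call and re-run the packet capture against the rebuilt APK to confirm the `/v3/columns` requests have stopped. The single-letter method name and the `@@ -2189,7 +2189,7 @@` offset are specific to this build, so on another version locate the call by its `:cond_2` / `goto :goto_0` context rather than by line number. As pasted, the old-file header and the removed line start with typographic dashes rather than ASCII `---` and `-`, which have to be restored before `patch` will accept the text.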
#####

I would attach an .apk of dolphin cleansed of its spyware AIDS, however I’m not sure if the mods would like that.

update:
Modified APKs posted http://forum.xda-developers.com/showpost.php?p=18799432&postcount=61

update: Fiasco appears on http://www.androidpolice.com/2011/10/27/privacy-advisory-dolphin-hd-sends-url-of-every-page-you-visit-to-a-remote-server-in-plain-text/

update: Dolphin writes blog post claiming data is not retained, and that ‘feature’ is disabled. Latest market version (7.0.1/id105) appears, still forwards URLs.

update: Version 7.0.2 (id 106) no longer forwards urls.

Last edited by Fnorder; 29th October 2011 at 02:03 AM.
From: http://forum.xda-developers.com/showthread.php?t=1319529
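
For anyone checking their own proxy or capture logs for the behaviour described in the post, here is an added example (not part of the original post) that finds requests to the `/v3/columns` endpoint, decodes the `u=` parameter and flags which of the categories listed above each forwarded URL falls into. The function names `find_leaks` and `classify` are hypothetical, and the sample lines are constructed in the `[G] host:port/path` form shown in the post.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the "[G] host:port/path" form used in the post.
SAMPLE_LOG = """\
[G] www.google.com:80/search?q=wut
[G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319574984926
[G] en.mywebzines.com:80/v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwhat%2Bis%2Bthis&t=1319575011872
[G] en.mywebzines.com:80/v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160
[G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2F10.23.1.254%2F&t=1319574537635
"""

COLLECTOR_HOST = "en.mywebzines.com"
COLLECTOR_PATH = "/v3/columns"

def classify(url):
    """Return the sorted list of sensitive properties of one forwarded URL."""
    parts = urlsplit(url)
    tags = set()
    if parts.scheme == "https":
        tags.add("ssl-url")
    if parts.scheme == "file":
        tags.add("local-file")
    if parts.query:
        tags.add("query-string")
    try:
        if parts.hostname and ipaddress.ip_address(parts.hostname).is_private:
            tags.add("private-ip")
    except ValueError:
        pass  # hostname is a DNS name, not an IP literal
    return sorted(tags)

def find_leaks(log_text):
    """Return (timestamp_ms, forwarded_url, tags) for each collector request."""
    leaks = []
    for line in log_text.splitlines():
        req = urlsplit("http://" + line.partition("] ")[2])
        params = parse_qs(req.query)
        if (req.hostname, req.path) != (COLLECTOR_HOST, COLLECTOR_PATH) or "u" not in params:
            continue
        url = params["u"][0]
        leaks.append((int(params.get("t", ["0"])[0]), url, classify(url)))
    return leaks

if __name__ == "__main__":
    for ts, url, tags in find_leaks(SAMPLE_LOG):
        print(ts, url, ",".join(tags) or "-")
```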
