[PRIVACY] WARNING: Dolphin’s collection of your browsing history
If it weren’t for things like this, I’d still be a fan of Dolphin Browser.
Ever since the ‘webzine’ ‘feature’ came out (in version 6), this app forwards the URL of:
- Every link you click.
- Every search you enter.
- Every page you load.
To: http://en.mywebzines.com/v3/columns?u=(URLencodedURL)&t=(TIMESTAMP
This includes:
- SSL URLs.
- QUERY_STRINGS.
- IP addresses on private networks and file:// urls.
In addition, when I mentioned this on http://blog.dolphin-browser.com, the comment awaited moderation for two days before being deleted. I’ve yet to receive an email.
Proof as following:
Code:
[root@phone]~# ngrep -P '!' -lq -R -W single -M '(^GET|^POST|^Host:|^[^ ]ookie:)' "tcp port 80"
interface: eth0 (10.23.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 80 )
match: (^GET|^POST|^Host:|^[^ ]ookie:)
T 10.23.1.220:60126 -> 107.20.41.53:80 [AP] GET /v3/columns?u=http%3A%2F%2F10.23.1.254%2F&t=1319574537635 HTTP/1.1!!Authorization: cd7f573ec9e6e865a28aaab7a1793796!!Accept-Encoding: gzip!!Host: en.mywebzines.com!!Connection: Keep-Alive!!!!
(less spammy proof)
[G] www.google.com:80/search?q=wut
[G] en.mywebzines.com:80/v3/columns?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwut&t=1319574984926
[G] en.mywebzines.com:80/v3/columns?u=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dwhat%2Bis%2Bthis%2Bi%2Bdont%2Beven&t=1319575011872
[G] en.mywebzines.com:80/v3/columns?u=file%3A%2F%2Fsdcard%2Fdata%2Fhome.html&t=1319575109160
Stick this in your /system/etc/hosts to make the Orwellian nightmare stop. This will break webzine ‘functionality’, and is only possible on rooted phones:
Code:
127.0.0.1 en.mywebzines.com mywebzines.com
Alternatively, here is how to remove this via APKTool:
Code:
* apktool d mobi.mgeek.TunnyBrowser-1.apk
* apply the this patch to smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali
#####
— orig-7.0/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:41:43.000000000 +0000
+++ mobi.mgeek.TunnyBrowser-7/smali/mobi/mgeek/TunnyBrowser/WebViewCallbackHandler.smali 2011-10-22 11:40:18.000000000 +0000
@@ -2189,7 +2189,7 @@
.line 576
:cond_2
– invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V
+# invoke-direct {p0, p1, v0}, Lmobi/mgeek/TunnyBrowser/WebViewCallbackHandler;->a(Lcom/dolphin/browser/core/IWebView;Ljava/lang/String;)V
goto :goto_0
.end method
#####
I would attach an .apk of dolphin cleansed of it’s spyware AIDS, however I’m not sure if the mods would like that.
update:
Modified APKs posted http://forum.xda-developers.com/showpost.php?p=18799432&postcount=61
update: Fiasco appears on http://www.androidpolice.com/2011/10/27/privacy-advisory-dolphin-hd-sends-url-of-every-page-you-visit-to-a-remote-server-in-plain-text/
update: Dolphin writes blog post claiming data is not retained, and that ‘feature’ is disabled. Latest market version. (7.0.1/id105) appears, still forwards urls
update: Version 7.0.2 (id 106) no longer forwards urls.
Last edited by Fnorder; 29th October 2011 at 02:03 AM.
From: http://forum.xda-developers.com/showthread.php?t=1319529