[iOS, Android] Dolphin browser found to have major privacy flaw, demonstrates why you should stick to stock browserOctober 29, 2011 15 Email article | Print article
Dolphin – available as Dolphin Browser HD and Dolphin Browser Mini on Android and Dolphin Browser on iOS – is an extremely popular third party browser much loved by many users. The developer of Dolphin, however, decided to abuse that love by introducing a major breach of privacy with their Webzine feature.
Webzine is an attempt by MoboTap – the developer of Dolphin browsers – to make web browsing on mobile devices more pleasant. What happens is MoboTap teams up with websites to configure them to be Webzine compatible. (Actually I am not sure if MotoTap teams up with websites or if websites do it themselves; the point is websites are made to be Webzine compatible, one way or another.) Then when a user visits a Webzine compatible website in Dolphin, the mobile-friendly Webzine version is shown. That doesn’t sound too bad does it? The privacy issue is not with Webzine itself but rather how Dolphin identifies Webzine compatible websites.
Reports – thanks to the ever-vigilant people at XDA-Developers – have emerged that on Dolphin Browser HD [Android] and Dolphin Browser [iOS] every website users visit is being sent – in plain text – to Webzine’s server to check to see if the website is Webzine compatible. (If the website is, the Webzine version is shown; if it isn’t, the normal version is shown.) In other words, any URL you visit – may that be HTTP or HTTPS – is being sent to MoboTap’s server to be checked for Webzine compatibility. (These reports are mainly around Dolphin Browser HD [Android] but there has been some confirmation that Dolphin Browser [iOS] also behaves like this; Dolphin Browser Mini [Android] seems to be unaffected,)
Now, in their defense, MoboTap has come out and clarified Webzine does not store any user data; URLs are transmitted to Webzine server only to make a check for Webzine compatible websites, nothing more nothing less. However, even if what MoboTap says is true, stealthily introducing such functionality is a major breach of user trust and a huge privacy issue. Many people have mentioned there are better ways to check for Webzine compatible websites (such as storing hashes locally of compatible URL and doing local checks instead of sending URLs to Webzine’s server); but even if MoboTap wants to continue this method of checking of Webzine compatibility, they need to be crystal clear on what is happening and they need to give users a way to opt out. Call me paranoid, but incidents like these are the exact reason why I stick to the stock browser on my mobile device, with Opera as my backup (because I trust Opera).
For what it is worth, MoboTap has quickly updated Dolphin Browser HD on Android to temporarily disable Webzine until they add an opt-out feature. (v7.0.2 is the version with Webzine disabled — update if you use Dolphin Browser HD but don’t have v7.0.2.) Since there wasn’t as much noise about Dolphin Browser on iOS behaving like this, it appears Dolphin Browser on iOS has not yet been updated to disable this behavior. (Someone correct me if I am wrong.) However, if I were a Dolphin user – which I am not and now never will be – my confidence in MoboTap would now be eroded thanks to this incident. What’s to keep them from doing something similar – or worse – in the future?