Dolphin HD browser snared in security breach
Popular Android browser transmitted addresses of all Web sites visited to its creator, MoboTap. A new version supposedly fixes the issue.
The makers of a popular mobile browser called Dolphin HD confirmed that their software leaks the addresses of all Web sites a user visits, a potential privacy and security breach.
MoboTap, a Pasadena, Calif.-based mobile developer, told CNET today that Dolphin HD for Android transmitted the Web addresses back to the company's servers but that they were not stored. The addresses were used to determine whether to format Web pages in "Webzine" format, MoboTap said.
The privacy and security implications arise when a user connects to a secure Web site (usually shown by "https://" and a closed lock icon). The second, surreptitious connection to MoboTap is unencrypted, allowing an eavesdropper on a Wi-Fi network to learn what's happening.
"In some cases, if you knew the URL, you can take over the user's session," says Seth Schoen, staff technologist at the Electronic Frontier Foundation, which has advocated the adoption of encrypted Web browsing to thwart eavesdroppers.
Alan Cooper, a spokesman for MoboTap, downplayed the impact of the security snafu, saying that "we've never stored anyone's user data" and have no intention to do so.
In a blog post, MoboTap said that: "With roughly 300 Webzines supported at the moment, it was necessary for the client to check the current user URL against a database housing these 300 Webzine columns...In terms of security, on a scale from one to ten, this is a zero."
EFF's Schoen disagrees. "I wish browser vendors would think things like this through before implementing them," he said. "It seems like they could have foreseen the security implications of it."
Cooper said that "the issue has been 100 percent fixed already" in Android Market update 7.0.1. A post on a developer's forum, however, says 7.0.1 "still forwards URLs." Cooper said he would bring this to the attention of the developers for them to "double-check."
He added, in an e-mail message, that:
Dolphin didn't collect any device data in the API request, and doesn't know which clients are being used. The request was served only to crosscheck the URL against the availability of a corresponding Webzine.
Using https for this functionality (which will become an opt-in service with accompanying notification of URL pinging) is a great suggestion and we'll be working it into future versions.
Another privacy implication is that MoboTap was also notified which files you're using Dolphin HD to browse even on your computer. A post on AndroidPolice.com suggested one way to fix the problem would be to block connections to the MoboTap-operated Web site, en.mywebzines.com.
Dolphin is a popular gesture-based browser for iOS and Android devices (see CNET's coverage last month when the iPad version was released, a video review, and our "how-to" report on browsing with gestures). Dolphin HD received an average rating of 4.6 out of 5 in the Android Market.
Update 2:10 p.m. PT: Just got e-mail from MoboTap representative Alan Cooper: "It came to our attention that yesterday's hot fix did not fix the URL concern, and we've just published version 7.0.2, which fixes all URL issues. It's just been pushed to the Market, and all users should be seeing it rolled out as an update shortly."
Update October 29 4 p.m. PT: Lauren Weinstein of People For Internet Responsibility, which has been tracking this issue, points out that the Dolphin HD update notice in Android Market doesn't mention what was actually changed in version 7.0.2. "Even giving them the benefit of the doubt, it's unfortunate to see an otherwise promising application called into question through what appears to be cluelessness by the authors regarding basic privacy practices and related disclosures," Weinstein says.