The Dolphin web browser for Android was found to be harvesting user data and sending the information to its server at en.mywebzines.com. The reason for this was because of the new webzine reading mode feature that's part of the Dolphin browser. It is used to format pages on supported websites better for reading on mobile devices. Users who browsed the web from their Android devices using Dolphin were also automatically connected to a company called MoboTap, which determined how to format the pages. Dolphin admits it inadvertently exposed users' Web traffic history which prompts questions on Android developers' security policies in an increasingly insecure environment.
The information sent from the Dolphin browser included all the pages the user went to, even secure pages (HTTPS). Another interesting note is that the data transferred to en.mywebzines.com, which is owned by the Dolphin developers, was sent unencrypted and in plain text. And the links sent from Dolphin to MoboTap were unsecured, meaning hackers could access unsuspecting users' browsing history pretty easily. "In some cases, if you knew the URL, you can take over the user's session," says Seth Schoen, staff technologist at the Electronic Frontier Foundation. Even though only the URLs of sites visited were sent and not the data on the sites, it still means that thousands of Dolphin browser users had their privacy violated without them even knowing.
Alan Cooper from MoboTap's says they "never stored anyone's user data," and "We've just published version 7.0.2, which fixes all URL issues." This URL harvester started with version 6.0 of the browser, so previous versions will not have it and Dolphin developers have since removed the offending code.
This latest Android security issue raises questions about developers' readiness for the increasing frequency of Android privacy breaches. Android based programs especially are in need of protection, given the platform's growing number of viruses.
