Yesterday we posted findings from one intrepid XDA-Developers member who claimed that the popular alternative browser Dolphin Browser HD was sending private user information, including URLs, clicks and searches, to a remote server. The developer has responded with an explanation of the more technical aspects of their Webzine feature, and according to a representative that contacted us today, the part of the browser that raised alarms has been temporarily disabled. The developer claims that there was absolutely no breach in user privacy or data security.
UPDATE: Dolphin Browser’s PR representative has contacted us again to let us know that users should update to the latest version of Dolphin Browser, 7.0.2, to disable the security issues. Version 7.0.1 has not been modified.
Dana Zemack of Dolphin’s PR department assured us in an email, “We wanted to let you know that the Dolphin issue has been 100% fixed. It’s also extremely important to note that Dolphin has never tracked user browsing history, and there has been absolutely no breach in user privacy or user security.” In a blog post this morning (which was also posted as a response to the original XDA thread), Dolphin explained that the Webzines feature checks a user’s current site against a list of 300+ RSS-based “Webzines”, custom-formatted versions of popular websites, including Android Community. According to the developer, the information sent was merely a check for availability, and users’ private information was never stored on their server.
In terms of security, on a scale from one to ten, this is a zero. Dolphin does not store browsing history nor user personal information and we have never done so in the past.
The Webzines feature has been disabled in response to the XDA findings, but an upcoming Dolphin update will allow users to opt-in to the service, which will be disabled by default. The developer does not mention whether or not URLs and other browsing data will continue to be sent, regardless of whether or not the site in question has been made into a Webzine. Some security sticklers are likely to be unimpressed, since part of the original issue is that the data was sent in plain text, but the developer is urging users to send in questions or suggestions to their support email, firstname.lastname@example.org.