Dolphin Browser Sends All of Your URLs to Remote Server
Apparantly, the über popular web browser Dolphin Browser has been sending all of the URLs you've ever visited to a remote server in China. The browser even sends URLs of webpages that are supposed to be secured, like those starting with https. While the browser doesn't send the actual content, just the URLs, we still consider this a fairly massive breach in security.
This creepy detail was first spotted by Artem Russakovski over at Android Police. It's safe to say the tracking started around this past June. Using a "packet sniffer," Russakovksi was able to find every URL he'd visited all in plain text. So far as we know, there is nary a mention of third-party URL eavesdropping in the official privacy notice when installing the Dolphin Browser, so the company may be in murky waters, legally.
Android Police has contacted Dolphin Browser and received the following explanation:
...With Dolphin HD for Android 7.0, we rolled out a handful of updates to our Webzine feature. One of these is a "Toggle Webzine" button to view your current webpage as a Webzine. We currently have around 300 Webzines, and it was necessary for the client to check the current user URL against a database housing these 300 Webzine columns, which is what has caused this concern. None of the URLs have ever been stored by Dolphin, but were being used to cross-index if a Webzine for the current site exists. If it does, the current site is immediately converted to Webzine format; if not, it remains the standard mobile site. Again, none of this process is stored on the backend of our servers.
If you are rooted, you can block en.mywebzines.com permanently on your device by adding "127.0.0.1 en.mywebzines.com" into /etc/hosts.