Dolphin HD has long been our favorite third-party Web browser for Android. Its excellent tabbed user interface, add-on system, and gesture support have made it a popular choice among Android enthusiasts. But recent versions of the browser have introduced a startling privacy flaw.

Discussions in the XDA forums and a report published on the Android Police blog yesterday revealed that every URL loaded in Dolphin HD is relayed as plain text to a remote server. The article includes screenshots from a packet sniffer that clearly demonstrate the issue—it’s an unambiguous breach of privacy.

In response to the resulting controversy, the company behind Dolphin issued a statement explaining the situation. Recent versions of Dolphin introduced a feature called Webzine that offers a specialized presentation of websites. When a user visits a website, the URL is relayed to Dolphin’s servers, which determine whether the Webzine view is supported for the specified destination. The company contends that the data is not collected or retained. It subsequently issued an update to disable the feature and said that it will be made opt-in in future versions.

As a frequent user of Dolphin HD, I was disappointed by this privacy blunder. In addition to failing to inform users of this dubious practice up front, Dolphin’s developers also made poor implementation decisions that exacerbated the privacy risk. It’s fortunate that the Android enthusiast community detected this behavior.