LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction.

Key Finding:
Across all tested scenarios—including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls—no automatic entries were ever written to the browser’s internal allow_popup_sites table.

Only user-initiated permissions created database artifacts.
All bypass or non-gesture events produced zero trace evidence.

This behaviour has major implications for legal investigations, digital harassment cases, and WebView forensics.


Background & Importance

During several real-world investigations, analysts and legal teams have relied on the presence (or absence) of popup permission entries as evidence of a user’s actions or browser behaviour.

However, Chromium/WebView engines between 2018 and 2020 had known popup-related gesture bypasses, inconsistent iframe behaviour, and exploitable redirect heuristics.

This case study sought to answer a critical forensic question:

Can popups be triggered in Aloha Browser without leaving any evidence inside the browser’s SQLite database?

The results were definitive: yes.


Test Environment

All testing was performed under strict, isolated conditions to ensure forensic integrity.

Devices

  • Samsung Galaxy S8

    • Android 9 (Pie)

    • ARM64

  • (S9 results coming next)

Browser

  • Aloha Browser early 2020 build

    • Approximately v2.9.x

    • Chromium/WebView engine ~80

    • Full bundle installed (base + native libraries)

Isolation & Controls

  • WiFi disabled

  • All outbound traffic blocked

  • Local content loaded only over 127.0.0.1 using adb reverse

  • No internet or external domains reachable

  • Host NIC traffic monitored continuously (no packets observed)

Tools

  • ADB (file extraction, DB pulls)

  • SQLite3 CLI viewer

  • Local HTTP server

  • SHA256 hashing utility

  • Screen recording / logs

Wireshark captured no traffic—as expected—because all test traffic remained inside the Android device and never traversed a physical or virtual host adapter.


Test Scenarios

Each scenario was repeated three times with a clean baseline snapshot for every run.

  1. Baseline control

    • User manually allows popups → expected DB entry

  2. Redirect chain

    • Multi-step 3xx → window.open()

  3. Nested iframes

    • Child iframe attempts to trigger a popup

  4. Programmatic popups

    • Timers, onload triggers, JS-driven calls

  5. Prefetch / background fetch

  6. Restore / import test

    • Attempt to import previously exported DB data

    • (Aloha 2.x does not support import in a meaningful way)

For every run:

  • Pre-test DB pulled + hashed

  • Test executed

  • Post-test DB pulled + hashed

  • SHA256 digests compared

  • DB inspected for new entries
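
The per-run comparison above, sketched in Python as an added example (not LTH's tooling): it hashes the pre-test and post-test pulls and diffs the rows of allow_popup_sites, because a changed digest alone does not say which table changed. The host column, the other_state table and the sample databases are constructed for illustration; the write-up does not give the real schema.

```python
import contextlib
import hashlib
import pathlib
import sqlite3
import tempfile

TABLE = "allow_popup_sites"  # name from the write-up; the schema below is assumed
SCHEMA = (f"CREATE TABLE {TABLE} (host TEXT PRIMARY KEY);"
          "CREATE TABLE other_state (k TEXT, v TEXT);")  # hypothetical unrelated table


def sha256_file(path):
    """SHA256 hex digest of a pulled database file."""
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()


def table_rows(path, table=TABLE):
    """All rows of `table`, read through a read-only connection."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    with contextlib.closing(sqlite3.connect(uri, uri=True)) as con:
        return set(con.execute(f'SELECT * FROM "{table}"'))


def compare_snapshots(pre, post, table=TABLE):
    """Compare pre-test and post-test pulls by file digest and by table rows."""
    pre_hash, post_hash = sha256_file(pre), sha256_file(post)
    pre_rows, post_rows = table_rows(pre, table), table_rows(post, table)
    return {
        "sha256": (pre_hash, post_hash),
        "file_changed": pre_hash != post_hash,
        "added": sorted(post_rows - pre_rows, key=repr),
        "removed": sorted(pre_rows - post_rows, key=repr),
    }


def make_snapshot(path, inserts=""):
    """Write a constructed sample database (not real Aloha data)."""
    with contextlib.closing(sqlite3.connect(path)) as con:
        con.executescript(SCHEMA + inserts)


def demo():
    d = pathlib.Path(tempfile.mkdtemp())
    pre, bypass, allow = d / "pre.db", d / "bypass.db", d / "allow.db"
    make_snapshot(pre)  # clean baseline
    # Run where only unrelated browser state was written:
    make_snapshot(bypass, "INSERT INTO other_state VALUES ('last_url', 'http://127.0.0.1/');")
    # Run where the user manually allowed popups:
    make_snapshot(allow, f"INSERT INTO {TABLE} VALUES ('127.0.0.1');")
    return compare_snapshots(pre, bypass), compare_snapshots(pre, allow)
```

If the application's database uses write-ahead logging, pull the -wal and -shm files together with the main file, since recent writes may not yet be in the main file.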


Results Overview

Scenario 1: Baseline

User manually allowed popups →
1 new entry added to allow_popup_sites (as expected).

Scenario 2: Redirect Chains

In all three runs:

  • Popups triggered successfully

  • No DB entries created

Scenario 3: Nested Iframes

  • Popups never triggered

  • DB unchanged in all runs

  • Matches known WebView limitations from Chromium 70–80

Scenario 4: Programmatic Triggers

  • Timers and JS events fired

  • Popups opened

  • No permission entries created

Scenario 5: Prefetch / Background Fetch

  • No user gesture → no UI event

  • No DB changes

Scenario 6: Restore / Import

  • Aloha 2.x does not support importing data in a way that affects popup artifacts

  • Re-importing the DB produced no behavioural change

  • Zero entries added


🔍 Core Forensic Conclusion

Bypass popups do not trigger Aloha Browser’s permission pipeline.
And because the permission pipeline is the only mechanism that writes to allow_popup_sites, the SQLite database shows no evidence whatsoever, even though visible popups occurred.

This means the absence of database entries:

  • cannot be used to prove popups did not occur

  • cannot be used to infer user action or consent

This is a significant forensic limitation.


Why This Matters for Legal & Investigative Work

This finding is crucial for:

✔ Digital harassment cases

An attacker could trigger popups without leaving trace artifacts, meaning the victim’s browser logs won’t show anything.

✔ Criminal defence & digital evidence challenges

A missing DB entry does not imply the user did not experience unwanted popup activity.

✔ Mobile forensics & expert testimony

This test demonstrates a reproducible blind spot in Aloha’s 2020 WebView behaviour.

✔ Corporate security & fraud investigations

Popup-driven phishing or malvertising could occur without forensic persistence.


Technical Quote for Reports

“In Aloha Browser v2.x (WebView ~80), popup events triggered without user gesture do not invoke the permission callback responsible for writing to the ‘allow_popup_sites’ SQLite table. As a result, non-interactive popup behaviour leaves zero database artifacts and cannot be reconstructed from the browser’s internal state.”


Artifacts & Integrity

All collected artifacts were hashed using SHA256:

  • Baseline DB files

  • All pre/post lab DB extractions

  • Video recordings

  • Final zipped deliverable

  • Manifest documenting each file’s hash

These are available in the final deliverable package.


About LTH Cybersecurity

LTH Cybersecurity specializes in:

  • Mobile application forensics

  • Browser behaviour analysis

  • Digital investigations

  • Vulnerability research

  • Isolated testbed construction

  • Reproducible forensic methodologies

If your organization requires high-integrity, legally defensible mobile browser analysis or expert testimony, LTH can help.