{"id":104,"date":"2025-11-22T21:22:18","date_gmt":"2025-11-22T21:22:18","guid":{"rendered":"https:\/\/lthcybersecurity.com\/blog\/?p=104"},"modified":"2025-11-22T21:22:18","modified_gmt":"2025-11-22T21:22:18","slug":"case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build","status":"publish","type":"post","link":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/","title":{"rendered":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)"},"content":{"rendered":"<p data-start=\"435\" data-end=\"685\">LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered <strong data-start=\"649\" data-end=\"684\">without direct user interaction<\/strong>.<\/p>\n<p data-start=\"687\" data-end=\"932\"><strong data-start=\"687\" data-end=\"703\">Key Finding:<\/strong><br data-start=\"703\" data-end=\"706\" \/>Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014<strong data-start=\"835\" data-end=\"877\">no automatic entries were ever written<\/strong> to the browser\u2019s internal <code data-start=\"904\" data-end=\"923\">allow_popup_sites<\/code> table.<\/p>\n<p data-start=\"934\" data-end=\"1066\">Only <strong data-start=\"939\" data-end=\"969\">user-initiated permissions<\/strong> created database artifacts.<br data-start=\"997\" data-end=\"1000\" \/>All bypass or non-gesture events produced <strong data-start=\"1042\" data-end=\"1065\">zero trace evidence<\/strong>.<\/p>\n<p data-start=\"1068\" data-end=\"1180\">This behaviour has major implications for legal investigations, digital harassment cases, and WebView forensics.<\/p>\n<hr data-start=\"1182\" data-end=\"1185\" \/>\n<h2 data-start=\"1187\" data-end=\"1217\"><strong data-start=\"1190\" data-end=\"1217\">Background &amp; Importance<\/strong><\/h2>\n<p data-start=\"1218\" data-end=\"1409\">During several real-world investigations, analysts and legal teams have relied on the presence (or absence) of popup permission entries as evidence of a user\u2019s actions or browser behaviour.<\/p>\n<p data-start=\"1411\" data-end=\"1572\">However, Chromium\/WebView engines between 2018\u20132020 had known popup-related gesture bypasses, inconsistent iframe behaviour, and exploitable redirect heuristics.<\/p>\n<p data-start=\"1574\" data-end=\"1636\">This case study sought to answer a critical forensic question:<\/p>\n<blockquote data-start=\"1638\" data-end=\"1751\">\n<p data-start=\"1640\" data-end=\"1751\"><strong data-start=\"1640\" data-end=\"1751\">Can popups be triggered in Aloha Browser without leaving any evidence inside the browser\u2019s SQLite database?<\/strong><\/p>\n<\/blockquote>\n<p data-start=\"1753\" data-end=\"1790\">The results were definitive: <strong data-start=\"1782\" data-end=\"1789\">yes<\/strong>.<\/p>\n<hr data-start=\"1792\" data-end=\"1795\" \/>\n<h2 data-start=\"1797\" data-end=\"1820\"><strong data-start=\"1800\" data-end=\"1820\">Test Environment<\/strong><\/h2>\n<p data-start=\"1821\" data-end=\"1910\">All testing was performed under strict, isolated conditions to ensure forensic integrity.<\/p>\n<h3 data-start=\"1912\" data-end=\"1927\"><strong data-start=\"1916\" data-end=\"1927\">Devices<\/strong><\/h3>\n<ul data-start=\"1928\" data-end=\"2016\">\n<li data-start=\"1928\" data-end=\"1987\">\n<p data-start=\"1930\" data-end=\"1953\"><strong data-start=\"1930\" data-end=\"1951\">Samsung Galaxy S8<\/strong><\/p>\n<ul data-start=\"1956\" data-end=\"1987\">\n<li data-start=\"1956\" data-end=\"1975\">\n<p data-start=\"1958\" data-end=\"1975\">Android 9 (Pie)<\/p>\n<\/li>\n<li data-start=\"1978\" data-end=\"1987\">\n<p data-start=\"1980\" data-end=\"1987\">ARM64<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"1988\" data-end=\"2016\">\n<p data-start=\"1990\" data-end=\"2016\"><em data-start=\"1990\" data-end=\"2016\">(S9 results coming next)<\/em><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"2018\" data-end=\"2033\"><strong data-start=\"2022\" data-end=\"2033\">Browser<\/strong><\/h3>\n<ul data-start=\"2034\" data-end=\"2185\">\n<li data-start=\"2034\" data-end=\"2185\">\n<p data-start=\"2036\" data-end=\"2072\"><strong data-start=\"2036\" data-end=\"2070\">Aloha Browser early 2020 build<\/strong><\/p>\n<ul data-start=\"2075\" data-end=\"2185\">\n<li data-start=\"2075\" data-end=\"2099\">\n<p data-start=\"2077\" data-end=\"2099\">Approximately v2.9.x<\/p>\n<\/li>\n<li data-start=\"2102\" data-end=\"2133\">\n<p data-start=\"2104\" data-end=\"2133\">Chromium\/WebView engine ~80<\/p>\n<\/li>\n<li data-start=\"2136\" data-end=\"2185\">\n<p data-start=\"2138\" data-end=\"2185\">Full bundle installed (base + native libraries)<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 data-start=\"2187\" data-end=\"2215\"><strong data-start=\"2191\" data-end=\"2215\">Isolation &amp; Controls<\/strong><\/h3>\n<ul data-start=\"2216\" data-end=\"2443\">\n<li data-start=\"2216\" data-end=\"2233\">\n<p data-start=\"2218\" data-end=\"2233\">WiFi disabled<\/p>\n<\/li>\n<li data-start=\"2234\" data-end=\"2266\">\n<p data-start=\"2236\" data-end=\"2266\">All outbound traffic blocked<\/p>\n<\/li>\n<li data-start=\"2267\" data-end=\"2333\">\n<p data-start=\"2269\" data-end=\"2333\">Local content loaded only over <code data-start=\"2300\" data-end=\"2311\">127.0.0.1<\/code> using <code data-start=\"2318\" data-end=\"2331\">adb reverse<\/code><\/p>\n<\/li>\n<li data-start=\"2334\" data-end=\"2379\">\n<p data-start=\"2336\" data-end=\"2379\">No internet or external domains reachable<\/p>\n<\/li>\n<li data-start=\"2380\" data-end=\"2443\">\n<p data-start=\"2382\" data-end=\"2443\">Host NIC traffic monitored continuously (no packets observed)<\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"2445\" data-end=\"2458\"><strong data-start=\"2449\" data-end=\"2458\">Tools<\/strong><\/h3>\n<ul data-start=\"2459\" data-end=\"2594\">\n<li data-start=\"2459\" data-end=\"2494\">\n<p data-start=\"2461\" data-end=\"2494\">ADB (file extraction, DB pulls)<\/p>\n<\/li>\n<li data-start=\"2495\" data-end=\"2517\">\n<p data-start=\"2497\" data-end=\"2517\">SQLite3 CLI viewer<\/p>\n<\/li>\n<li data-start=\"2518\" data-end=\"2539\">\n<p data-start=\"2520\" data-end=\"2539\">Local HTTP server<\/p>\n<\/li>\n<li data-start=\"2540\" data-end=\"2566\">\n<p data-start=\"2542\" data-end=\"2566\">SHA256 hashing utility<\/p>\n<\/li>\n<li data-start=\"2567\" data-end=\"2594\">\n<p data-start=\"2569\" data-end=\"2594\">Screen recording \/ logs<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2596\" data-end=\"2757\">Wireshark captured no traffic\u2014as expected\u2014because <strong data-start=\"2646\" data-end=\"2701\">all test traffic remained inside the Android device<\/strong> and never traversed a physical or virtual host adapter.<\/p>\n<hr data-start=\"2759\" data-end=\"2762\" \/>\n<h2 data-start=\"2764\" data-end=\"2785\"><strong data-start=\"2767\" data-end=\"2785\">Test Scenarios<\/strong><\/h2>\n<p data-start=\"2786\" data-end=\"2874\">Each scenario was repeated <strong data-start=\"2813\" data-end=\"2828\">three times<\/strong> with a clean baseline snapshot for every run.<\/p>\n<ol data-start=\"2876\" data-end=\"3346\">\n<li data-start=\"2876\" data-end=\"2954\">\n<p data-start=\"2879\" data-end=\"2901\"><strong data-start=\"2879\" data-end=\"2899\">Baseline control<\/strong><\/p>\n<ul data-start=\"2905\" data-end=\"2954\">\n<li data-start=\"2905\" data-end=\"2954\">\n<p data-start=\"2907\" data-end=\"2954\">User manually allows popups \u2192 expected DB entry<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"2956\" data-end=\"3015\">\n<p data-start=\"2959\" data-end=\"2979\"><strong data-start=\"2959\" data-end=\"2977\">Redirect chain<\/strong><\/p>\n<ul data-start=\"2983\" data-end=\"3015\">\n<li data-start=\"2983\" data-end=\"3015\">\n<p data-start=\"2985\" data-end=\"3015\">Multi-step 3xx \u2192 window.open()<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"3017\" data-end=\"3086\">\n<p data-start=\"3020\" data-end=\"3040\"><strong data-start=\"3020\" data-end=\"3038\">Nested iframes<\/strong><\/p>\n<ul data-start=\"3044\" data-end=\"3086\">\n<li data-start=\"3044\" data-end=\"3086\">\n<p data-start=\"3046\" data-end=\"3086\">Child iframe attempts to trigger a popup<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"3088\" data-end=\"3162\">\n<p data-start=\"3091\" data-end=\"3116\"><strong data-start=\"3091\" data-end=\"3114\">Programmatic popups<\/strong><\/p>\n<ul data-start=\"3120\" data-end=\"3162\">\n<li data-start=\"3120\" data-end=\"3162\">\n<p data-start=\"3122\" data-end=\"3162\">timers, onload triggers, JS-driven calls<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"3164\" data-end=\"3198\">\n<p data-start=\"3167\" data-end=\"3198\"><strong data-start=\"3167\" data-end=\"3198\">Prefetch \/ background fetch<\/strong><\/p>\n<\/li>\n<li data-start=\"3200\" data-end=\"3346\">\n<p data-start=\"3203\" data-end=\"3230\"><strong data-start=\"3203\" data-end=\"3228\">Restore \/ import test<\/strong><\/p>\n<ul data-start=\"3234\" data-end=\"3346\">\n<li data-start=\"3234\" data-end=\"3283\">\n<p data-start=\"3236\" data-end=\"3283\">Attempt to import previously exported DB data<\/p>\n<\/li>\n<li data-start=\"3287\" data-end=\"3346\">\n<p data-start=\"3289\" data-end=\"3346\"><em data-start=\"3289\" data-end=\"3346\">(Aloha 2.x does not support import in a meaningful way)<\/em><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p data-start=\"3348\" data-end=\"3362\">For every run:<\/p>\n<ul data-start=\"3363\" data-end=\"3504\">\n<li data-start=\"3363\" data-end=\"3394\">\n<p data-start=\"3365\" data-end=\"3394\">Pre-test DB pulled + hashed<\/p>\n<\/li>\n<li data-start=\"3395\" data-end=\"3412\">\n<p data-start=\"3397\" data-end=\"3412\">Test executed<\/p>\n<\/li>\n<li data-start=\"3413\" data-end=\"3445\">\n<p data-start=\"3415\" data-end=\"3445\">Post-test DB pulled + hashed<\/p>\n<\/li>\n<li data-start=\"3446\" data-end=\"3473\">\n<p data-start=\"3448\" data-end=\"3473\">SHA256 digests compared<\/p>\n<\/li>\n<li data-start=\"3474\" data-end=\"3504\">\n<p data-start=\"3476\" data-end=\"3504\">DB inspected for new entries<\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3506\" data-end=\"3509\" \/>\n<h2 data-start=\"3511\" data-end=\"3534\"><strong data-start=\"3514\" data-end=\"3534\">Results Overview<\/strong><\/h2>\n<h3 data-start=\"3536\" data-end=\"3564\"><strong data-start=\"3540\" data-end=\"3564\">Scenario 1: Baseline<\/strong><\/h3>\n<p data-start=\"3565\" data-end=\"3657\">User manually allowed popups \u2192<br data-start=\"3595\" data-end=\"3598\" \/><strong data-start=\"3598\" data-end=\"3619\">1 new entry added<\/strong> to <code data-start=\"3623\" data-end=\"3642\">allow_popup_sites<\/code> (as expected).<\/p>\n<h3 data-start=\"3659\" data-end=\"3694\"><strong data-start=\"3663\" data-end=\"3694\">Scenario 2: Redirect Chains<\/strong><\/h3>\n<p data-start=\"3695\" data-end=\"3713\">In all three runs:<\/p>\n<ul data-start=\"3714\" data-end=\"3775\">\n<li data-start=\"3714\" data-end=\"3747\">\n<p data-start=\"3716\" data-end=\"3747\">Popups triggered successfully<\/p>\n<\/li>\n<li data-start=\"3748\" data-end=\"3775\">\n<p data-start=\"3750\" data-end=\"3775\"><strong data-start=\"3750\" data-end=\"3775\">No DB entries created<\/strong><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"3777\" data-end=\"3811\"><strong data-start=\"3781\" data-end=\"3811\">Scenario 3: Nested Iframes<\/strong><\/h3>\n<ul data-start=\"3812\" data-end=\"3929\">\n<li data-start=\"3812\" data-end=\"3842\">\n<p data-start=\"3814\" data-end=\"3842\">Popups <strong data-start=\"3821\" data-end=\"3840\">never triggered<\/strong><\/p>\n<\/li>\n<li data-start=\"3843\" data-end=\"3871\">\n<p data-start=\"3845\" data-end=\"3871\">DB unchanged in all runs<\/p>\n<\/li>\n<li data-start=\"3872\" data-end=\"3929\">\n<p data-start=\"3874\" data-end=\"3929\">Matches known WebView limitations from Chromium 70\u201380<\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"3931\" data-end=\"3972\"><strong data-start=\"3935\" data-end=\"3972\">Scenario 4: Programmatic Triggers<\/strong><\/h3>\n<ul data-start=\"3973\" data-end=\"4057\">\n<li data-start=\"3973\" data-end=\"4003\">\n<p data-start=\"3975\" data-end=\"4003\">Timers and JS events fired<\/p>\n<\/li>\n<li data-start=\"4004\" data-end=\"4021\">\n<p data-start=\"4006\" data-end=\"4021\">Popups opened<\/p>\n<\/li>\n<li data-start=\"4022\" data-end=\"4057\">\n<p data-start=\"4024\" data-end=\"4057\"><strong data-start=\"4024\" data-end=\"4057\">No permission entries created<\/strong><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"4059\" data-end=\"4106\"><strong data-start=\"4063\" data-end=\"4106\">Scenario 5: Prefetch \/ Background Fetch<\/strong><\/h3>\n<ul data-start=\"4107\" data-end=\"4160\">\n<li data-start=\"4107\" data-end=\"4140\">\n<p data-start=\"4109\" data-end=\"4140\">No user gesture \u2192 no UI event<\/p>\n<\/li>\n<li data-start=\"4141\" data-end=\"4160\">\n<p data-start=\"4143\" data-end=\"4160\"><strong data-start=\"4143\" data-end=\"4160\">No DB changes<\/strong><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"4162\" data-end=\"4198\"><strong data-start=\"4166\" data-end=\"4198\">Scenario 6: Restore \/ Import<\/strong><\/h3>\n<ul data-start=\"4199\" data-end=\"4366\">\n<li data-start=\"4199\" data-end=\"4282\">\n<p data-start=\"4201\" data-end=\"4282\">Aloha 2.x does not support importing data in a way that affects popup artifacts<\/p>\n<\/li>\n<li data-start=\"4283\" data-end=\"4341\">\n<p data-start=\"4285\" data-end=\"4341\">Re-importing the DB produced <strong data-start=\"4314\" data-end=\"4339\">no behavioural change<\/strong><\/p>\n<\/li>\n<li data-start=\"4342\" data-end=\"4366\">\n<p data-start=\"4344\" data-end=\"4366\"><strong data-start=\"4344\" data-end=\"4366\">Zero entries added<\/strong><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"4368\" data-end=\"4371\" \/>\n<h1 data-start=\"4373\" data-end=\"4406\">\ud83d\udd0d <strong data-start=\"4378\" data-end=\"4406\">Core Forensic Conclusion<\/strong><\/h1>\n<p data-start=\"4407\" data-end=\"4665\"><strong data-start=\"4407\" data-end=\"4476\">Bypass popups do not trigger Aloha Browser\u2019s permission pipeline.<\/strong><br data-start=\"4476\" data-end=\"4479\" \/>And because the permission pipeline is the <em data-start=\"4522\" data-end=\"4528\">only<\/em> mechanism that writes to <code data-start=\"4554\" data-end=\"4573\">allow_popup_sites<\/code>, the SQLite database shows <strong data-start=\"4601\" data-end=\"4627\">no evidence whatsoever<\/strong>, even though visible popups occurred.<\/p>\n<p data-start=\"4667\" data-end=\"4678\">This means:<\/p>\n<ul data-start=\"4680\" data-end=\"4827\">\n<li data-start=\"4680\" data-end=\"4715\">\n<p data-start=\"4682\" data-end=\"4715\">The absence of database entries<\/p>\n<\/li>\n<li data-start=\"4716\" data-end=\"4768\">\n<p data-start=\"4718\" data-end=\"4768\"><strong data-start=\"4718\" data-end=\"4728\">cannot<\/strong> be used to prove popups did not occur<\/p>\n<\/li>\n<li data-start=\"4769\" data-end=\"4827\">\n<p data-start=\"4771\" data-end=\"4827\">and <strong data-start=\"4775\" data-end=\"4785\">cannot<\/strong> be used to infer user action or consent<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"4829\" data-end=\"4871\">This is a significant forensic limitation.<\/p>\n<hr data-start=\"4873\" data-end=\"4876\" \/>\n<h2 data-start=\"4878\" data-end=\"4932\"><strong data-start=\"4881\" data-end=\"4932\">Why This Matters for Legal &amp; Investigative Work<\/strong><\/h2>\n<p data-start=\"4933\" data-end=\"4961\">This finding is crucial for:<\/p>\n<h3 data-start=\"4963\" data-end=\"4999\"><strong data-start=\"4967\" data-end=\"4997\">\u2714 Digital harassment cases<\/strong><\/h3>\n<p data-start=\"5000\" data-end=\"5120\">An attacker could trigger popups without leaving trace artifacts, meaning the victim\u2019s browser logs won&#8217;t show anything.<\/p>\n<h3 data-start=\"5122\" data-end=\"5180\"><strong data-start=\"5126\" data-end=\"5178\">\u2714 Criminal defence &amp; digital evidence challenges<\/strong><\/h3>\n<p data-start=\"5181\" data-end=\"5271\">A missing DB entry does <strong data-start=\"5205\" data-end=\"5212\">not<\/strong> imply the user did not experience unwanted popup activity.<\/p>\n<h3 data-start=\"5273\" data-end=\"5320\"><strong data-start=\"5277\" data-end=\"5318\">\u2714 Mobile forensics &amp; expert testimony<\/strong><\/h3>\n<p data-start=\"5321\" data-end=\"5404\">This test demonstrates a reproducible blind spot in Aloha\u2019s 2020 WebView behaviour.<\/p>\n<h3 data-start=\"5406\" data-end=\"5459\"><strong data-start=\"5410\" data-end=\"5457\">\u2714 Corporate security &amp; fraud investigations<\/strong><\/h3>\n<p data-start=\"5460\" data-end=\"5539\">Popup-driven phishing or malvertising could occur without forensic persistence.<\/p>\n<hr data-start=\"5541\" data-end=\"5544\" \/>\n<h2 data-start=\"5546\" data-end=\"5580\"><strong data-start=\"5549\" data-end=\"5580\">Technical Quote for Reports<\/strong><\/h2>\n<blockquote data-start=\"5581\" data-end=\"5909\">\n<p data-start=\"5583\" data-end=\"5909\"><em data-start=\"5583\" data-end=\"5909\">\u201cIn Aloha Browser v2.x (WebView ~80), popup events triggered without user gesture do not invoke the permission callback responsible for writing to the \u2018allow_popup_sites\u2019 SQLite table. As a result, non-interactive popup behaviour leaves zero database artifacts and cannot be reconstructed from the browser\u2019s internal state.\u201d<\/em><\/p>\n<\/blockquote>\n<hr data-start=\"5911\" data-end=\"5914\" \/>\n<h2 data-start=\"5916\" data-end=\"5944\"><strong data-start=\"5919\" data-end=\"5944\">Artifacts &amp; Integrity<\/strong><\/h2>\n<p data-start=\"5945\" data-end=\"5998\">All collected artifacts were hashed using <strong data-start=\"5987\" data-end=\"5997\">SHA256<\/strong>:<\/p>\n<ul data-start=\"6000\" data-end=\"6149\">\n<li data-start=\"6000\" data-end=\"6021\">\n<p data-start=\"6002\" data-end=\"6021\">Baseline DB files<\/p>\n<\/li>\n<li data-start=\"6022\" data-end=\"6057\">\n<p data-start=\"6024\" data-end=\"6057\">All pre\/post lab DB extractions<\/p>\n<\/li>\n<li data-start=\"6058\" data-end=\"6078\">\n<p data-start=\"6060\" data-end=\"6078\">Video recordings<\/p>\n<\/li>\n<li data-start=\"6079\" data-end=\"6107\">\n<p data-start=\"6081\" data-end=\"6107\">Final zipped deliverable<\/p>\n<\/li>\n<li data-start=\"6108\" data-end=\"6149\">\n<p data-start=\"6110\" data-end=\"6149\">Manifest documenting each file\u2019s hash<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"6151\" data-end=\"6204\">These are available in the final deliverable package.<\/p>\n<hr data-start=\"6206\" data-end=\"6209\" \/>\n<h2 data-start=\"6211\" data-end=\"6241\"><strong data-start=\"6214\" data-end=\"6241\">About LTH Cybersecurity<\/strong><\/h2>\n<p data-start=\"6242\" data-end=\"6275\">LTH Cybersecurity specializes in:<\/p>\n<ul data-start=\"6277\" data-end=\"6468\">\n<li data-start=\"6277\" data-end=\"6309\">\n<p data-start=\"6279\" data-end=\"6309\">Mobile application forensics<\/p>\n<\/li>\n<li data-start=\"6310\" data-end=\"6340\">\n<p data-start=\"6312\" data-end=\"6340\">Browser behaviour analysis<\/p>\n<\/li>\n<li data-start=\"6341\" data-end=\"6367\">\n<p data-start=\"6343\" data-end=\"6367\">Digital investigations<\/p>\n<\/li>\n<li data-start=\"6368\" data-end=\"6394\">\n<p data-start=\"6370\" data-end=\"6394\">Vulnerability research<\/p>\n<\/li>\n<li data-start=\"6395\" data-end=\"6428\">\n<p data-start=\"6397\" data-end=\"6428\">Isolated testbed construction<\/p>\n<\/li>\n<li data-start=\"6429\" data-end=\"6468\">\n<p data-start=\"6431\" data-end=\"6468\">Reproducible forensic methodologies<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"6470\" data-end=\"6593\">If your organization requires high-integrity, legally defensible mobile browser analysis or expert testimony, LTH can help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":105,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-case-studies"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts\/104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/comments?post=104"}],"version-history":[{"count":2,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts\/104\/revisions"}],"predecessor-version":[{"id":116,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts\/104\/revisions\/116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/media\/105"}],"wp:attachment":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/media?parent=104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/categories?post=104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/tags?post=104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}