{"id":104,"date":"2025-11-22T21:22:18","date_gmt":"2025-11-22T21:22:18","guid":{"rendered":"https:\/\/lthcybersecurity.com\/blog\/?p=104"},"modified":"2025-11-22T21:22:18","modified_gmt":"2025-11-22T21:22:18","slug":"case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build","status":"publish","type":"post","link":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/","title":{"rendered":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)"},"content":{"rendered":"<p data-start=\"435\" data-end=\"685\">LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered <strong data-start=\"649\" data-end=\"684\">without direct user interaction<\/strong>.<\/p>\n<p data-start=\"687\" data-end=\"932\"><strong data-start=\"687\" data-end=\"703\">Key Finding:<\/strong><br data-start=\"703\" data-end=\"706\" \/>Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014<strong data-start=\"835\" data-end=\"877\">no automatic entries were ever written<\/strong> to the browser\u2019s internal <code data-start=\"904\" data-end=\"923\">allow_popup_sites<\/code> table.<\/p>\n<p data-start=\"934\" data-end=\"1066\">Only <strong data-start=\"939\" data-end=\"969\">user-initiated permissions<\/strong> created database artifacts.<br data-start=\"997\" data-end=\"1000\" \/>All bypass or non-gesture events produced <strong data-start=\"1042\" data-end=\"1065\">zero trace evidence<\/strong>.<\/p>\n<p data-start=\"1068\" data-end=\"1180\">This behaviour has major implications for legal investigations, digital harassment cases, and WebView forensics.<\/p>\n<hr data-start=\"1182\" data-end=\"1185\" \/>\n<h2 data-start=\"1187\" data-end=\"1217\"><strong data-start=\"1190\" data-end=\"1217\">Background &amp; Importance<\/strong><\/h2>\n<p data-start=\"1218\" data-end=\"1409\">During several real-world investigations, analysts and legal teams have relied on the presence (or absence) of popup permission entries as evidence of a user\u2019s actions or browser behaviour.<\/p>\n<p data-start=\"1411\" data-end=\"1572\">However, Chromium\/WebView engines between 2018\u20132020 had known popup-related gesture bypasses, inconsistent iframe behaviour, and exploitable redirect heuristics.<\/p>\n<p data-start=\"1574\" data-end=\"1636\">This case study sought to answer a critical forensic question:<\/p>\n<blockquote data-start=\"1638\" data-end=\"1751\">\n<p data-start=\"1640\" data-end=\"1751\"><strong data-start=\"1640\" data-end=\"1751\">Can popups be triggered in Aloha Browser without leaving any evidence inside the browser\u2019s SQLite database?<\/strong><\/p>\n<\/blockquote>\n<p data-start=\"1753\" data-end=\"1790\">The results were definitive: <strong data-start=\"1782\" data-end=\"1789\">yes<\/strong>.<\/p>\n<hr data-start=\"1792\" data-end=\"1795\" \/>\n<h2 data-start=\"1797\" data-end=\"1820\"><strong data-start=\"1800\" data-end=\"1820\">Test Environment<\/strong><\/h2>\n<p data-start=\"1821\" data-end=\"1910\">All testing was performed under strict, isolated conditions to ensure forensic integrity.<\/p>\n<h3 data-start=\"1912\" data-end=\"1927\"><strong data-start=\"1916\" data-end=\"1927\">Devices<\/strong><\/h3>\n<ul data-start=\"1928\" data-end=\"2016\">\n<li data-start=\"1928\" data-end=\"1987\">\n<p data-start=\"1930\" data-end=\"1953\"><strong data-start=\"1930\" data-end=\"1951\">Samsung Galaxy S8<\/strong><\/p>\n<ul data-start=\"1956\" data-end=\"1987\">\n<li data-start=\"1956\" data-end=\"1975\">\n<p data-start=\"1958\" data-end=\"1975\">Android 9 (Pie)<\/p>\n<\/li>\n<li data-start=\"1978\" data-end=\"1987\">\n<p data-start=\"1980\" data-end=\"1987\">ARM64<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"1988\" data-end=\"2016\">\n<p data-start=\"1990\" data-end=\"2016\"><em data-start=\"1990\" data-end=\"2016\">(S9 results coming next)<\/em><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"2018\" data-end=\"2033\"><strong data-start=\"2022\" data-end=\"2033\">Browser<\/strong><\/h3>\n<ul data-start=\"2034\" data-end=\"2185\">\n<li data-start=\"2034\" data-end=\"2185\">\n<p data-start=\"2036\" data-end=\"2072\"><strong data-start=\"2036\" data-end=\"2070\">Aloha Browser early 2020 build<\/strong><\/p>\n<ul data-start=\"2075\" data-end=\"2185\">\n<li data-start=\"2075\" data-end=\"2099\">\n<p data-start=\"2077\" data-end=\"2099\">Approximately v2.9.x<\/p>\n<\/li>\n<li data-start=\"2102\" data-end=\"2133\">\n<p data-start=\"2104\" data-end=\"2133\">Chromium\/WebView engine ~80<\/p>\n<\/li>\n<li data-start=\"2136\" data-end=\"2185\">\n<p data-start=\"2138\" data-end=\"2185\">Full bundle installed (base + native libraries)<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 data-start=\"2187\" data-end=\"2215\"><strong data-start=\"2191\" data-end=\"2215\">Isolation &amp; Controls<\/strong><\/h3>\n<ul data-start=\"2216\" data-end=\"2443\">\n<li data-start=\"2216\" data-end=\"2233\">\n<p data-start=\"2218\" data-end=\"2233\">WiFi disabled<\/p>\n<\/li>\n<li data-start=\"2234\" data-end=\"2266\">\n<p data-start=\"2236\" data-end=\"2266\">All outbound traffic blocked<\/p>\n<\/li>\n<li data-start=\"2267\" data-end=\"2333\">\n<p data-start=\"2269\" data-end=\"2333\">Local content loaded only over <code data-start=\"2300\" data-end=\"2311\">127.0.0.1<\/code> using <code data-start=\"2318\" data-end=\"2331\">adb reverse<\/code><\/p>\n<\/li>\n<li data-start=\"2334\" data-end=\"2379\">\n<p data-start=\"2336\" data-end=\"2379\">No internet or external domains reachable<\/p>\n<\/li>\n<li data-start=\"2380\" data-end=\"2443\">\n<p data-start=\"2382\" data-end=\"2443\">Host NIC traffic monitored continuously (no packets observed)<\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"2445\" data-end=\"2458\"><strong data-start=\"2449\" data-end=\"2458\">Tools<\/strong><\/h3>\n<ul data-start=\"2459\" data-end=\"2594\">\n<li data-start=\"2459\" data-end=\"2494\">\n<p data-start=\"2461\" data-end=\"2494\">ADB (file extraction, DB pulls)<\/p>\n<\/li>\n<li data-start=\"2495\" data-end=\"2517\">\n<p data-start=\"2497\" data-end=\"2517\">SQLite3 CLI viewer<\/p>\n<\/li>\n<li data-start=\"2518\" data-end=\"2539\">\n<p data-start=\"2520\" data-end=\"2539\">Local HTTP server<\/p>\n<\/li>\n<li data-start=\"2540\" data-end=\"2566\">\n<p data-start=\"2542\" data-end=\"2566\">SHA256 hashing utility<\/p>\n<\/li>\n<li data-start=\"2567\" data-end=\"2594\">\n<p data-start=\"2569\" data-end=\"2594\">Screen recording \/ logs<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2596\" data-end=\"2757\">Wireshark captured no traffic\u2014as expected\u2014because <strong data-start=\"2646\" data-end=\"2701\">all test traffic remained inside the Android device<\/strong> and never traversed a physical or virtual host adapter.<\/p>\n<hr data-start=\"2759\" data-end=\"2762\" \/>\n<h2 data-start=\"2764\" data-end=\"2785\"><strong data-start=\"2767\" data-end=\"2785\">Test Scenarios<\/strong><\/h2>\n<p data-start=\"2786\" data-end=\"2874\">Each scenario was repeated <strong data-start=\"2813\" data-end=\"2828\">three times<\/strong> with a clean baseline snapshot for every run.<\/p>\n<ol data-start=\"2876\" data-end=\"3346\">\n<li data-start=\"2876\" data-end=\"2954\">\n<p data-start=\"2879\" data-end=\"2901\"><strong data-start=\"2879\" data-end=\"2899\">Baseline control<\/strong><\/p>\n<ul data-start=\"2905\" data-end=\"2954\">\n<li data-start=\"2905\" data-end=\"2954\">\n<p data-start=\"2907\" data-end=\"2954\">User manually allows popups \u2192 expected DB entry<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"2956\" data-end=\"3015\">\n<p data-start=\"2959\" data-end=\"2979\"><strong data-start=\"2959\" data-end=\"2977\">Redirect chain<\/strong><\/p>\n<ul data-start=\"2983\" data-end=\"3015\">\n<li data-start=\"2983\" data-end=\"3015\">\n<p data-start=\"2985\" data-end=\"3015\">Multi-step 3xx \u2192 window.open()<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"3017\" data-end=\"3086\">\n<p data-start=\"3020\" data-end=\"3040\"><strong data-start=\"3020\" data-end=\"3038\">Nested iframes<\/strong><\/p>\n<ul data-start=\"3044\" data-end=\"3086\">\n<li data-start=\"3044\" data-end=\"3086\">\n<p data-start=\"3046\" data-end=\"3086\">Child iframe attempts to trigger a popup<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"3088\" data-end=\"3162\">\n<p data-start=\"3091\" data-end=\"3116\"><strong data-start=\"3091\" data-end=\"3114\">Programmatic popups<\/strong><\/p>\n<ul data-start=\"3120\" data-end=\"3162\">\n<li data-start=\"3120\" data-end=\"3162\">\n<p data-start=\"3122\" data-end=\"3162\">timers, onload triggers, JS-driven calls<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li data-start=\"3164\" data-end=\"3198\">\n<p data-start=\"3167\" data-end=\"3198\"><strong data-start=\"3167\" data-end=\"3198\">Prefetch \/ background fetch<\/strong><\/p>\n<\/li>\n<li data-start=\"3200\" data-end=\"3346\">\n<p data-start=\"3203\" data-end=\"3230\"><strong data-start=\"3203\" data-end=\"3228\">Restore \/ import test<\/strong><\/p>\n<ul data-start=\"3234\" data-end=\"3346\">\n<li data-start=\"3234\" data-end=\"3283\">\n<p data-start=\"3236\" data-end=\"3283\">Attempt to import previously exported DB data<\/p>\n<\/li>\n<li data-start=\"3287\" data-end=\"3346\">\n<p data-start=\"3289\" data-end=\"3346\"><em data-start=\"3289\" data-end=\"3346\">(Aloha 2.x does not support import in a meaningful way)<\/em><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p data-start=\"3348\" data-end=\"3362\">For every run:<\/p>\n<ul data-start=\"3363\" data-end=\"3504\">\n<li data-start=\"3363\" data-end=\"3394\">\n<p data-start=\"3365\" data-end=\"3394\">Pre-test DB pulled + hashed<\/p>\n<\/li>\n<li data-start=\"3395\" data-end=\"3412\">\n<p data-start=\"3397\" data-end=\"3412\">Test executed<\/p>\n<\/li>\n<li data-start=\"3413\" data-end=\"3445\">\n<p data-start=\"3415\" data-end=\"3445\">Post-test DB pulled + hashed<\/p>\n<\/li>\n<li data-start=\"3446\" data-end=\"3473\">\n<p data-start=\"3448\" data-end=\"3473\">SHA256 digests compared<\/p>\n<\/li>\n<li data-start=\"3474\" data-end=\"3504\">\n<p data-start=\"3476\" data-end=\"3504\">DB inspected for new entries<\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3506\" data-end=\"3509\" \/>\n<h2 data-start=\"3511\" data-end=\"3534\"><strong data-start=\"3514\" data-end=\"3534\">Results Overview<\/strong><\/h2>\n<h3 data-start=\"3536\" data-end=\"3564\"><strong data-start=\"3540\" data-end=\"3564\">Scenario 1: Baseline<\/strong><\/h3>\n<p data-start=\"3565\" data-end=\"3657\">User manually allowed popups \u2192<br data-start=\"3595\" data-end=\"3598\" \/><strong data-start=\"3598\" data-end=\"3619\">1 new entry added<\/strong> to <code data-start=\"3623\" data-end=\"3642\">allow_popup_sites<\/code> (as expected).<\/p>\n<h3 data-start=\"3659\" data-end=\"3694\"><strong data-start=\"3663\" data-end=\"3694\">Scenario 2: Redirect Chains<\/strong><\/h3>\n<p data-start=\"3695\" data-end=\"3713\">In all three runs:<\/p>\n<ul data-start=\"3714\" data-end=\"3775\">\n<li data-start=\"3714\" data-end=\"3747\">\n<p data-start=\"3716\" data-end=\"3747\">Popups triggered successfully<\/p>\n<\/li>\n<li data-start=\"3748\" data-end=\"3775\">\n<p data-start=\"3750\" data-end=\"3775\"><strong data-start=\"3750\" data-end=\"3775\">No DB entries created<\/strong><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"3777\" data-end=\"3811\"><strong data-start=\"3781\" data-end=\"3811\">Scenario 3: Nested Iframes<\/strong><\/h3>\n<ul data-start=\"3812\" data-end=\"3929\">\n<li data-start=\"3812\" data-end=\"3842\">\n<p data-start=\"3814\" data-end=\"3842\">Popups <strong data-start=\"3821\" data-end=\"3840\">never triggered<\/strong><\/p>\n<\/li>\n<li data-start=\"3843\" data-end=\"3871\">\n<p data-start=\"3845\" data-end=\"3871\">DB unchanged in all runs<\/p>\n<\/li>\n<li data-start=\"3872\" data-end=\"3929\">\n<p data-start=\"3874\" data-end=\"3929\">Matches known WebView limitations from Chromium 70\u201380<\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"3931\" data-end=\"3972\"><strong data-start=\"3935\" data-end=\"3972\">Scenario 4: Programmatic Triggers<\/strong><\/h3>\n<ul data-start=\"3973\" data-end=\"4057\">\n<li data-start=\"3973\" data-end=\"4003\">\n<p data-start=\"3975\" data-end=\"4003\">Timers and JS events fired<\/p>\n<\/li>\n<li data-start=\"4004\" data-end=\"4021\">\n<p data-start=\"4006\" data-end=\"4021\">Popups opened<\/p>\n<\/li>\n<li data-start=\"4022\" data-end=\"4057\">\n<p data-start=\"4024\" data-end=\"4057\"><strong data-start=\"4024\" data-end=\"4057\">No permission entries created<\/strong><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"4059\" data-end=\"4106\"><strong data-start=\"4063\" data-end=\"4106\">Scenario 5: Prefetch \/ Background Fetch<\/strong><\/h3>\n<ul data-start=\"4107\" data-end=\"4160\">\n<li data-start=\"4107\" data-end=\"4140\">\n<p data-start=\"4109\" data-end=\"4140\">No user gesture \u2192 no UI event<\/p>\n<\/li>\n<li data-start=\"4141\" data-end=\"4160\">\n<p data-start=\"4143\" data-end=\"4160\"><strong data-start=\"4143\" data-end=\"4160\">No DB changes<\/strong><\/p>\n<\/li>\n<\/ul>\n<h3 data-start=\"4162\" data-end=\"4198\"><strong data-start=\"4166\" data-end=\"4198\">Scenario 6: Restore \/ Import<\/strong><\/h3>\n<ul data-start=\"4199\" data-end=\"4366\">\n<li data-start=\"4199\" data-end=\"4282\">\n<p data-start=\"4201\" data-end=\"4282\">Aloha 2.x does not support importing data in a way that affects popup artifacts<\/p>\n<\/li>\n<li data-start=\"4283\" data-end=\"4341\">\n<p data-start=\"4285\" data-end=\"4341\">Re-importing the DB produced <strong data-start=\"4314\" data-end=\"4339\">no behavioural change<\/strong><\/p>\n<\/li>\n<li data-start=\"4342\" data-end=\"4366\">\n<p data-start=\"4344\" data-end=\"4366\"><strong data-start=\"4344\" data-end=\"4366\">Zero entries added<\/strong><\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"4368\" data-end=\"4371\" \/>\n<h1 data-start=\"4373\" data-end=\"4406\">\ud83d\udd0d <strong data-start=\"4378\" data-end=\"4406\">Core Forensic Conclusion<\/strong><\/h1>\n<p data-start=\"4407\" data-end=\"4665\"><strong data-start=\"4407\" data-end=\"4476\">Bypass popups do not trigger Aloha Browser\u2019s permission pipeline.<\/strong><br data-start=\"4476\" data-end=\"4479\" \/>And because the permission pipeline is the <em data-start=\"4522\" data-end=\"4528\">only<\/em> mechanism that writes to <code data-start=\"4554\" data-end=\"4573\">allow_popup_sites<\/code>, the SQLite database shows <strong data-start=\"4601\" data-end=\"4627\">no evidence whatsoever<\/strong>, even though visible popups occurred.<\/p>\n<p data-start=\"4667\" data-end=\"4678\">This means:<\/p>\n<ul data-start=\"4680\" data-end=\"4827\">\n<li data-start=\"4680\" data-end=\"4715\">\n<p data-start=\"4682\" data-end=\"4715\">The absence of database entries<\/p>\n<\/li>\n<li data-start=\"4716\" data-end=\"4768\">\n<p data-start=\"4718\" data-end=\"4768\"><strong data-start=\"4718\" data-end=\"4728\">cannot<\/strong> be used to prove popups did not occur<\/p>\n<\/li>\n<li data-start=\"4769\" data-end=\"4827\">\n<p data-start=\"4771\" data-end=\"4827\">and <strong data-start=\"4775\" data-end=\"4785\">cannot<\/strong> be used to infer user action or consent<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"4829\" data-end=\"4871\">This is a significant forensic limitation.<\/p>\n<hr data-start=\"4873\" data-end=\"4876\" \/>\n<h2 data-start=\"4878\" data-end=\"4932\"><strong data-start=\"4881\" data-end=\"4932\">Why This Matters for Legal &amp; Investigative Work<\/strong><\/h2>\n<p data-start=\"4933\" data-end=\"4961\">This finding is crucial for:<\/p>\n<h3 data-start=\"4963\" data-end=\"4999\"><strong data-start=\"4967\" data-end=\"4997\">\u2714 Digital harassment cases<\/strong><\/h3>\n<p data-start=\"5000\" data-end=\"5120\">An attacker could trigger popups without leaving trace artifacts, meaning the victim\u2019s browser logs won&#8217;t show anything.<\/p>\n<h3 data-start=\"5122\" data-end=\"5180\"><strong data-start=\"5126\" data-end=\"5178\">\u2714 Criminal defence &amp; digital evidence challenges<\/strong><\/h3>\n<p data-start=\"5181\" data-end=\"5271\">A missing DB entry does <strong data-start=\"5205\" data-end=\"5212\">not<\/strong> imply the user did not experience unwanted popup activity.<\/p>\n<h3 data-start=\"5273\" data-end=\"5320\"><strong data-start=\"5277\" data-end=\"5318\">\u2714 Mobile forensics &amp; expert testimony<\/strong><\/h3>\n<p data-start=\"5321\" data-end=\"5404\">This test demonstrates a reproducible blind spot in Aloha\u2019s 2020 WebView behaviour.<\/p>\n<h3 data-start=\"5406\" data-end=\"5459\"><strong data-start=\"5410\" data-end=\"5457\">\u2714 Corporate security &amp; fraud investigations<\/strong><\/h3>\n<p data-start=\"5460\" data-end=\"5539\">Popup-driven phishing or malvertising could occur without forensic persistence.<\/p>\n<hr data-start=\"5541\" data-end=\"5544\" \/>\n<h2 data-start=\"5546\" data-end=\"5580\"><strong data-start=\"5549\" data-end=\"5580\">Technical Quote for Reports<\/strong><\/h2>\n<blockquote data-start=\"5581\" data-end=\"5909\">\n<p data-start=\"5583\" data-end=\"5909\"><em data-start=\"5583\" data-end=\"5909\">\u201cIn Aloha Browser v2.x (WebView ~80), popup events triggered without user gesture do not invoke the permission callback responsible for writing to the \u2018allow_popup_sites\u2019 SQLite table. As a result, non-interactive popup behaviour leaves zero database artifacts and cannot be reconstructed from the browser\u2019s internal state.\u201d<\/em><\/p>\n<\/blockquote>\n<hr data-start=\"5911\" data-end=\"5914\" \/>\n<h2 data-start=\"5916\" data-end=\"5944\"><strong data-start=\"5919\" data-end=\"5944\">Artifacts &amp; Integrity<\/strong><\/h2>\n<p data-start=\"5945\" data-end=\"5998\">All collected artifacts were hashed using <strong data-start=\"5987\" data-end=\"5997\">SHA256<\/strong>:<\/p>\n<ul data-start=\"6000\" data-end=\"6149\">\n<li data-start=\"6000\" data-end=\"6021\">\n<p data-start=\"6002\" data-end=\"6021\">Baseline DB files<\/p>\n<\/li>\n<li data-start=\"6022\" data-end=\"6057\">\n<p data-start=\"6024\" data-end=\"6057\">All pre\/post lab DB extractions<\/p>\n<\/li>\n<li data-start=\"6058\" data-end=\"6078\">\n<p data-start=\"6060\" data-end=\"6078\">Video recordings<\/p>\n<\/li>\n<li data-start=\"6079\" data-end=\"6107\">\n<p data-start=\"6081\" data-end=\"6107\">Final zipped deliverable<\/p>\n<\/li>\n<li data-start=\"6108\" data-end=\"6149\">\n<p data-start=\"6110\" data-end=\"6149\">Manifest documenting each file\u2019s hash<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"6151\" data-end=\"6204\">These are available in the final deliverable package.<\/p>\n<hr data-start=\"6206\" data-end=\"6209\" \/>\n<h2 data-start=\"6211\" data-end=\"6241\"><strong data-start=\"6214\" data-end=\"6241\">About LTH Cybersecurity<\/strong><\/h2>\n<p data-start=\"6242\" data-end=\"6275\">LTH Cybersecurity specializes in:<\/p>\n<ul data-start=\"6277\" data-end=\"6468\">\n<li data-start=\"6277\" data-end=\"6309\">\n<p data-start=\"6279\" data-end=\"6309\">Mobile application forensics<\/p>\n<\/li>\n<li data-start=\"6310\" data-end=\"6340\">\n<p data-start=\"6312\" data-end=\"6340\">Browser behaviour analysis<\/p>\n<\/li>\n<li data-start=\"6341\" data-end=\"6367\">\n<p data-start=\"6343\" data-end=\"6367\">Digital investigations<\/p>\n<\/li>\n<li data-start=\"6368\" data-end=\"6394\">\n<p data-start=\"6370\" data-end=\"6394\">Vulnerability research<\/p>\n<\/li>\n<li data-start=\"6395\" data-end=\"6428\">\n<p data-start=\"6397\" data-end=\"6428\">Isolated testbed construction<\/p>\n<\/li>\n<li data-start=\"6429\" data-end=\"6468\">\n<p data-start=\"6431\" data-end=\"6468\">Reproducible forensic methodologies<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"6470\" data-end=\"6593\">If your organization requires high-integrity, legally defensible mobile browser analysis or expert testimony, LTH can help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":105,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10],"tags":[],"class_list":["post-104","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-case-studies"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.9 - aioseo.com -->\n\t<meta name=\"description\" content=\"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"LTH\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.9\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"LTH Blog - LTH Cybersecurity Blog\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog\" \/>\n\t\t<meta property=\"og:description\" content=\"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2025-11-22T21:22:18+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2025-11-22T21:22:18+00:00\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n\t\t<meta name=\"twitter:title\" content=\"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog\" \/>\n\t\t<meta name=\"twitter:description\" content=\"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"BlogPosting\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#blogposting\",\"name\":\"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog\",\"headline\":\"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)\",\"author\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/author\\\/lthadmin4545\\\/#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/#organization\"},\"image\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/11\\\/alohaimage.png\",\"width\":1024,\"height\":1024,\"caption\":\"Case Study Forensics\"},\"datePublished\":\"2025-11-22T21:22:18+00:00\",\"dateModified\":\"2025-11-22T21:22:18+00:00\",\"inLanguage\":\"en-US\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#webpage\"},\"articleSection\":\"Case Studies\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/category\\\/case-studies\\\/#listItem\",\"name\":\"Case Studies\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/category\\\/case-studies\\\/#listItem\",\"position\":2,\"name\":\"Case Studies\",\"item\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/category\\\/case-studies\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#listItem\",\"name\":\"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#listItem\",\"position\":3,\"name\":\"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/category\\\/case-studies\\\/#listItem\",\"name\":\"Case Studies\"}}]},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/#organization\",\"name\":\"LTH Blog LTH Cybersecurity\",\"description\":\"LTH Cybersecurity Blog Secure your business today with managed cybersecurity services by LTH Cybersecurity. Saskatchewan based, indigenous owned\",\"url\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/07\\\/logo.png\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#organizationLogo\",\"width\":726,\"height\":395},\"image\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#organizationLogo\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/lthcybersecurity\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/author\\\/lthadmin4545\\\/#author\",\"url\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/author\\\/lthadmin4545\\\/\",\"name\":\"LTH\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#authorImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d9f877c84138adfccf22dcb5e6caae04e41d7d0b51444b228b99084367aa44de?s=96&d=mm&r=g\",\"width\":96,\"height\":96,\"caption\":\"LTH\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#webpage\",\"url\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/\",\"name\":\"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog\",\"description\":\"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\\\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\\u2014no automatic entries were ever written to the browser\\u2019s\",\"inLanguage\":\"en-US\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/author\\\/lthadmin4545\\\/#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/author\\\/lthadmin4545\\\/#author\"},\"image\":{\"@type\":\"ImageObject\",\"url\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/11\\\/alohaimage.png\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#mainImage\",\"width\":1024,\"height\":1024,\"caption\":\"Case Study Forensics\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\\\/#mainImage\"},\"datePublished\":\"2025-11-22T21:22:18+00:00\",\"dateModified\":\"2025-11-22T21:22:18+00:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/\",\"name\":\"LTH Blog\",\"description\":\"LTH Cybersecurity Blog\",\"inLanguage\":\"en-US\",\"publisher\":{\"@id\":\"https:\\\/\\\/lthcybersecurity.com\\\/blog\\\/#organization\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog","description":"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s","canonical_url":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/","robots":"max-image-preview:large","keywords":"","webmasterTools":{"miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"BlogPosting","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#blogposting","name":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog","headline":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)","author":{"@id":"https:\/\/lthcybersecurity.com\/blog\/author\/lthadmin4545\/#author"},"publisher":{"@id":"https:\/\/lthcybersecurity.com\/blog\/#organization"},"image":{"@type":"ImageObject","url":"https:\/\/lthcybersecurity.com\/blog\/wp-content\/uploads\/2025\/11\/alohaimage.png","width":1024,"height":1024,"caption":"Case Study Forensics"},"datePublished":"2025-11-22T21:22:18+00:00","dateModified":"2025-11-22T21:22:18+00:00","inLanguage":"en-US","mainEntityOfPage":{"@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#webpage"},"isPartOf":{"@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#webpage"},"articleSection":"Case Studies"},{"@type":"BreadcrumbList","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/lthcybersecurity.com\/blog#listItem","position":1,"name":"Home","item":"https:\/\/lthcybersecurity.com\/blog","nextItem":{"@type":"ListItem","@id":"https:\/\/lthcybersecurity.com\/blog\/category\/case-studies\/#listItem","name":"Case Studies"}},{"@type":"ListItem","@id":"https:\/\/lthcybersecurity.com\/blog\/category\/case-studies\/#listItem","position":2,"name":"Case Studies","item":"https:\/\/lthcybersecurity.com\/blog\/category\/case-studies\/","nextItem":{"@type":"ListItem","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#listItem","name":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)"},"previousItem":{"@type":"ListItem","@id":"https:\/\/lthcybersecurity.com\/blog#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#listItem","position":3,"name":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)","previousItem":{"@type":"ListItem","@id":"https:\/\/lthcybersecurity.com\/blog\/category\/case-studies\/#listItem","name":"Case Studies"}}]},{"@type":"Organization","@id":"https:\/\/lthcybersecurity.com\/blog\/#organization","name":"LTH Blog LTH Cybersecurity","description":"LTH Cybersecurity Blog Secure your business today with managed cybersecurity services by LTH Cybersecurity. Saskatchewan based, indigenous owned","url":"https:\/\/lthcybersecurity.com\/blog\/","logo":{"@type":"ImageObject","url":"https:\/\/lthcybersecurity.com\/blog\/wp-content\/uploads\/2025\/07\/logo.png","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#organizationLogo","width":726,"height":395},"image":{"@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#organizationLogo"},"sameAs":["https:\/\/www.linkedin.com\/company\/lthcybersecurity"]},{"@type":"Person","@id":"https:\/\/lthcybersecurity.com\/blog\/author\/lthadmin4545\/#author","url":"https:\/\/lthcybersecurity.com\/blog\/author\/lthadmin4545\/","name":"LTH","image":{"@type":"ImageObject","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#authorImage","url":"https:\/\/secure.gravatar.com\/avatar\/d9f877c84138adfccf22dcb5e6caae04e41d7d0b51444b228b99084367aa44de?s=96&d=mm&r=g","width":96,"height":96,"caption":"LTH"}},{"@type":"WebPage","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#webpage","url":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/","name":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog","description":"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s","inLanguage":"en-US","isPartOf":{"@id":"https:\/\/lthcybersecurity.com\/blog\/#website"},"breadcrumb":{"@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#breadcrumblist"},"author":{"@id":"https:\/\/lthcybersecurity.com\/blog\/author\/lthadmin4545\/#author"},"creator":{"@id":"https:\/\/lthcybersecurity.com\/blog\/author\/lthadmin4545\/#author"},"image":{"@type":"ImageObject","url":"https:\/\/lthcybersecurity.com\/blog\/wp-content\/uploads\/2025\/11\/alohaimage.png","@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#mainImage","width":1024,"height":1024,"caption":"Case Study Forensics"},"primaryImageOfPage":{"@id":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/#mainImage"},"datePublished":"2025-11-22T21:22:18+00:00","dateModified":"2025-11-22T21:22:18+00:00"},{"@type":"WebSite","@id":"https:\/\/lthcybersecurity.com\/blog\/#website","url":"https:\/\/lthcybersecurity.com\/blog\/","name":"LTH Blog","description":"LTH Cybersecurity Blog","inLanguage":"en-US","publisher":{"@id":"https:\/\/lthcybersecurity.com\/blog\/#organization"}}]},"og:locale":"en_US","og:site_name":"LTH Blog - LTH Cybersecurity Blog","og:type":"article","og:title":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog","og:description":"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s","og:url":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/","article:published_time":"2025-11-22T21:22:18+00:00","article:modified_time":"2025-11-22T21:22:18+00:00","twitter:card":"summary_large_image","twitter:title":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build) - LTH Blog","twitter:description":"LTH Cybersecurity conducted a controlled forensic investigation to determine whether a 2020-era build of the Aloha Browser (v2.x, Chromium\/WebView ~80) records internal database artifacts when popups are triggered without direct user interaction. Key Finding:Across all tested scenarios\u2014including redirect chains, iframe triggers, timer-based popups, and programmatic window.open() calls\u2014no automatic entries were ever written to the browser\u2019s"},"aioseo_meta_data":{"post_id":"104","title":null,"description":null,"keywords":null,"keyphrases":{"focus":{"keyphrase":"","score":0,"analysis":{"keyphraseInTitle":{"score":0,"maxScore":9,"error":1}}},"additional":[]},"primary_term":null,"canonical_url":null,"og_title":null,"og_description":null,"og_object_type":"default","og_image_type":"default","og_image_url":null,"og_image_width":null,"og_image_height":null,"og_image_custom_url":null,"og_image_custom_fields":null,"og_video":"","og_custom_url":null,"og_article_section":null,"og_article_tags":null,"twitter_use_og":false,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"BlogPosting","isEnabled":true},"graphs":[]},"schema_type":"default","schema_type_options":null,"pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":"-1","robots_max_videopreview":"-1","robots_max_imagepreview":"large","priority":null,"frequency":"default","local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":{"faqs":[],"keyPoints":[],"titles":[],"descriptions":[],"socialPosts":{"email":[],"linkedin":[],"twitter":[],"facebook":[],"instagram":[]}},"created":"2025-11-22 21:22:18","updated":"2025-11-22 21:31:11","seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/lthcybersecurity.com\/blog\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/lthcybersecurity.com\/blog\/category\/case-studies\/\" title=\"Case Studies\">Case Studies<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tCase Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/lthcybersecurity.com\/blog"},{"label":"Case Studies","link":"https:\/\/lthcybersecurity.com\/blog\/category\/case-studies\/"},{"label":"Case Study: Forensic Analysis of Popup Artifact Persistence in Aloha Browser (Android, 2020 Build)","link":"https:\/\/lthcybersecurity.com\/blog\/case-study-forensic-analysis-of-popup-artifact-persistence-in-aloha-browser-android-2020-build\/"}],"_links":{"self":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts\/104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/comments?post=104"}],"version-history":[{"count":2,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts\/104\/revisions"}],"predecessor-version":[{"id":116,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/posts\/104\/revisions\/116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/media\/105"}],"wp:attachment":[{"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/media?parent=104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/categories?post=104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lthcybersecurity.com\/blog\/wp-json\/wp\/v2\/tags?post=104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}