I recently discovered a secret browser located inside the “Manage my account” popup that Android has in various apps (quite important apps, such as Settings, and all Google suite apps). The browser even bypasses parental control!

My site open inside Settings app in my Android phone

How to get there?

Getting there…. takes some work:

1. Go into Settings→Google (or any app that lets you choose your account) and click on “Manage my account”.

2. Then go to the “Security” tab. In there, scroll down until you find “Password Manager”. Click on it.

3. Click on the ‘Settings’ icon in the top-right.

4. Scroll down until “Set up on-device encryption” appears. Click on it, then click on “Learn more about on-device encryption”.

5. Now you are in the browser. But you want to go to Google.com! So click on the hamburger menu, then click “Privacy Policy”.

6. Tap the nine dots at the top, wait 5 seconds (it takes some time to load) and click “Search” (If you don’t find the search icon, you can also scroll down until ‘Google’ and click on that)

7. Logout from your Google account.

8. You got the secret browser ! You can go anywhere. You can also play YouTube videos (with ads, unfortunately), and all of this is in the settings app (or whatever app you choose) !

LiveOverflow in Settings app

Browser overview:

Pros: It’s a pretty private browser : it has no history and it auto logs out of all Google accounts that were logged-in, at the end of the session.

Cons: the most obvious one is the back key, which means every time you press the back key, instead of going back one address in the history, it goes back into the password manage settings, but I guess it could be considered an advantage – as an emergency key for privacy.

The same goes for no address bar. (But look at the glass half full: it still doesn’t advertise itself on the installation page of other browsers).

But there are another things that prevent this browser from being a secure browser: The dangerous functions.

The dangerous functions:

As I was using this browser, I discovered a strange thing. A weird JavaScript object named mm. To see this, go to eruda, (just because it’s the best mobile JavaScript console I know) and type mm

Screenshot of eruda expend the `mm` object
Screenshot of eruda expend the mm object

As you see, there are three functions:

Let’s start with closeView() function, because it’s the only clear function: it just closes your browser, as would happen if you press the back key. Not a standard JavaScript function, but nothing to worry about. (you can try it right there by typing into eruda ‘mm.closeView()‘)

Then you have two methods which I don’t know what they do, but they sound scary. As this is a secret-browser of the ‘on-device encryption’ feature, I can guess, they are both used to set your local encryption keys. So it looks like a malicious website can put their keys there, and try to make you pay for them!

I think this is the time to tell you that I already reported this to Google, and they say this is not a security vulnerability (probably because this secret browser is not very popular), and that the parental control bypass is the “Intended Behavior” 🙂

Google’s answer to my report

If you enjoy using it, please let me know in the comments what you did with it.

Hope you enjoy your (new?) browser that you didn’t know you had !

Read More