Google has a secret browser hidden inside the settings

3 minute read

Important Update: google reopen my report

Today, 3 days after I posted this blog, and it got extensive media coverage (mainly in English and in the mainstream Russian news), Google announced that they will reconsider my report

a

Google message about reopening my report

I recently discovered a secret browser located inside the “Manage my account” popup that Android has in various apps (quite important apps, such as Settings, and all Google suite apps). The browser even bypasses parental control!

My site open inside Settings app in my Android phone

How to get there?

Getting there…. takes some work:

  1. Go into Settings→Google (or any app that lets you choose your account) and click on “Manage my account”.
  2. Then go to the “Security” tab. In there, scroll down until you find “Password Manager”. Click on it.
  3. Click on the Settings icon in the top-right.
  4. Scroll down until “Set up on-device encryption” appears. Click on it, then click on “Learn more about on-device encryption”.
  5. Now you are in the browser. But you want to go to Google.com! So click on the hamburger menu, then click “Privacy Policy”.
  6. Tap the nine dots at the top, wait 5 seconds (it takes some time to load) and click “Search” (If you don’t find the search icon, you can also scroll down until Google and click on that)
  7. Logout from your Google account.
  8. You got the secret browser ! You can go anywhere. You can also play YouTube videos (with ads, unfortunately), and all of this is in the settings app (or whatever app you choose) !

LiveOverflow in Settings app

Browser overview:

Pros: It’s a pretty private browser : it has no history and it auto logs out of all Google accounts that were logged-in, at the end of the session.

Cons: the most obvious one is the back key, which means every time you press the back key, instead of going back one address in the history, it goes back into the password manage settings, but I guess it could be considered an advantage – as an emergency key for privacy.

The same goes for no address bar. (But look at the glass half full: it still doesn’t advertise itself on the installation page of other browsers).

But there are another things that prevent this browser from being a secure browser: The dangerous functions.

The dangerous functions:

As I was using this browser, I discovered a strange thing. A weird JavaScript object named mm. To see this, go to eruda, (just because it’s the best mobile JavaScript console I know) and type mm

Screenshot of eruda expend the `mm` object

Screenshot of eruda expend the 'mm' object

As you see, there are three functions:

Let’s start with closeView() function, because it’s the only clear function: it just closes your browser, as would happen if you press the back key. Not a standard JavaScript function, but nothing to worry about. (you can try it right there by typing into eruda mm.closeView())

Then you have two methods which I don’t know what they do, but they sound scary. As this is a secret-browser of the on-device encryption feature, I can guess, they are both used to set your local encryption keys. So it looks like a malicious website can put their keys there, and try to make you pay for them!

I think this is the time to tell you that I already reported this to Google, and they say this is not a security vulnerability (probably because this secret browser is not very popular), and that the parental control bypass is the “Intended Behavior” 🙂

Google’s answer to my report

If you enjoy using it, please let me know in the comments what you did with it.

Hope you enjoy your (new?) browser that you didn’t know you had !

There is a cool Hacker News discussion on this article.

Since I posted this blog, It received a lot of media attention, here are some of the websites that shared this blog

English (click to expand)
  • winaero (the company that created “Winaero Tweaker”)
  • techweekmag(They managed to get through this article without talking about parental controls at all)
  • cross-post to beehaw(an alternative reddit)
  • socialbites
  • gamingdeputy (looks like translation of the Russian news. It kind of misunderstood the last paragraph:”he was told that the browser is indeed safe”)
Russian (click to expand)
Other (click to expand)

Comments:

History Game

4 minute read

I made a game that detect browser history.