Important Update: Google reopened my report
I recently discovered a secret browser located inside the “Manage my account” popup that Android has in various apps (quite important apps, such as Settings, and all Google suite apps). The browser even bypasses parental control!
How to get there?
Getting there… takes some work:
- Go into Settings→Google (or any app that lets you choose your account) and click on “Manage my account”.
- Then go to the “Security” tab. In there, scroll down until you find “Password Manager”. Click on it.
- Click on the Settings icon in the top-right.
- Scroll down until “Set up on-device encryption” appears. Click on it, then click on “Learn more about on-device encryption”.
- Tap the nine dots at the top, wait 5 seconds (it takes some time to load) and click “Search” (If you don’t find the search icon, you can also scroll down until
- Log out from your Google account.
- You got the secret browser! You can go anywhere. You can also play YouTube videos (with ads, unfortunately), and all of this is in the Settings app (or whatever app you choose)!
Pros: It’s a pretty private browser: it has no history, and at the end of the session it automatically logs out of all Google accounts that were logged in.
Cons: the most obvious one is the back key: every time you press it, instead of going back one address in the history, it goes back to the password manager settings. But I guess it could be considered an advantage, as an emergency key for privacy.
The same goes for the lack of an address bar. (But look at the glass half full: it still doesn’t advertise itself on the installation page of other browsers.)
But there is another thing that prevents this browser from being a secure browser: the dangerous functions.
The dangerous functions:
As you see, there are three functions:
Let’s start with
Then you have two methods which I don’t know what they do, but they sound scary. As this is a secret browser of the on-device encryption feature, I can guess they are both used to set your local encryption keys. So it looks like a malicious website can put its keys there, and try to make you pay for them!
I think this is the time to tell you that I already reported this to Google, and they say this is not a security vulnerability (probably because this secret browser is not very popular), and that the parental control bypass is the “Intended Behavior” 🙂
If you enjoy using it, please let me know in the comments what you did with it.
Hope you enjoy your (new?) browser that you didn’t know you had!
There is a cool Hacker News discussion on this article.
Since I posted this blog, it has received a lot of media attention. Here are some of the websites that shared it:
English
- winaero (the company that created “Winaero Tweaker”)
- techweekmag (they managed to get through this article without talking about parental controls at all)
- cross-post to beehaw (an alternative Reddit)
- gamingdeputy (looks like a translation of the Russian news. It kind of misunderstood the last paragraph: “he was told that the browser is indeed safe”)