Monday of last week, Magnet released the 2nd challenge for their weekly CTF. This weeks challenge is worth 30 points.
The question asks What domain was most recently viewed via an app that has picture-in-picture capability? Picture-in-picture is the ability for a window, typically a video or stream, to pop out of an app and stay on the screen - even when on the homescreen or in other applications. The solution to the challenge is a domain recently viewed via an app with that capability. The wording used in the question indicates it’s probably viewed by the user and not a background request by an app or something similar.
A quick Google search shows that several popular Android apps support PIP. Such as WhatsApp, Google Maps, Google Duo, Google Chrome, and Facebook. From the Extraction Summary page in Cellebrite, we can view the phone’s installed applications.
Looking through the list of apps, several with PIP support are installed. The user most likely isn’t going to view a domain through Google Maps or Google Duo. Chrome as well as Facebook can be used for visiting web pages though. Starting with Chrome, we can select the application and then hit Run App Genie. AppGenie will parse the application data it can find stored in the Chrome app.
The app contains a History database. This is found at /data/data/com.android.chrome/app_chrome/Default/History. AppGenie nicely parses the data and places it in a table for us to view. We can sort the table by the Last visited time to see the most recent link visited.
This shows at that http://malliesae.com/investor-page/ was the last visited page. The challenge question asks for the domain viewed, so our answer is http://malliesae.com. Inputting this into the answer box, and viola! #2 solved!
