The Duck Hunters Guide - Blog #6 - DuckDuckGo Fireproof Sites (Android)

In this post I want to talk about fireproof sites in the Android version of the DuckDuckGo web browser and what information is immune to the fire button when a site is fireproofed.

The concept of Fireproofing a site is a little misleading, and when I searched online there was not much chatter about what this feature in the browser actually does. One would think that fireproofing a site would make browsing-related artifacts immune to the fire button, but this is not true.

As part of my research process, I fireproofed a site and then examined what data remained after clearing browsing data using the Fire Button.

What I found is that the Fireproof feature preserves cookies for the selected site so users don’t need to log in again after clearing data (session cookies remain intact). However, browsing history, cache, and other site data are still cleared, even for fireproofed sites.

We will start by determining which sites the user has fireproofed. This information can be found in app.db.

app.db location: data\data\com.duckduckgo.mobile.android\databases\

The table of interest here is the fireproofWebsites table. It is a very easy table to decipher as it just has one column called "Domain". Each record in this table refers to a domain that the user has fireproofed.

In my example, I just have 1 fireproofed site: formula1.com


Cookies are the only artifact left intact for fireproof sites. While the mechanics of cookies are well documented elsewhere, it is useful to note that the cookies database records both the creation time and the last access time for each cookie.

As DuckDuckGo blocks third-party cookies by default, cookies stored in the database will generally be first-party cookies (with a few exceptions). Therefore, the creation date and last access date of a cookie can indicate that the user visited or interacted with the site at those specific times.

DuckDuckGo has 2 SQLite cookies databases; however, throughout my research I have only seen the one in the app_webview directory being used.

Cookies location: data\data\com.duckduckgo.mobile.android\app_webview\Default\Cookies

This database has the same structure as the standard Chromium cookies database that you see with Google Chrome, Edge, Brave, etc., where all the information is stored in the Cookies table.

In my example, all the cookies for formula1.com still persist after clearing data. Looking at the dates, the cookies were created between 2025-04-06 16:23:08 and 16:25:13 UTC, and the last accessed time was between 2025-04-06 16:25:03 and 2025-04-06 16:25:46 UTC.
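The correlation described above can be scripted. The following Python is an added example, not code from the original post or from DuckDuckGo: it reads the fireproofed domains, matches them against cookie `host_key` values, and converts the Chromium timestamps (microseconds since 1601-01-01 UTC) into a visit window per domain. The `host_key`, `creation_utc` and `last_access_utc` columns are those of the standard Chromium cookies schema; the function names, simplified in-memory databases and cookie names are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    # Chromium cookie times: microseconds since 1601-01-01 UTC; 0 means "not set"
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def fireproof_cookie_windows(app_db, cookies_db):
    """Map each fireproofed domain to (cookie count, earliest creation, latest access)."""
    domains = [r[0] for r in app_db.execute("SELECT domain FROM fireproofWebsites")]
    rows = cookies_db.execute(
        "SELECT host_key, creation_utc, last_access_utc FROM cookies").fetchall()
    report = {}
    for d in domains:
        # host_key may be 'formula1.com', '.formula1.com' or a subdomain of it
        hits = [(c, a) for h, c, a in rows
                if h.lstrip(".") == d or h.endswith("." + d)]
        created = [webkit_to_utc(c) for c, _ in hits if c]
        accessed = [webkit_to_utc(a) for _, a in hits if a]
        report[d] = (len(hits), min(created, default=None), max(accessed, default=None))
    return report

def build_sample():
    # Constructed stand-ins for app.db and Cookies (simplified schemas, made-up cookie names).
    # On an extraction, open the real files read-only instead:
    #   sqlite3.connect("file:Cookies?mode=ro", uri=True)
    app_db, cookies_db = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    app_db.execute("CREATE TABLE fireproofWebsites (domain TEXT PRIMARY KEY)")
    app_db.execute("INSERT INTO fireproofWebsites VALUES ('formula1.com')")
    cookies_db.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, "
                       "creation_utc INTEGER, last_access_utc INTEGER)")
    t = lambda h, m, s: utc_to_webkit(datetime(2025, 4, 6, h, m, s, tzinfo=timezone.utc))
    cookies_db.executemany("INSERT INTO cookies VALUES (?,?,?,?)", [
        (".formula1.com", "sample_a", t(16, 23, 8), t(16, 25, 3)),
        ("www.formula1.com", "sample_b", t(16, 25, 13), t(16, 25, 46)),
        (".notformula1.com", "sample_c", t(15, 0, 0), t(17, 0, 0)),  # must not match
    ])
    return app_db, cookies_db

if __name__ == "__main__":
    for domain, (n, first, last) in fireproof_cookie_windows(*build_sample()).items():
        print(domain, n, first, last)
```

Matching is done on the domain boundary rather than with a substring search, so a look-alike host such as `notformula1.com` is not attributed to the fireproofed site.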


Conclusion

Whilst the Fireproof feature was less fruitful than I expected, it did yield an artifact that we can tie back to browsing history.

As is often the case when examining privacy-centric applications, you're sometimes left with only scraps, but even then... something is better than nothing!

Another successful day of hunting Android DuckDuckGo artifacts 🍻







