to steal a browser's cookie files without a user's knowledge, and then perform actions (like installing Android apps) without the user's knowledge. An attacker with physical access can simply attempt to steal the session key by, for example, obtaining the file or memory contents of the appropriate part of either the user's computer or the server.

After successfully acquiring appropriate session cookies an adversary would inject the session cookie into their browser to impersonate the victim user on