Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Chrome's user agent reduction results in no longer detecting Android tablets as a tablet device #942

Open
AdmDevelopment opened this issue Oct 12, 2023 · 4 comments

Comments

@AdmDevelopment
Copy link

AdmDevelopment commented Oct 12, 2023

Thanks to Chrome's "user agent reduction" the user agent in Chrome no longer contains dynamic device and operating system information. For Android the operating system is fixed as Android 10 and the device model is set to K. The only thing that appears to be dynamic is the Major Version of Chrome. They did this to combat fingerprinting.

More info: https://developer.chrome.com/blog/user-agent-reduction-android-model-and-version/

The user agents are:

Android Tablet using Chrome:
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{MAJOR_VERSION}.0.0.0 Safari/537.36

Android Smartphone using Chrome:
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{MAJOR_VERSION}.0.0.0 Mobile Safari/537.36

Replace {MAJOR_VERSION} with 117 for the user agent in Chrome 117 on android devices.

On Android tablet devices the isMobile() method currently returns true since "Android" matched, however isTablet() fails to detect the tablet device.

I added the following to $tabletDevices in MobileDetect v4.8.02 to detect the Android tablets using Chrome:
"ChromeUserAgentReductionAndroidTablet" => 'Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/(\d+).0.0.0 Safari/537.36'

I used the complete user agent since it should be static except the Major Version.

It appears they are now storing specific information inside User Agent Client Hints in the HTTP headers:
https://web.dev/articles/migrate-to-ua-ch

@serbanghita
Copy link
Owner

It appears they are now storing specific information inside User Agent Client Hints in the HTTP headers:
https://web.dev/articles/migrate-to-ua-ch

That is the most stupid solution ever proposed in the space of User-Agents and Web in general.

The original RFC 1945 from May '96 states that the field "can contain multiple product tokens", a product token being something like MyBrowser/12.3.4 or simply MyBrowser.
This has always been broad enough to offer low entropy so that an user cannot be uniquely tracked.

On the mentioned article and the specs, Google describes User-Agent as the main actor of "passive fingerprinting", "being difficult to process", "there's a lot of entropy wrapped up in the UA string", etc. This is absolute bollocks:

  1. You cannot fingerprint solely on UA, you also need HTTP headers with Cookies & friends.
  2. It's not difficult to process. See this library and others that split the tokens. Whoever needs to "process" UA strings knows that this is just a contextualized tokenization process.
  3. There is not a lot of entropy in the UA string. Take a look at our User-Agent tests https://github.com/serbanghita/Mobile-Detect/tree/4.8.x/tests/providers/vendors - the strings speak for themselves.

Related to #906 (comment)

@lcsqlpete
Copy link

This problem is worse now. The User Agent for Chrome running on my Pixel tablet is

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

It no longer contains "Android" so isMobile() returns false.

I also tried javascript navigator.userAgentData.mobile and it too returns false.

@digifa
Copy link
Contributor

digifa commented Nov 7, 2024

Like written in the initial post, this problem has been introduced by Google/Chromium. There is also the solution mentioned - these has to be integrated in Mobile-Detect.
This does not seem to be a major problem to be solved in Mobile-Detect (you have to add the Sec-CH-UA, Sec-CH-UA-Model and Sec-CH-UA-Mobile Header for analyzing) BUT to get the -Model and -Mobile Header you have to add the Accept-CH Header with the requested Headers to the Response (of the Server). (You can do that by adding it by e.g. headers_module, mod_rewrite or manually in your Code) So you get this information first time in the second Request, only per HTTPS and when the user is not blocking this! (Also it is still not supported by Safari & Firefox at least Firefox still implements the "old" behaviour.)

@digifa
Copy link
Contributor

digifa commented Nov 8, 2024

@serbanghita there is a partial fix in #962 by @kevinkimball to solve the problem for identifying mobile devices.

Next step could be identifying tablets by Model from Sec-CH-UA Header.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants