User agent

[vershinin]

Default user agent can contain too much sensitive information, such as mobile phone model number and browser build version. This is not secure, i think orweb surely should change user agent to some anonymous format.

[n8fr8]

If you set it to "Android" in the Settings, it will switch to Samsung Galaxy S2 user-agent.

You can also set to iPhone and other devices.

[vershinin]

Yes i see, but it should be default behaviour.

[vershinin]

Sorry, i haven't seen already closed bugs, there are already exist bugs concerning this issue. My bad. I think i should present a pull request.

[Macil]

I've got a relatively uncommon phone model which is in the user agent. Orweb defaults to using Tor, but announces something that identifiable by default? That ought to be fixed.

[Macil]

n8fr8: I just picked "Android (Default)" in the user agent menu (it says it's default but it wasn't already selected; in fact, nothing in the menu was selected), but it still shows my phone's specific model name in the user agent.

[n8fr8]

The WebView API says that our setting should be overriding it. If it is not, then yes that is a definite bug.

Which version of Orweb are you using, and where did you install it from?

[L2sGeOpfuaaoa8o]

I also see this behavior, per https://panopticlick.eff.org, even when Android (default) is the user agent. Orweb v2 0.4.4a (bin) from the F-Droid store + Orbot 12.0.3 from the F-Droid store.

This flaw completely destroys any semblance of anonymity, rendering Orbot+Orweb to the level of keeping one's ISP from listening in, but allowing everyone in the world to track you if you're on a rare OS (nightly builds, for example).

Orweb team, please use Panopticlick and the other services like it to check releases on at least one OS from a community group.