search

serbanghita / Mobile-Detect

Mobile_Detect is a lightweight PHP class for detecting mobile devices (including tablets). It uses the User-Agent string combined with specific HTTP headers to detect the mobile environment.
http://mobiledetect.net
MIT License
10.52k stars 2.67k forks source link

Chrome's user agent reduction results in no longer detecting Android tablets as a tablet device #942

Open AdmDevelopment opened 11 months ago

AdmDevelopment commented 11 months ago

Thanks to Chrome's "user agent reduction" the user agent in Chrome no longer contains dynamic device and operating system information. For Android the operating system is fixed as Android 10 and the device model is set to K. The only thing that appears to be dynamic is the Major Version of Chrome. They did this to combat fingerprinting.

More info: https://developer.chrome.com/blog/user-agent-reduction-android-model-and-version/

The user agents are:

Android Tablet using Chrome: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{MAJOR_VERSION}.0.0.0 Safari/537.36

Android Smartphone using Chrome: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/{MAJOR_VERSION}.0.0.0 Mobile Safari/537.36

Replace {MAJOR_VERSION} with 117 for the user agent in Chrome 117 on android devices.

On Android tablet devices the isMobile() method currently returns true since "Android" matched, however isTablet() fails to detect the tablet device.

I added the following to $tabletDevices in MobileDetect v4.8.02 to detect the Android tablets using Chrome: "ChromeUserAgentReductionAndroidTablet" => 'Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/(\d+).0.0.0 Safari/537.36'

I used the complete user agent since it should be static except the Major Version.

It appears they are now storing specific information inside User Agent Client Hints in the HTTP headers: https://web.dev/articles/migrate-to-ua-ch

serbanghita commented 10 months ago

It appears they are now storing specific information inside User Agent Client Hints in the HTTP headers: https://web.dev/articles/migrate-to-ua-ch

That is the most stupid solution ever proposed in the space of User-Agents and Web in general.

The original RFC 1945 from May '96 states that the field "can contain multiple product tokens", a product token being something like MyBrowser/12.3.4 or simply MyBrowser. This has always been broad enough to offer low entropy so that an user cannot be uniquely tracked.

On the mentioned article and the specs, Google describes User-Agent as the main actor of "passive fingerprinting", "being difficult to process", "there's a lot of entropy wrapped up in the UA string", etc. This is absolute bollocks:

  1. You cannot fingerprint solely on UA, you also need HTTP headers with Cookies & friends.
  2. It's not difficult to process. See this library and others that split the tokens. Whoever needs to "process" UA strings knows that this is just a contextualized tokenization process.
  3. There is not a lot of entropy in the UA string. Take a look at our User-Agent tests https://github.com/serbanghita/Mobile-Detect/tree/4.8.x/tests/providers/vendors - the strings speak for themselves.

Related to https://github.com/serbanghita/Mobile-Detect/issues/906#issue-1461797596

lcsqlpete commented 1 month ago

This problem is worse now. The User Agent for Chrome running on my Pixel tablet is

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

It no longer contains "Android" so isMobile() returns false.

I also tried javascript navigator.userAgentData.mobile and it too returns false.