Spoof "Android 10" OS version in Firefox Android’s User-Agent string on Android versions <= 10
Categories: Core :: Networking: HTTP, task, P3
People: Reporter: cpeterson, Assigned: cpeterson
References: Blocks 1 open bug
Details: Whiteboard: [necko-triaged]
Attachments: 2 files
In bug 1865766, I tried to freeze the Android OS version exposed in Firefox Android's UA string at "Android 10", to reduce fingerprintable user information passively exposed to the web and to match Chrome. As part of Chrome’s UA reduction, Google froze the Android version exposed in Chrome’s UA string at "Android 10" (in Chrome 110, May 2023): https://www.chromium.org/updates/ua-reduction
However, we ran into a webcompat problem (bug 1876742) where Firefox users couldn't log into some work websites because Duo authentication's "Trusted Endpoint" OS version checks blocked users with Android versions < 11. Enterprise admins can configure Duo authentication to only permit client OS versions they consider secure enough to log into their work websites. This problem didn't affect Chrome because Duo can use Chrome's User-Agent Client Hints API to query the real OS version. Adding Firefox support for User-Agent Client Hints API is bug 1750143.
In this bug, I propose we try freezing the UA string at "Android 10" for Android versions <= 10. Duo's "Trusted Endpoint" OS version checks should still work because websites will see real version numbers for Android versions >= 11, whereas Firefox on Android versions 5.0, 5.1, 6.0, 7.0, 7.1, 8.0, 8.1, and 9 will pretend to be "Android 10". This change already rode the trains when I tried to freeze the Android version for all versions (in bug 1865766) and the only webcompat problem we found only affected users with Android versions >= 11 and will benefit from reduced fingerprintable information.
Example UA strings:
BEFORE: Mozilla/5.0 (Android 5.0; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0
BEFORE: Mozilla/5.0 (Android 5.1; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0
BEFORE: Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0
AFTER: Mozilla/5.0 (Android 10; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0
Comment 1•1 year ago
% of Firefox Android users with different Android OS versions:
https://sql.telemetry.mozilla.org/queries/80030
- Android 11-14 = 42%
- Android 10 = 12%
- Android 5-9 = 46% (With my patch, these users would spoof "Android 10", thus making a total of 58% of all Firefox users reporting "Android 10".)
Comment 2•1 year ago
I still deem exposing "general.useragent.override" the most viable solution:
https://bugzilla.mozilla.org/show_bug.cgi?id=1860417#c29
Comment 3•1 year ago
Comment 4•1 year ago
In bug 1865766, I tried to freeze the Android OS version exposed in Firefox Android's UA string at "Android 10", to reduce fingerprintable user information exposed to the web and to match Chrome. However, we ran into a webcompat problem (bug 1876742) where Firefox users couldn't log into at least one work website because the website's admin configured Duo authentication's "Trusted Endpoint" OS version checks to block users with Android versions < 11.
To work around that problem, spoof "Android 10" only for Android versions < 10. Duo's "Trusted Endpoint" OS version checks should still work because websites will see real version numbers for Android versions >= 10, whereas Firefox on Android versions < 10 will pretend to be "Android 10" and benefit from reduced fingerprintable user information.
Depends on D209626
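The following is an added C++ example, not Gecko's own code, that models the rule spelled out in the bug description and again in comment 4: a freeze-everything policy (bug 1865766) beside the freeze-at-most-10 policy proposed here, the UA template taken from the example strings in the description, and a server-side "minimum OS version" check of the kind the description attributes to Duo's Trusted Endpoint feature. The function names are hypothetical, and the policy check is an assumption about how such a check reads the version back out of the UA string, not Duo's code.

```cpp
#include <iostream>
#include <string>

// Policies under comparison (hypothetical names, not Gecko's):
//   FreezeAll      - bug 1865766: every Android version reports "Android 10"
//   FreezeAtMost10 - this bug: only versions <= 10 report "Android 10"
enum class FreezePolicy { FreezeAll, FreezeAtMost10 };

// Major version of an Android release string such as "5.1", "10" or "14".
// Returns 0 when the string has no leading integer.
int AndroidMajorVersion(const std::string& release) {
  try {
    return std::stoi(release);
  } catch (...) {
    return 0;
  }
}

// OS version that the UA string reports for a given real release string.
std::string ReportedAndroidVersion(const std::string& release, FreezePolicy policy) {
  if (policy == FreezePolicy::FreezeAll) {
    return "10";
  }
  // Versions 5.0 .. 10 collapse into "10"; 11 and later pass through unchanged.
  return AndroidMajorVersion(release) <= 10 ? "10" : release;
}

// UA template taken from the example strings in the bug description.
std::string BuildFirefoxAndroidUA(const std::string& osVersion, const std::string& geckoVersion) {
  return "Mozilla/5.0 (Android " + osVersion + "; Mobile; rv:" + geckoVersion +
         ") Gecko/" + geckoVersion + " Firefox/" + geckoVersion;
}

// Server side: pull the "Android X" token back out of a UA string.
// Returns an empty string when the UA does not carry an Android version.
std::string ParseAndroidVersionFromUA(const std::string& ua) {
  const std::string key = "(Android ";
  std::string::size_type start = ua.find(key);
  if (start == std::string::npos) return "";
  start += key.size();
  std::string::size_type end = ua.find(';', start);
  if (end == std::string::npos) return "";
  return ua.substr(start, end - start);
}

// Model of a "minimum OS version" endpoint check that only has the UA string
// to go on (an assumption about how such checks read the UA; not Duo's code).
bool PassesMinimumOsPolicy(const std::string& ua, int minimumMajor) {
  std::string reported = ParseAndroidVersionFromUA(ua);
  if (reported.empty()) return false;
  return AndroidMajorVersion(reported) >= minimumMajor;
}

int main() {
  const std::string gecko = "123.0";
  const int minimumMajor = 11;  // the policy from bug 1876742: block Android < 11
  for (const std::string release : {"5.0", "5.1", "9", "10", "14"}) {
    for (FreezePolicy policy : {FreezePolicy::FreezeAll, FreezePolicy::FreezeAtMost10}) {
      std::string ua = BuildFirefoxAndroidUA(ReportedAndroidVersion(release, policy), gecko);
      std::cout << (policy == FreezePolicy::FreezeAll ? "freeze-all   " : "freeze-<=10  ")
                << "real " << release << " -> " << ua
                << "  policy(min " << minimumMajor << "): "
                << (PassesMinimumOsPolicy(ua, minimumMajor) ? "allow" : "block") << "\n";
    }
  }
  return 0;
}
```

Running it shows the trade-off the two comments describe: under freeze-all an Android 14 device presents as "Android 10" and is blocked by a minimum-11 policy, while under freeze-at-most-10 that device keeps its real version and passes, and every device on 5.0 through 10 still presents the same "Android 10" string.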
Comment 6•1 year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5564460104a3
https://hg.mozilla.org/mozilla-central/rev/fbede2469d1e
Comment 7•1 year ago
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.