3

I was looking into spoofing a user agent, but all that has come up so far is spoofing the browser type. However, I can still see what kind of device I am using (tbh I'm not really even sure why someone would want to spoof the browser type).

I wanted to know if I can spoof my user agent so that it can become another device, or if there are any other methods so that when I use a browser, my device isn't shown. For example, if I own a Mac, does using Tor along with a proxy protect me from a website, like Gmail, finding the type of device I am using?

schroeder
  • 123,438
  • 55
  • 284
  • 319
user81864
  • 31
  • 1
  • 1
  • 4
  • Spoofing the browser type, as in the user-agent, includes both the specific browser and which operating system / device is running it – PunPun1000 Feb 19 '18 at 19:04
  • Tor will only protect you if you use **Tor Browser**, which uses a default user agent and quite effectively prevents fingerprinting. Plain Tor with your own browser will not. – forest Feb 20 '18 at 03:16
  • What do you mean by "device" if you mean something other than information represented in the user-agent? – symcbean Feb 20 '18 at 09:28

2 Answers2

3

Your device type is explicitly encoded in the user-agent string. Compare these UAs:

Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1
Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

In this example iPhone idicates, well, an iPhone, and SCH-I535 is the model number of a Galaxy S3. Consequently, if you change the UA to a custom string, most websites will identify you as a different device. However, there are also many advanced device fingerprinting techniques which are potentially less accurate but also harder to block.

if I own a Mac, does using TOR along with a proxy protecting me from a website like Gmail finding the type of device I am using?

The Tor browser aims for a design that minimizes possibilites for device fingerprinting. However, it can't stop everything. For example, if you're running the browser in full-screen mode, you're giving away your device's screen resolution. You can read the Tor browser docs chapter on fingerprinting for an extensive list of what exact measures they take.

Arminius
  • 43,922
  • 13
  • 140
  • 136
3

The user-agent header can be used to determine what type of machine device you are running. By default, most browsers will send some type of identifying information in that header which includes what browser you are using as well as your machine. For example, using chrome on a MacBook running OSX might cause your user agent to look something like this:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Notice how not only is the web browser identified (Chrome) but also the machine (Intel Mac OS X). If you were to change the user-agent to imitate another operating system it might look like this:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

In this case, the target website might assume you are running windows as a base operating system, still using chrome.

Using Tor or a proxy will not keep a website such as Gmail from knowing what type of device you are using as long as your browser is sending the user-agent header which identifies it. Browsers will sometimes allow you to send a custom user-agent if you want. Firefox / Tor support this natively while I believe Chrome requires you to use an add-on to do so.

forest
  • 64,616
  • 20
  • 206
  • 257
PunPun1000
  • 1,385
  • 1
  • 9
  • 7
  • Thank you! How can I change the user-agent to imitate another operating system like you showed me, so that the website assumes I am running for example Windows instead of MacOS? And when i am using Mac OS X, my user-agent shows my exact device, however when you changed it to look as a windows OS, there is no device attached to it... meaning I can only see the OS being used wheras w MacOS, I know that I am using a Macintosh – user81864 Feb 19 '18 at 19:51
  • @user81864 That's going to depend on your browser. There's a summary of ways you can do it for the different browsers on [osxdaily](http://osxdaily.com/2013/01/16/change-user-agent-chrome-safari-firefox/) from 2013, but that might be a bit outdated. – PunPun1000 Feb 19 '18 at 20:01
  • I meant if I was going to use TOR browser. sorry for not specifying – user81864 Feb 19 '18 at 20:08
  • @user81864 There's a question over on the tor stackexhange about this. Tor is built on Firefox so it's going to be basically the same steps: https://tor.stackexchange.com/questions/1239/have-tor-appear-to-be-a-different-browser – PunPun1000 Feb 19 '18 at 20:10
  • You cannot change your user agent to spoof your device, because device fingerprinting will still give away what device you are using, regardless of UA. See the AmIUnique paper and PoC. – forest Feb 20 '18 at 02:57