User-Agent does not match correct User-Agent sent by actual app

Question

User-Agent does not match correct User-Agent sent by actual app

Closed this issue 8 years ago · 10 comments

NoOne-dev commented 8 years ago

MITM example:
"Name": "User-Agent", "Value": "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30Y)"

What API sends:
"Name": "User-Agent", "Value": "Niantic App"

Answer 1 · 2016-08-28T05:58:12.000Z

The user agent for me (on iOS) on RPCs is Niantic App.

For other domains, like panoramio.com and upsight-api.com it's pokemongo/2 CFNetwork/758.5.3 Darwin/15.6.0.

Answer 2 · 2016-08-28T18:53:45.000Z

The User-Agent appears to be set in pgoapi/pgoapi.py:L65

self._session.headers.update({'User-Agent': 'Niantic App'})

This has been in the codebase since #77, where the setting of User-Agent was moved to pgoapi.py from rpc_api.py. Is there a bug with this or am I missing something?

Answer 3 · 2016-08-28T19:05:48.000Z

Should be a parameter defaulting to the Android version

Answer 4 · 2016-08-30T10:32:44.000Z

Should it? Can I get some feedback and I can make it happen :D May I propose a boolean for this purpose?

Answer 5 · 2016-08-30T18:37:57.000Z

I'm not against allowing configuration, but I would think that defaulting to iOS would be better. iOS seems to be easier to spoof: generic user agent, less satellite info, smaller selection of devices with larger individual user bases (to blend in with), etc.

Answer 6 · 2016-08-30T21:18:28.000Z

I think defaulting to iOS is much much worse. First of all ActivityStatus I believe is still pending to be explored. Then, the device base is SO large in android devices that device_info is pretty meaningless. There are many many brands, and thousands of sensors types that are used, therefore, again, sensor values become meaningless for detection. GpsInfo has been pretty much solved : https://talk.pogodev.org/d/20-class-for-androidgpsinfo-proto and gps hardware variability is also large.

EDIT: to give you an example, my Moto device doesnt have gyro, doesnt have magn, and has only 2 axis acc with the third value missing. Isn`t that simpler?

Answer 7 · 2016-09-01T06:06:22.000Z

@vosk My thinking is that while the variation with Android devices may make it a little harder for Niantic to check validity, the relative uniformity of iOS makes it easier to craft actually valid requests. And for our API code, it can largely be as simple as "do what all iPhones do" (and if there is variation, there are only a handful of devices to check) instead of "if device is some_model, include these fields, but not these, and set the user agent to this, etc." for hundreds of configurations.

So for your example, if we're emulating iOS all we have to do is set the gyroscope fields and it's valid for all of Apple's many millions of compatible devices. If we just set it without checking the device info, it'll be valid for some Android models and not others. So if Niantic scans their database for that particular model and sees that some requests are impossibly providing gyroscope data, that'll act as a big red sign saying "I'm fake!"

Perhaps we could provide options to customize which fields are included and such (for the few applications and users that will meticulously customize such things), or base some things on the device information passed by the user, but when it comes to setting defaults that will be the most widely applicable: it's my opinion that iOS is a better candidate.

Answer 8 · 2016-09-01T06:07:45.000Z

Also, I finally got around to confirming this issue on an Android device.

User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 7 Build/MOB30X)

Answer 9 · 2016-09-08T11:52:55.000Z

Why priority lowered?

Answer 10 · 2016-09-09T09:32:21.000Z

My solution is available at :
https://github.com/vosk/pgoapi/blob/voskmaster/pgoapi/pgoapi.py#L49
And my custom android class override is available at:
https://github.com/vosk/PokemonGo-Bot/blob/dev/pokemongo_bot/api_wrapper.py#L20