5

As I was testing my web app in Chrome for iOS (both iPhone and iPad), I noticed a weird ID appended to the user agent string, e.g.:

    alert(navigator.userAgent)

would produce something like this (note the "3810AC74-327F-43D7-A905-597FF9FDFEAB" part at the end):

    Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X; en-us) AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/21.0.1180.77 Mobile/9B206 Safari/7534.48.3 (3810AC74-327F-43D7-A905-597FF9FDFEAB)

This ID seems to be tab specific and persists even when going to a different site.

My question is whether anyone knows anything about this and what it may be used for.

Update:

This GUID was appended to overcome the limitations of UIWebView. Kudos to eric for pointing this out in the comments.

Community
chromice

2 Answers

1

That ID is not related in any way to tracking.

There is a Chromium bug that goes into the details of why it is necessary: basically, it's needed in order to implement tabs.

From the bug tracker:

There is no API in iOS to know, in the network layer, from which UIWebView a network request is coming from.

[...] the solution [...] all the UIWebViews get the tabID (which is only local to the device) added to the user agent string.

You might also want to check a few Twitter threads discussing this with further info.

Razor
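
The tab ID described in the answer above can be separated from the rest of the user agent string, for example to confirm from request logs that it never reaches the server, or to keep it out of analytics grouping keys. This is an added example, not code from the original posts or from Chromium; the function names and the sample list are made up here, and it assumes the ID is always a trailing parenthesized GUID on a CriOS user agent, as in the question.

```javascript
// Added example: split the per-tab ID off a Chrome for iOS user agent string.
// Assumption: the ID is the last token, a GUID in parentheses, as in the question.
const TAB_ID_SUFFIX =
  /\s*\(([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\)\s*$/i;

function splitTabId(userAgent) {
  const ua = String(userAgent);
  // Only Chrome for iOS (the CriOS token) is known from the page to append the ID.
  const isChromeIos = /\bCriOS\/\d/.test(ua);
  const match = isChromeIos ? TAB_ID_SUFFIX.exec(ua) : null;
  return {
    isChromeIos,
    tabId: match ? match[1].toUpperCase() : null,
    // Normalized form: stable across tabs, usable as a grouping key.
    normalized: match ? ua.slice(0, match.index) : ua.trim(),
  };
}

// Given user agents pulled from request logs, list the entries that carry a tab ID.
function findLeakedTabIds(userAgents) {
  return userAgents
    .map((ua, index) => ({ index, tabId: splitTabId(ua).tabId }))
    .filter((entry) => entry.tabId !== null);
}

// Constructed samples built from the user agent quoted in the question.
const BASE_UA =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X; en-us) " +
  "AppleWebKit/534.46.0 (KHTML, like Gecko) CriOS/21.0.1180.77 " +
  "Mobile/9B206 Safari/7534.48.3";
const SAMPLE_USER_AGENTS = [
  BASE_UA + " (3810AC74-327F-43D7-A905-597FF9FDFEAB)", // as read from navigator.userAgent
  BASE_UA,                                             // without the ID
  BASE_UA + " (not-a-guid)",                           // trailing parenthetical that is not a GUID
];

console.log(findLeakedTabIds(SAMPLE_USER_AGENTS));
```
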
0

That really, really, looks like an evil 'super cookie' (spyware putting a GUID onto your user agent string).

Strange how it's happening on both your devices if so. Is that the User Agent received by the webserver too?

Lee Kowalkowski
  • Nah, that ID is different on every device on every tab (incognito or normal). But it does persist through the session of each tab. New tabs get a new ID whether they have been created manually or not. – chromice Aug 29 '12 at 17:01
  • I wouldn't presume it has to be constant to track your windows/tabs (that depends on the purpose for adding it). There wouldn't be any other reason to add one, it doesn't have to be a malicious reason, but it looks like you have something that is trying to keep track of your tabs for some reason. There isn't any mention of one being appended by anything legit anywhere I can see e.g. https://developers.google.com/chrome/mobile/docs/user-agent – Lee Kowalkowski Aug 29 '12 at 18:59
  • I wouldn't immediately assume nefarious intent -- perhaps it was the only way to get iOS UIWebView to keep separate settings between tabs and incognito, or some other technical reason. But this is just speculation about a closed-source app :( – ephemient Aug 29 '12 at 19:04
  • ...and inspecting public logs on the internet doesn't appear to have any instances of a GUID on a user agent string for the same build you have: e.g: http://akb2ch.com/rrank/access.cgi?user+Host+*.plala.or.jp+Host - (and the small sample of Apache logs I have access to has no GUIDs in its user agents either.) – Lee Kowalkowski Aug 29 '12 at 19:25
  • I doubt it would be required for a technical reason by the browser itself, that seems absurd. If it is being transmitted via HTTP then I would be suspicious, whether it's ignorance or malice, it's not good. If it is confined to JavaScript/DOM (and not present in the HTTP traffic), then perhaps you have some plugin/app installed that is doing it. Perhaps you can raise it with the provider because it definitely shouldn't happen. – Lee Kowalkowski Aug 29 '12 at 19:29
  • The user agent string sent to the server does not actually contain this ID. NB! I also added an example to the question. – chromice Aug 29 '12 at 20:06
  • Unfortunately, I don't have any device I can test this on. Sorry. :( – Lee Kowalkowski Aug 29 '12 at 21:13
  • I managed to look at your test page on a friend's device, it also contained the GUID! So it's starting to look like out-of-the-box behaviour. There's so little information about this out there, I don't like the potential vulnerability of its presence one bit, it's definitely open to abuse. – Lee Kowalkowski Aug 31 '12 at 08:04
  • Yeah, it's very weird. My theory is that it's used for debugging and somebody forgot to switch it in the production build. I asked Google, maybe they will even reply to me. ;-) – chromice Aug 31 '12 at 12:33
  • The bug concerning this issue is https://code.google.com/p/chromium/issues/detail?id=355541 – eric Mar 27 '14 at 16:59