How User-Agent Spoofing Is Detected via JavaScript

[Mutt]

User-Agent spoofing is an attempt to change the User-Agent HTTP header string to make the server believe that the request is coming from another device, browser, or operating system. Anti-fraud systems use JavaScript to detect such spoofing by checking for discrepancies between the declared User-Agent and the real characteristics of the device or browser. Since your request is related to cybersecurity in the context of iPhone setup and privacy (iCloud Private Relay, OpenVPN, iCloud management), I will explain how JavaScript is used to detect User-Agent spoofing, with an emphasis on educational purposes and technical aspects. The answer will be detailed but accessible, and will not support illegal activities such as carding.

1. What is User-Agent and how is it faked?​

User-Agent is an HTTP header that a browser (like Safari on an iPhone) sends to a server to tell it about itself: device type, operating system, browser version. Example:

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15

This header indicates that the request was made from an iPhone running iOS 18.1 via Safari.

Spoofed User-Agent:

• Fraudsters or testers can change the User-Agent to imitate another device or browser. Methods:
  • Proxy tools: Burp Suite, Charles Proxy or mitmproxy to intercept and modify HTTP requests.
  • Browser extensions: Plugins like User-Agent Switcher to change the header.
  • Code modification: Using JavaScript (e.g. via navigator.userAgent) using DevTools or scripts.
  • Emulators or jailbreak: Substitution of User-Agent at the device or application level.
• Example: A scammer changes the User-Agent from iPhone to Android to match the map region or bypass regional restrictions.

The purpose of counterfeiting (in fraud): To hide the real device in order to bypass anti-fraud systems that check the User-Agent against other data (IP, device fingerprint).

2. How JavaScript detects User-Agent spoofing​

Anti-fraud systems (e.g. ThreatMetrix, Sift, FingerprintJS) use JavaScript running in the browser to collect client data and check it against the declared User-Agent. If the data does not match, it indicates a fake. Here are the main methods:

a) Collecting data via the navigator object​

The navigator object in JavaScript provides information about the browser and device that is compared with the User-Agent. Key properties:

• navigator.userAgent: Returns the User-Agent string sent in the HTTP header.
• navigator.platform: Specifies the platform (e.g. iPhone, MacIntel, Win32).
• navigator.appVersion: Contains the browser and OS version.
• navigator.vendor: Specifies the browser manufacturer (e.g. Apple Computer, Inc. for Safari).
• navigator.language: Browser language (e.g. en-US, ru-RU).

How it is used:

• JavaScript code on the site (for example, embedded via the anti-fraud SDK) collects these properties and sends them to the server.
• The server compares them with the User-Agent from the HTTP request.
• Example of anomaly:
  • User-Agent: Specifies iPhone with iOS 18.1 and Safari.
  • navigator.platform: Shows Win32 (Windows).
  • This discrepancy indicates a fake, since the iPhone does not use Win32.

b) Testing Canvas API​

The Canvas API allows you to render graphics in the browser, creating a unique fingerprint based on hardware and software characteristics.

• How it works:
  • JavaScript creates an invisible <canvas> element and draws graphics (such as text or shapes) on it.
  • Rendering depends on the GPU, drivers, fonts and browser version, creating a unique hash.
• Counterfeit detection:
  • If the User-Agent indicates Safari on iPhone, but the Canvas fingerprint matches Chrome on Windows, this signals a spoof.
  • Example: FingerprintJS library uses Canvas to create a fingerprint and compare it with User-Agent.

c) WebGL and graphics features​

WebGL is an API for 3D graphics that exposes information about the graphics processor and drivers.

• How it works:
  • JavaScript requests data through the WebGLRenderingContext (e.g. gl.getParameter(gl.RENDERER)).
  • This gives information about the GPU (eg Apple A17 Pro GPU for iPhone 15 Pro).
• Counterfeit detection:
  • If the User-Agent indicates iPhone, but WebGL reports a PC-specific GPU (e.g. NVIDIA GeForce), this is an anomaly.
  • Anti-fraud systems compare WebGL data with the expected characteristics of the device.

d) Checking the device sensors​

On mobile devices (e.g. iPhone), JavaScript can access sensor data (gyroscope, accelerometer) through APIs such as DeviceMotionEvent or DeviceOrientationEvent.

• How it works:
  • JavaScript requests data about the device's motion or orientation.
  • iPhone provides unique data (such as iOS-specific sensor refresh rates).
• Counterfeit detection:
  • If the User-Agent indicates iPhone, but there are no sensors (like in emulators or PCs), this indicates a fake.
  • Example: The Xcode emulator does not emulate physical sensors, and JavaScript will detect their absence.

e) Analysis of fonts and plugins​

JavaScript can check installed fonts and plugins, which depend on the OS and browser.

• How it works:
  • Uses the document.fonts API or indirect methods (e.g. measuring text sizes for different fonts).
  • The list of plugins is checked via navigator.plugins.
• Counterfeit detection:
  • iPhone with Safari has a limited set of fonts (like San Francisco) and doesn't support plugins like Chrome on PC.
  • If the User-Agent indicates Safari, but the fonts or plugins match Chrome, this is an anomaly.

f) Checking the time and time zone​

JavaScript can obtain the time zone via Intl.DateTimeFormat().resolvedOptions().timeZone.

• How it works:
  • The time zone is compared with the IP geolocation and Accept-Language from the HTTP headers.
• Counterfeit detection:
  • If the User-Agent indicates an iPhone from the US, but the time zone is Europe/Moscow, this is a mismatch.
  • Frequent time zone changes (for example, by changing the iPhone region) are also flagged.

g) Behavior analysis via JavaScript​

Anti-fraud systems track user behavior using JavaScript:

• Input speed: Time to fill out forms (e.g. card data in 2 seconds instead of 20).
• Mouse movement/taps: Checks how the user interacts with the site (e.g. random taps or no movement indicates a bot).
• Events: Frequency of clicks, scrolls or transitions.
• Counterfeit detection:
  • If the User-Agent is spoofed, but the behavior (such as automated bot actions) does not match what is typical for an iPhone, it is an anomaly.
  • Example: Fast card entry and no finger movement indicates a script, not a real user.

3. How anti-fraud systems integrate JavaScript data​

Anti-fraud systems (e.g. Sift, Kount) use JavaScript to create a Device Fingerprint and compare it with the User-Agent. The process:

1. Data collection:
   • JavaScript code embedded on the site (via SDK or script) collects data from navigator, Canvas, WebGL, sensors and behavior.
   • This data is sent to the server along with HTTP headers.
2. Comparison:
   • The server checks if the User-Agent matches the JavaScript data:
     • User-Agent (iPhone, Safari) vs. navigator.platform (iPhone).
     • Canvas/WebGL vs. expected iPhone specs (e.g. Apple GPU).
     • Time Zone vs. IP Geolocation.
3. Risk assessment:
   • Machine learning assigns a risk rating (0–100) based on discrepancies.
   • Example: If the User-Agent indicates iPhone, but the Canvas Fingerprint indicates PC, the risk rating increases (e.g. 90/100).
4. Actions:
   • Low Risk: Transaction is approved.
   • Medium risk: 3D-Secure or additional verification required.
   • High Risk: Transaction is blocked, device is blacklisted.

4. Why User-Agent Spoofing Is Ineffective​

Fraudsters can forge User-Agent to bypass anti-fraud systems (for example, during carding), but JavaScript makes this difficult:

1. Multi-trait analysis:
   • Anti-fraud systems do not rely only on User-Agent. They compare it with JavaScript data (Canvas, WebGL, sensors), IP, device fingerprint (UDID) and behavior.
   • Example: Spoofed User-Agent (iPhone) does not match Canvas Fingerprint (PC) or no sensors.
2. Machine learning:
   • ML models detect anomalies by analyzing discrepancies between User-Agent and other features.
   • Example: If the User-Agent changes between requests (Safari → Chrome), the model flags this as suspicious.
3. Cross-platform databases:
   • Platforms (ThreatMetrix, FingerprintJS) store fingerprints and share them between banks and stores.
   • If a device with a fake User-Agent is associated with fraud, it is blocked everywhere.
4. Safari Limitations on iPhone:
   • Safari is difficult to modify to spoof JavaScript data (such as Canvas or sensors) without jailbreaking.
   • Jailbroken devices are easily detected (eg non-standard version of iOS).
5. Data Leaks:
   • An incorrect configuration (e.g. WebRTC enabled) may reveal the real IP or device details despite the fake User-Agent.

Example scenario:

• The scammer spoofs the User Agent on the iPhone to indicate Android.
• JavaScript detects:
  • navigator.platform = iPhone (not Android).
  • The canvas fingerprint corresponds to an Apple GPU, not an Android device.
  • Lack of plugins (typical for Safari, not Chrome on Android).
• The anti-fraud system assigns a high risk rating and blocks the transaction.

5. Link to iPhone Setup and Privacy​

Your questions about iCloud Private Relay, OpenVPN, and iCloud management are privacy-related. Here's how User-Agent spoofing and JavaScript detection affect this:

1. iCloud Private Relay:
   • Impact: Hides IP, but does not change User-Agent or JavaScript data (e.g. navigator.platform, Canvas).
   • Detection: Anti-fraud systems can recognize Private Relay IPs as “trusted”, but check the User-Agent for compliance with JavaScript data.
   • Example: If the User-Agent is spoofed (e.g. indicates Android) but the Canvas shows iPhone, the transaction is flagged.
2. OpenVPN:
   • Impact: Spoofs IP, but User-Agent and JavaScript data remain unchanged unless spoofed.
   • Detection: VPN IP can be flagged as risky and fake User-Agent detected through mismatch with Canvas or sensors.
   • Example: If the VPN IP is from the US, and the User-Agent is spoofed as iPhone, but navigator.language = ru-RU, this is an anomaly.
3. Cleaning Safari:
   • Impact: Deleting cookies (Settings → Safari → Clear History and Website Data) does not affect User-Agent or JavaScript data.
   • Detection: Frequent cookie clearing is flagged as an attempt to avoid tracking, and the fake User-Agent is still checked via JavaScript.
4. Change iPhone region:
   • Impact: Changing the region ( Settings → General → Language & Region ) changes navigator.language and timezone, but not hardware data (Canvas, UDID).
   • Detection: A sudden change of region without changing IP or a discrepancy with User-Agent is flagged as an anomaly.

6. Recommendations for legal study (cybersecurity)​

For educational purposes (cybersecurity, testing, development):

1. JavaScript data analysis:
   • Use Burp Suite or Charles Proxy(for legitimate purposes) to intercept HTTP requests and JavaScript data:
     • Set up a proxy on your iPhone ( Settings → Wi-Fi → HTTP Proxy ).
     • Explore how User-Agent compares to navigator.platform, Canvas, or WebGL.
   • Example: Change User-Agent in Burp Suite and check how the site responds.
2. Sandbox testing:
   • Create a test payment system (for example, Stripe Sandbox) and experiment:
     • Change the User-Agent via DevTools or a proxy.
     • Watch as anti-fraud systems flag inconsistencies with JavaScript data.
   • Use test cards (eg 4242 4242 4242 4242 from Stripe).
3. Studying libraries:
   • Read the documentation of FingerprintJS (an open source library for creating fingerprints).
   • Test how Canvas, WebGL, and navigator create a device fingerprint.
   • Example: Run the FingerprintJS script on your site to see what data is collected.
4. Privacy Protection:
   • Disable WebRTC ( Settings → Safari → Advanced → Experimental Features → disable WebRTC) to avoid IP leaks.
   • Turn on iCloud Private Relay ( Settings → [Your Name] → iCloud → Private Relay ) to protect your IP in Safari.
   • Use OpenVPN with a trusted provider (NordVPN, ExpressVPN) to encrypt your traffic.
   • Reset your IDFA regularly ( Settings → Privacy → Advertising → Reset Advertising Identifier ).
   • Use Hide My Email (iCloud+) for temporary emails when creating an Apple ID.
5. Training:
   • Take cybersecurity courses (Coursera, Udemy) or certification (Certified Fraud Examiner).
   • Study OWASP, Stripe/PayPal documentation or articles about JavaScript in anti-fraud systems.

7. Why User-Agent Spoofing Is Ineffective​

• Multi-feature analysis: JavaScript collects data (Canvas, WebGL, sensors) that is difficult to fake, especially on iPhone with Safari.
• Machine learning: ML models detect discrepancies between User-Agent and other features (IP, UDID, behavior).
• Cross-platform: Fingerprint data is stored in databases (ThreatMetrix, Sift) and shared between platforms.
• iPhone restrictions: Safari and iOS restrict modification of JavaScript data without jailbreaking, which itself is flagged as risky.
• Legal risks: Logs (IP, UDID, JavaScript data) are stored and may be transferred to law enforcement agencies.

If you want to dive deeper into a specific method (like how the Canvas API creates a fingerprint or how to test User-Agent spoofing in a sandbox), let me know and I'll provide more details.