Closed Bug 1876742 Opened 8 months ago Closed 7 months ago

User-Agent String default to reporting "Android 10" breaks Duo's Trusted Endpoint OS version checks

Categories

(Fenix :: Browser Engine, defect, P2)

Firefox 122
Unspecified
Android
defect

Tracking

(firefox122+ disabled, firefox123+ disabled, firefox124+ disabled)

RESOLVED FIXED
124 Branch

People

(Reporter: Deltadoc333, Assigned: cpeterson)

References

(Regression, )

Details

(Keywords: regression)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Android 10; Mobile; rv:122.0) Gecko/122.0 Firefox/122.0
Firefox for Android

Steps to reproduce:

Attempted to log into a Citrix webportal via Firefox on an Android.

Actual results:

Since the latest update of Firefox on my Android to version 122.0 an important work application no longer works because of the changes you have made to the User-Agent string.

Specifically, reporting the OS version as "Android 10" blocks critical security protocols which require Users with Duo authentication to have the up to date version of Android on their phones.

Please consider disabling this new feature or at least making it optional.

Expected results:

Generally, the correct version of Android is reported and access is granted.

The Bugbug bot thinks this bug should belong to the 'Fenix::General' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → General
Product: Firefox → Fenix
See Also: → 1865766

Thanks for the report.
:cpeterson could this be triaged?

Flags: needinfo?(cpeterson)

Deltadoc333, thanks for reporting this bug!

What version of Android is your device using?

Can you successfully log into the Citrix webportal using your device's Chrome browser? I believe Chrome also hard coded its User-Agent string to report "Android 10", so Citrix or Duo might be checking the Android version for Firefox but not Chrome.

Can you please share your device's Chrome User-Agent string? An easy way to check your browser's User-Agent string is by Googling for "my user agent".

Assignee: nobody → cpeterson
Severity: -- → S2
Component: General → Browser Engine
Flags: needinfo?(cpeterson) → needinfo?(Deltadoc333)
Keywords: regression
OS: Unspecified → Android
Priority: -- → P2
Regressed by: 1865766
See Also: 1865766

(In reply to Chris Peterson [:cpeterson] from comment #3)
> Deltadoc333, thanks for reporting this bug!
>
> What version of Android is your device using?
>
> Can you successfully log into the Citrix webportal using your device's Chrome browser? I believe Chrome also hard coded its User-Agent string to report "Android 10", so Citrix or Duo might be checking the Android version for Firefox but not Chrome.
>
> Can you please share your device's Chrome User-Agent string? An easy way to check your browser's User-Agent string is by Googling for "my user agent".

Hi! Sure thing, and thanks for working to fix it.

My Samsung Galaxy S23 Ultra is running Android 14. I have a screenshot with all my software info from Settings if that would help, but I am not sure how to add a picture to this thread.

Yes I have successfully been able to log into the Citrix workspace using Google Chrome.

Here is my Google Chrome user-agent string.
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36

Here is my Firefox user-agent string.
Mozilla/5.0 (Android 10; Mobile; rv:122.0) Gecko/122.0 Firefox/122.0

Hope this helps!

Flags: needinfo?(Deltadoc333)

Current software info for my phone. Just in case it helps.

Here is my Google Chrome user-agent string.
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36

Thanks! Looks like Chrome is also pretending to be "Android 10", so this is a Firefox-specific problem. Citrix presumably removed their Android version check for Chrome users after Google froze Chrome's Android version last year, but kept the check for Firefox.

I don't have a Citrix account, so I'm trying to find a way to test or contact them. In the meantime, I will revert this Firefox change.

I'm able to use Mozilla's Duo authentication in Firefox Android, so I suspect this error is reported by Citrix.

When we froze Firefox's macOS version at "10.15", a user reported a similar problem (bug 1812551) about Duo authentication not working with macOS versions < 10.15.7. That problem was caused by a custom macOS version check that the user's employer had added.

It looks like a feature[1] from Duo and could be controlled by your organization's admin.

> If your Duo administrator has enabled this feature, we'll check your operating system and browser version — as well as the version of the Java and Flash plugins enabled in your browser — when you log into your Duo protected service. If any of them are out of date we'll let you know, and give you the option to update your software before you finish logging in to the service.

[1] https://guide.duo.com/software-update

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true

Setting 122 as disabled since the regressor was partially backed out of release https://hg.mozilla.org/releases/mozilla-release/rev/94baf6c37065dcf65070f50d10472d9dd6108c4c
Fenix/Focus 122.0.1 will include a version of GeckoView with this backed out.

An investigation is underway to address this in time for Fx123.

(In reply to Donal Meehan [:dmeehan] from comment #9)
> Setting 122 as disabled since the regressor was partially backed out of release https://hg.mozilla.org/releases/mozilla-release/rev/94baf6c37065dcf65070f50d10472d9dd6108c4c
> ...
> An investigation is underway to address this in time for Fx123.

Donal, I don't think I will have a fix ready for uplift to Beta 123. Can you please back out the same changeset 963b7e553ef0 from Beta 123, too?

If I find a new approach, it should probably ride the trains with 124 so it has enough test time in Nightly and Beta.

Flags: needinfo?(dmeehan)

Redirecting the NI to Pascal to take care of Beta for Fx123.

Flags: needinfo?(dmeehan) → needinfo?(pascalc)
Flags: needinfo?(pascalc)

(In reply to Pascal Chevrel:pascalc from comment #12)
> Backed out in 123 beta:

Thanks, Pascal!

@ Dianna, as release owner for 124, do you mind backing out changeset 963b7e553ef0 (bug 1865766) from Nightly 124? This will entirely remove my original code change from Firefox. Then I can resolve this bug as fixed and explore alternative approaches for Android UA freezing (bug 1865766) at a later time instead of trying to rush a fix for 124.

Flags: needinfo?(dsmith)

Duo's docs confirm that their OS version check uses the User-Agent Client Hints API when available, which Firefox doesn't support (bug 1750143). That explains why Duo's OS version check doesn't block Chrome even though Chrome's UA reports "Android 10".

> Improved browser and OS version visibility for policy enforcement
> Added support for the User-Agent Client Hints API, which improves the accuracy of browser and OS version information provided by the browser to the Duo Prompt for use with policy enforcement. The User-Agent Client Hints API is available in the following browsers: Chrome on all platforms, and Edge Chromium on macOS.

https://community.cisco.com/t5/duo-release-notes/d238-duo-release-notes-for-april-15-2022/ta-p/4878082

https://help.duo.com/s/article/4154

Summary: User-Agent String default to reporting "Android 10" breaks security protocols. → User-Agent String default to reporting "Android 10" breaks Duo's Trusted Endpoint OS version checks
See Also: → 1750143
Flags: needinfo?(dsmith)
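The following is an added example illustrating the two comments above (comment #6, where both browsers' UA strings say "Android 10", and the comment on Duo's Client Hints support); it is not code from Firefox, GeckoView, Duo or Citrix. It models a Trusted-Endpoint-style minimum-OS-version check that prefers the `platformVersion` high-entropy Client Hint when the browser exposes one and otherwise falls back to parsing the legacy User-Agent string. The `hints` object stands in for the result of `navigator.userAgentData.getHighEntropyValues(["platformVersion"])` (a real Chromium API; the payload below is constructed, not captured from a device), and the two UA strings are the ones the reporter pasted in this bug.

```javascript
// Added example (not Firefox, Duo or Citrix code): why the same Android 14
// phone can pass an OS-version policy in Chrome and fail it in Firefox.

// Legacy UA string: Firefox reports "(Android 10; Mobile; ...)", Chrome reports
// "(Linux; Android 10; K)". Both forms carry a literal "Android <version>".
const ANDROID_UA_RE = /\bAndroid (\d+(?:\.\d+)*)\b/;

// Parse the Android version from the legacy User-Agent string.
// Returns null when the string does not identify Android at all.
function androidVersionFromUA(ua) {
  const m = ANDROID_UA_RE.exec(ua);
  return m ? m[1] : null;
}

// Resolve the OS version a policy check would act on. `hints` mimics the
// object returned by navigator.userAgentData.getHighEntropyValues(); Firefox
// has no navigator.userAgentData, so a caller on Firefox passes null and the
// frozen UA value is all the check ever sees.
function resolveAndroidVersion(ua, hints) {
  if (hints && hints.platform === "Android" && hints.platformVersion) {
    return { version: hints.platformVersion, source: "client-hints" };
  }
  const v = androidVersionFromUA(ua);
  return v === null ? null : { version: v, source: "user-agent" };
}

// Numeric comparison of dotted versions ("14.0.0" >= "11" is true,
// "10.1" >= "10.15" is false; string comparison would get both wrong).
function versionAtLeast(version, minimum) {
  const a = version.split(".").map(Number);
  const b = minimum.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Policy: allow only Android >= minimum. The result records which signal
// produced the decision so an admin can see when a frozen UA caused a denial.
function evaluatePolicy(ua, hints, minimum) {
  const r = resolveAndroidVersion(ua, hints);
  if (r === null) return { allowed: false, reason: "not Android" };
  return { allowed: versionAtLeast(r.version, minimum), version: r.version, source: r.source };
}

// Constructed inputs: the two UA strings quoted in this bug, plus a constructed
// Client Hints payload for Chrome on an Android 14 device.
const FIREFOX_UA = "Mozilla/5.0 (Android 10; Mobile; rv:122.0) Gecko/122.0 Firefox/122.0";
const CHROME_UA = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36";
const CHROME_HINTS = { platform: "Android", platformVersion: "14.0.0" };

// Run both browsers through a hypothetical "Android 11 or newer" policy.
function demo(minimum) {
  return {
    firefox: evaluatePolicy(FIREFOX_UA, null, minimum),
    chrome: evaluatePolicy(CHROME_UA, CHROME_HINTS, minimum),
    chromeWithoutHints: evaluatePolicy(CHROME_UA, null, minimum),
  };
}

console.log(JSON.stringify(demo("11"), null, 2));
```

Running it shows Firefox denied with `version: "10", source: "user-agent"`, Chrome allowed with `version: "14.0.0", source: "client-hints"`, and Chrome denied again once the hints are withheld: the policy outcome depends entirely on whether a second, unfrozen version signal exists, which is why freezing only the UA string regressed Firefox and not Chrome.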

Thanks. The regressing bug has now been backed out of Nightly 124, Beta 123, and Release 122 so I'll resolve this regression as fixed.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch