User-Agent String default to reporting "Android 10" breaks Duo's Trusted Endpoint OS version checks
Categories
(Fenix :: Browser Engine, defect, P2)
Tracking
(firefox122+ disabled, firefox123+ disabled, firefox124+ disabled)
People
(Reporter: Deltadoc333, Assigned: cpeterson)
References
(Regression)
Details
(Keywords: regression)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Android 10; Mobile; rv:122.0) Gecko/122.0 Firefox/122.0
Firefox for Android
Steps to reproduce:
Attempted to log into a Citrix webportal via Firefox on an Android.
Actual results:
Since the latest update of Firefox on my Android to version 122.0, an important work application no longer works because of the changes you have made to the User-Agent string.
Specifically, reporting the OS version as "Android 10" blocks critical security protocols which require Users with Duo authentication to have the up to date version of Android on their phones.
Please consider disabling this new feature or at least making it optional.
Expected results:
Generally, the correct version of Android is reported and access is granted.
Comment 1•8 months ago
The Bugbug bot thinks this bug should belong to the 'Fenix::General' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•8 months ago
Thanks for the report.
:cpeterson could this be triaged?
Comment 3 (Assignee)•8 months ago
Deltadoc333, thanks for reporting this bug!
What version of Android is your device using?
Can you successfully log into the Citrix webportal using your device's Chrome browser? I believe Chrome also hard coded its User-Agent string to report "Android 10", so Citrix or Duo might be checking the Android version for Firefox but not Chrome.
Can you please share your device's Chrome User-Agent string? An easy way to check your browser's User-Agent string is by Googling for "my user agent".
Comment 4 (Reporter)•8 months ago
(In reply to Chris Peterson [:cpeterson] from comment #3)
> Deltadoc333, thanks for reporting this bug!
> What version of Android is your device using?
> Can you successfully log into the Citrix webportal using your device's Chrome browser? I believe Chrome also hard coded its User-Agent string to report "Android 10", so Citrix or Duo might be checking the Android version for Firefox but not Chrome.
> Can you please share your device's Chrome User-Agent string? An easy way to check your browser's User-Agent string is by Googling for "my user agent".
Hi! Sure thing, and thanks for working to fix it.
My Samsung Galaxy S23 Ultra is running Android 14. I have a screenshot with all my software info from settings if that would help,
but I am not sure how to add a picture to this thread.
Yes, I have successfully been able to log into the Citrix workspace using Google Chrome.
Here is my Google Chrome user-agent string.
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36
Here is my Firefox user-agent string.
Mozilla/5.0 (Android 10; Mobile; rv:122.0) Gecko/122.0 Firefox/122.0
Hope this helps!
Comment 6 (Assignee)•8 months ago
> Here is my Google Chrome user-agent string.
> Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36
Thanks! Looks like Chrome is also pretending to be "Android 10", so this is a Firefox-specific problem. Citrix presumably removed their Android version check for Chrome users after Google froze Chrome's Android version last year, but kept the check for Firefox.
I don't have a Citrix account, so I'm trying to find a way to test or contact them. In the meantime, I will revert this Firefox change.
I'm able to use Mozilla's Duo authentication in Firefox Android, so I suspect this error is reported by Citrix.
When we froze Firefox's macOS version at "10.15", a user reported a similar problem (bug 1812551) about Duo authentication not working with macOS versions < 10.15.7. That problem was caused by a custom macOS version check that the user's employer had added.
Comment 7•8 months ago
It looks like a feature[1] from Duo and could be controlled by your organization's admin.
> If your Duo administrator has enabled this feature, we'll check your operating system and browser version — as well as the version of the Java and Flash plugins enabled in your browser — when you log into your Duo protected service. If any of them are out of date we'll let you know, and give you the option to update your software before you finish logging in to the service.
Comment 8•8 months ago
The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.
Comment 9•8 months ago
Setting 122 as disabled since the regressor was partially backed out of release https://hg.mozilla.org/releases/mozilla-release/rev/94baf6c37065dcf65070f50d10472d9dd6108c4c
Fenix/Focus 122.0.1 will include a version of GeckoView with this backed out.
An investigation is underway to address this in time for Fx123.
Comment 10 (Assignee)•7 months ago
(In reply to Donal Meehan [:dmeehan] from comment #9)
> Setting 122 as disabled since the regressor was partially backed out of release https://hg.mozilla.org/releases/mozilla-release/rev/94baf6c37065dcf65070f50d10472d9dd6108c4c
> ...
> An investigation is underway to address this in time for Fx123.
Donal, I don't think I will have a fix ready for uplift to Beta 123. Can you please back out the same changeset 963b7e553ef0 from Beta 123, too?
If I find a new approach, it should probably ride the trains with 124 so it has enough test time in Nightly and Beta.
Comment 11•7 months ago
Redirecting the NI to Pascal to take care of Beta for Fx123.
Comment 12•7 months ago
Backed out in 123 beta:
https://hg.mozilla.org/releases/mozilla-beta/rev/bb9a936c0644ab6ea6d8e6b8f62fa7787b809a5e
Comment 13 (Assignee)•7 months ago
(In reply to Pascal Chevrel [:pascalc] from comment #12)
> Backed out in 123 beta:
Thanks, Pascal!
@ Dianna, as release owner for 124, do you mind backing out changeset 963b7e553ef0 (bug 1865766) from Nightly 124? This will entirely remove my original code change from Firefox. Then I can resolve this bug as fixed and explore alternative approaches for Android UA freezing (bug 1865766) at a later time instead of trying to rush a fix for 124.
Comment 14 (Assignee)•7 months ago
Duo's docs confirm that their OS version check uses the User-Agent Client Hints API when available, which Firefox doesn't support (bug 1750143). That explains why Duo's OS version check doesn't block Chrome even though Chrome's UA reports "Android 10".
> Improved browser and OS version visibility for policy enforcement
> Added support for the User-Agent Client Hints API, which improves the accuracy of browser and OS version information provided by the browser to the Duo Prompt for use with policy enforcement. The User-Agent Client Hints API is available in the following browsers: Chrome on all platforms, and Edge Chromium on macOS.
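The difference described in comment 14, as an added example (not code from Duo, Citrix or Mozilla): a version check that reads only the User-Agent string rejects both browsers from comment 4, while one that prefers User-Agent Client Hints sees Android 14 from Chrome. The hints object, the minimum version 13 and the "unknown" outcome for a frozen value are assumptions made for illustration.

```javascript
// Added example; not Duo's, Citrix's or Mozilla's code.
// Android major version that a frozen User-Agent string reports.
const FROZEN_ANDROID_MAJOR = 10;

// Android major version from a User-Agent string, or null if absent.
function androidMajorFromUA(userAgent) {
  const m = /\bAndroid (\d+)/.exec(userAgent || "");
  return m ? Number(m[1]) : null;
}

// Check that trusts only the User-Agent string.
function naiveOsPolicy(userAgent, minMajor) {
  const major = androidMajorFromUA(userAgent);
  return major !== null && major >= minMajor ? "allow" : "block";
}

// hints: shaped like navigator.userAgentData.getHighEntropyValues(
// ["platformVersion"]) output, or null without the Client Hints API.
function detectAndroidVersion(userAgent, hints) {
  if (hints && hints.platform === "Android" && hints.platformVersion) {
    const major = parseInt(hints.platformVersion, 10);
    if (!Number.isNaN(major)) return { major, source: "client-hints" };
  }
  const major = androidMajorFromUA(userAgent);
  return { major, source: major === null ? "none" : "user-agent" };
}

// Returns "allow", "block" or "unknown" plus the evidence used.
function evaluateOsPolicy(userAgent, hints, minMajor) {
  const { major, source } = detectAndroidVersion(userAgent, hints);
  // Assumption: a UA-only "Android 10" may be a frozen placeholder, so it is
  // reported as "unknown" instead of "out of date".
  if (major === null ||
      (source === "user-agent" && major === FROZEN_ANDROID_MAJOR)) {
    return { decision: "unknown", major, source };
  }
  return { decision: major >= minMajor ? "allow" : "block", major, source };
}

// User-Agent strings quoted in comment 4; hints and minimum are constructed.
const CHROME_UA = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36";
const FIREFOX_UA =
  "Mozilla/5.0 (Android 10; Mobile; rv:122.0) Gecko/122.0 Firefox/122.0";
const CHROME_HINTS = { platform: "Android", platformVersion: "14.0.0" };
const MIN_MAJOR = 13; // hypothetical policy minimum

console.log(evaluateOsPolicy(CHROME_UA, CHROME_HINTS, MIN_MAJOR));
console.log(evaluateOsPolicy(FIREFOX_UA, null, MIN_MAJOR));
```

What a policy does with "unknown" (for example, falling back to another device signal) is a deployment decision outside this sketch.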
Comment 15•7 months ago
backed out from 124.0a1
https://hg.mozilla.org/mozilla-central/rev/3eba1c7082aa5d2e1198ff02e055c8ea1eb302fa
Comment 16 (Assignee)•7 months ago
Thanks. The regressing bug has now been backed out of Nightly 124, Beta 123, and Release 122 so I'll resolve this regression as fixed.