Spoof the device ro.product.name ro.product.device

[condor0765]

In the file frameworks/base/core/java/android/os/Build.java information on the mobile device is described. Is it worth for security to spoof this to may be some other device.

    /** Either a changelist number, or a label like "M4-rc20". */
    public static final String ID = getString("ro.build.id");

    /** A build ID string meant for displaying to the user */
    public static final String DISPLAY = getString("ro.build.display.id");

    /** The name of the overall product. */
    public static final String PRODUCT = getString("ro.product.name");

    /** The name of the industrial design. */
    public static final String DEVICE = getString("ro.product.device");

    /** The name of the underlying board, like "goldfish". */
    public static final String BOARD = getString("ro.product.board");

    /** The manufacturer of the product/hardware. */
    public static final String MANUFACTURER = getString("ro.product.manufacturer");

    /** The consumer-visible brand with which the product/hardware will be associated, if any. */
    public static final String BRAND = getString("ro.product.brand");

    /** The end-user-visible name for the end product. */
    public static final String MODEL = getString("ro.product.model");

The reason is some malware sites can even detect the OS/device/name etc. Also relevant http://webkay.robinlinus.com/

Thanks for the great work.

[thestinger]

The browser example is the browser's problem for leaking so much data in the user agent, not an OS issue. I don't think spoofing these would make much difference because an app can still determine the information via various other ways. I don't plan on making changes unless they accomplish a meaningful goal.

[thestinger]

The browser example is the browser's problem for leaking so much data in the user agent, not an OS issue. I don't think spoofing these would make much difference because an app can still determine the information via various other ways. I don't plan on making changes unless they accomplish a meaningful goal.

[Rudd-O]

It would indeed be nice if something like User Agent Changer was built into Chromium, but I understand that's a lot of work.

[Rudd-O]

It would indeed be nice if something like User Agent Changer was built into Chromium, but I understand that's a lot of work.

[condor0765]

browser example is the browser's problem for leaking so much data in the user agent, not an OS issue

Agreed. I assumed doing at OS level would mean the browser or other apps cannot get so much information by any means. But I am not an expert, you decide.

I don't think spoofing these would make much difference because an app can still determine the information via various other ways.

Sure. But a request: Could you point to me where in the source code tree it may be changed so that all apps may be somehow spoofed?

I don't plan on making changes unless they accomplish a meaningful goal.

It was only a suggestion. Thanks for response.

[condor0765]

browser example is the browser's problem for leaking so much data in the user agent, not an OS issue

Agreed. I assumed doing at OS level would mean the browser or other apps cannot get so much information by any means. But I am not an expert, you decide.

I don't think spoofing these would make much difference because an app can still determine the information via various other ways.

Sure. But a request: Could you point to me where in the source code tree it may be changed so that all apps may be somehow spoofed?

I don't plan on making changes unless they accomplish a meaningful goal.

It was only a suggestion. Thanks for response.

[thestinger]

It's not feasible to conceal the device that an app is running on. The OS is built for each device individually, and there are countless ways for an app to identify a build. If you want that information to be hidden, then you need a whole different app ecosystem built for a much different kind of app sandbox.

[thestinger]

It's not feasible to conceal the device that an app is running on. The OS is built for each device individually, and there are countless ways for an app to identify a build. If you want that information to be hidden, then you need a whole different app ecosystem built for a much different kind of app sandbox.

[thestinger]

Replacing this with #543. There's no way to stop apps from determining which device they're on even with all of these properties removed. There's so much they can inspect to determine that so it's only worth worrying about cases where common / important apps are leaking this information externally without malicious intentions. For Chromium (including the WebView), that can be directly addressed.

[thestinger]

Replacing this with #543. There's no way to stop apps from determining which device they're on even with all of these properties removed. There's so much they can inspect to determine that so it's only worth worrying about cases where common / important apps are leaking this information externally without malicious intentions. For Chromium (including the WebView), that can be directly addressed.