User Agent Spoofing


10/27/2014 9:55 AM

Device Detection User Agent Device Data Opinion

Why it works well with device detection

What is user agent spoofing?

User agent spoofing is basically replacing the user agent string your browser sends as an HTTP header with another character string. Each major browser has a bunch of plugins and extensions that allow users to change their user agent. If your original user agent was:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36

then your spoofed user agent could look something like:

Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20090722 Chrome/38.0.2125.104 (X) Safari 6 Orca/1.2 build 2

51Degrees approach

51Degrees uses HTTP user agent headers amongst others in order to identify properties of the requesting device. Changing the user agent will alter detection results. The accuracy of detection will vary based on the amount of characters changed in the user agent. Changing just a few symbols will most likely produce a fairly accurate result as the 51Degrees detector uses several detection methods based on device signatures. Changing an entire string will cause the device to be detected as a device corresponding to the new string.

Website with 51Degrees device detection.
Website with 51Degrees device detection.


So, if I was using Samsung Galaxy S4 user agent:

Mozilla/5.0 (Linux; Android 4.2.2; nl-nl; SAMSUNG GT-I9505 Build/JDQ39) AppleWebKit/535.19 (KHTML, like Gecko) Version/1.0 Chrome/18.0.1025.308 Mobile Safari/535.19

and substitute bits from HTC Vision user agent:

Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; HTC Vision Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

I will end up with a hybrid user agent:

Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; HTC Vision Build/GRI40) AppleWebKit/533.1 (X; 543) Version/4.0 Mobile Safari/533.1

Which is still identified as an android smart phone. That was a pretty usual mix of user agents and some additional characters. But what would happen if the user agent was a completely random mix of characters not corresponding to any of the real user agent strings? For example:


Such user agents will be identified as an Emulator/Desktop type device, meaning that a desktop version of the website should be supplied. Any user who has chosen to use such a string of characters for his or her user agent clearly wants to be treated as a generic device without any specific characteristics.

What impact does it have?

This is generally beneficial for websites and projects as it simplifies testing for various devices. All you need to do in order to check out how your website will look on a specific device is change the user agent. You don't need to have physical access to thousands of various devices.

If a customer chose to spoof their user agent, and the spoofed user agent disguises the device as one of a different type, such customers are willingly giving up the option of viewing the content in the best format and composition for their device. If the spoofed user agent corresponds to the original device type, then the website's content will still be presented in the best way possible.

Forcing customers to use a specific version of your site is never a good idea as it may annoy them. It's best to provide a link to other website versions should they wish to change the view.