User Agent no longer present on CONNECT requests starting from iOS 15

I'll let Quinn weigh in here, but just to get some more information on this question, can you describe which API you are using and what type of proxy your client side connection is interacting with?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi, the proxy is Charles. We use it to validate our App's traffic, we have some rules that try to match the User-Agent. Of course we can achieve this by other means but we would like to know if this is a permanent change and not an issue before thinking in doing so.

I have the same question actually. I've posted about similar changes in iOS 14 before (https://developer.apple.com/forums/thread/657824). Is there any chance this can get reinstated?

Matt and I discussed this with the team. It’s likely that this change is unexpected fallout from the proxy support unification work we’ve been doing recently [1]. Having said that, we’re disinclined to fix this because the user agent string is a potential source of personal information.

So, Cougnes, if I’m reading your other thread correctly it seems that we ‘broke’ this in iOS 14. Is that right?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] To unify the proxy implementation between CFNetwork and Network framework.

No, not exactly. In that case last year, manually set UA’s would not be respected in CONNECT requests for any NSURLRequests.

The behavior that I currently see is that no user agent whatsoever is passed for CONNECT requests. This feels quite arbitrary to me, as all other requests (GET/POST/…) do function as expected.

I can confirm that this bug is still present in iOS15 beta 2.

I can confirm that this bug is still present in iOS15 beta 2.

Did you file a bug about this? ’cause at this point I’m not sure that Apple knows about it officially.

I can’t guarantee that we’ll actually change this behaviour back. Still, if this is important to you then your best option is to file a bug with a clear explanation as to what it’s breaking.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

sven-m wrote:

Bug number: FB9186563.

Thanks.

Cougnes wrote:

Would it be useful to file another bug report?

Duplicate bug reports are most helpful when they contain new diagnostic info (not really relevant here) or new information about the impact of the issues (possibly relevant here).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have the same behavior while using on Device VPN (NEPacketTunnelProvider). No User Agents (at least 95% of the times). Randomly, I see few user Agents reported on some traffic.

We have a webpage that renders different functionality / content based on the operating system. We user UserAgent to match for OS

@eskimo

Update: this bug still exists in iOS 15 beta 3.

Is there any movement in the bug reports mentioned in this thread?

Is there any movement in the bug reports mentioned in this thread?

I have no info to share here (other than to say that the bugs referenced above have all landed in the right place).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Just to keep this thread up to date: This behavior is still present on iOS 15 beta 6.

Still the same behavior for iOS 15 beta 8.

This is an interesting issue. Just catching up, but it sounds like this was done inadvertently but that Apple is "disinclined to fix this because the user agent string is a potential source of personal information."? I personally feel that not fixing this inadvertent bug is a mistake and is likely to expose much more sensitive personally identifiable information than anything I've ever seen in the User-Agent header.

There are multiple organizations that either opt to or are required to intercept SSL/TLS requests to inspect traffic for malicious code or inappropriate use. In order to aid with preserving privacy many of these organizations will only match specific user agent headers in the HTTP CONNECT request (i.e. for web browsers) in order to avoid decrypting other potentially sensitive information and/or breaking communication for apps that are using certificate pinning. By removing this header in HTTP CONNECT requests it will mean these organizations will start attempting to decrypt and inspect ALL traffic going through these proxies. This will likely break communication for many apps using certificate pinning and unnecessarily expose potentially sensitive information that the organization (or school, as there are many state laws requiring this type of monitoring) would have preferred to remain private.

Ensuring this header is present (and contains the User-Agent information for the app making the request) will protect sensitive personally identifiable information in addition to ensuring apps utilizing certificate pinning will continue to work unhindered.

Please reconsider your position on this issue.

Thank you!

just submitted

Thanks. But please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"