TL;DR
Yes, a web app can mimic some of the fingerprints used by native apps, making it harder to distinguish between them. However, complete replication is very difficult due to fundamental differences in how they operate and access device features. This guide explains what’s possible, how it works, and what you can do about it.
Understanding Fingerprinting
Device fingerprinting creates a unique identifier based on various characteristics of a user’s device and browser/environment. Native apps and web apps use different methods for this:
- Native Apps: Rely heavily on hardware identifiers (IMEI, serial numbers), OS details, and specific APIs only available to native environments.
- Web Apps: Use browser features like User-Agent string, installed fonts, screen resolution, plugins, canvas fingerprinting, WebGL rendering information, battery API data, timezone, language settings, etc.
How a Web App Can Mimic Native App Fingerprints
Web apps can attempt to replicate certain aspects of native app fingerprints by:
1. User-Agent String Spoofing
- What it does: The User-Agent string identifies the browser and operating system. A web app can modify this string to appear as a specific mobile browser or even a native app’s identifier (though this is increasingly unreliable).
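- How to do it: This isn’t directly controllable by users, but developers can use JavaScript to alter the User-Agent.
    // navigator.userAgent is read-only, so plain assignment is ignored; redefine the getter instead.
    // This changes only what scripts in the page read, not the User-Agent request header.
    Object.defineProperty(navigator, 'userAgent', { get: () => 'Mozilla/5.0 (Linux; Android 13; Build/PQ3A.190800.001) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.198 Mobile Safari/537.36' });
- Limitations: Modern browsers are stricter about allowing User-Agent modification for security reasons. Many websites now ignore or detect spoofed strings.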
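A site can detect a spoofed string by checking it against other signals reported by the same client. The following is an added example, not code from the original page; the field names on `signals` and the sample values are assumptions, with the fields meant to be filled from `navigator.platform`, `navigator.maxTouchPoints` and `navigator.userAgentData` where the browser provides them.

```javascript
// Added example: cross-checks the claimed User-Agent against other signals
// from the same client. Field names on `signals` are assumptions.
function platformFromUa(ua) {
  if (/Android/i.test(ua)) return 'Android';       // before Linux: Android UAs contain "Linux"
  if (/iPhone|iPad|iPod/i.test(ua)) return 'iOS';  // before macOS: iOS UAs contain "like Mac OS X"
  if (/CrOS/.test(ua)) return 'Chrome OS';
  if (/Windows NT/i.test(ua)) return 'Windows';
  if (/Mac OS X/i.test(ua)) return 'macOS';
  if (/Linux/i.test(ua)) return 'Linux';
  return 'unknown';
}

// navigator.platform values mapped to the UA platforms they are compatible with.
function platformFamilies(navPlatform) {
  if (/^Win/i.test(navPlatform)) return ['Windows'];
  if (/^Mac/i.test(navPlatform)) return ['macOS'];
  if (/^(iPhone|iPad|iPod)/i.test(navPlatform)) return ['iOS'];
  if (/^Linux/i.test(navPlatform)) return ['Linux', 'Android', 'Chrome OS'];
  return [];
}

// Returns the names of the signals that contradict the User-Agent string.
function uaInconsistencies(signals) {
  const findings = [];
  const claimed = platformFromUa(signals.userAgent);
  if (claimed === 'unknown') return findings; // nothing to compare against
  const claimsMobile = /Mobile/i.test(signals.userAgent);
  const families = platformFamilies(signals.platform || '');
  if (families.length && !families.includes(claimed)) findings.push('platform');
  if (signals.uaDataPlatform && signals.uaDataPlatform !== claimed) findings.push('uaData.platform');
  if (typeof signals.uaDataMobile === 'boolean' && signals.uaDataMobile !== claimsMobile) findings.push('uaData.mobile');
  // One direction only: desktops may have touch screens, phones always do.
  if (claimsMobile && signals.maxTouchPoints === 0) findings.push('maxTouchPoints');
  return findings;
}

// Constructed samples; ANDROID_UA is the Android string that appears on this page.
const ANDROID_UA = 'Mozilla/5.0 (Linux; Android 13; Build/PQ3A.190800.001) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.198 Mobile Safari/537.36';
const GENUINE = { userAgent: ANDROID_UA, platform: 'Linux armv8l', maxTouchPoints: 5, uaDataPlatform: 'Android', uaDataMobile: true };
const SPOOFED = { userAgent: ANDROID_UA, platform: 'Win32', maxTouchPoints: 0, uaDataPlatform: 'Windows', uaDataMobile: false };
const DESKTOP_LINUX = { userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0', platform: 'Linux x86_64', maxTouchPoints: 0 };

console.log(uaInconsistencies(GENUINE), uaInconsistencies(SPOOFED));
```

Treat a non-empty result as one input to a risk score rather than a verdict, since privacy tools that normalize these values can also produce mismatches.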
2. Canvas Fingerprinting
- What it does: Draws a hidden image on the canvas element and uses subtle differences in rendering across devices to create a fingerprint. Native apps can also use similar techniques, making this an area of overlap.
- How it works: The web app generates an image using JavaScript.
    const canvas = document.createElement('canvas');
    const ctx = canvas.getContext('2d');
    ctx.fillRect(0, 0, 1, 1);
    const dataURL = canvas.toDataURL(); // encoded pixels, used as the fingerprint input
- Limitations: Browser privacy protections (such as those in privacy-focused browsers) can block or randomize canvas fingerprinting data.
3. WebGL Fingerprinting
- What it does: Similar to Canvas Fingerprinting, but uses the WebGL API for 3D rendering. This is more computationally intensive and potentially more unique than canvas fingerprinting. Native apps often use similar graphics APIs.
- How it works: The web app renders a complex scene using WebGL.
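    const glCanvas = document.createElement('canvas'); // fresh canvas: one that already has a 2D context returns null for 'webgl'
    const gl = glCanvas.getContext('webgl');
    // Render 3D scene...
- Limitations: Requires significant JavaScript code and can be resource-intensive for the user’s device. Also susceptible to browser protections.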
4. Battery API & Timezone
- What it does: Accesses battery level and timezone information, which are also available to native apps.
- How it works: JavaScript code accesses these APIs.
    navigator.getBattery?.().then((battery) => battery.level); // Battery API: getBattery() resolves to a BatteryManager
    new Date().getTimezoneOffset(); // Timezone
- Limitations: Browser restrictions are increasing on access to the battery API for privacy reasons. Timezone information is less unique than other fingerprints.
Why Complete Replication Is Difficult
- Hardware Access: Web apps cannot directly access hardware identifiers like IMEI or serial numbers, which are core components of native app fingerprints.
- OS-Level APIs: Native apps have access to OS-specific APIs that web apps simply don’t have.
- Sandboxing: Web apps run in a sandboxed environment for security reasons, limiting their ability to interact with the underlying system.
What Can You Do?
- Use Privacy-Focused Browsers: Brave, Firefox Focus, and Tor Browser offer built-in fingerprinting protection.
- Browser Extensions: Install extensions like Privacy Badger or uBlock Origin to block tracking scripts and fingerprinting attempts.
- Disable JavaScript (Carefully): Disabling JavaScript will break many websites but can prevent most fingerprinting techniques.
- Regularly Clear Browser Data: Clearing cookies, cache, and local storage can remove some fingerprinting data.
- Use a VPN: A VPN hides your IP address, which is often used in conjunction with other fingerprinting methods.

