Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is it possible to be undetected while emulating phone? #330

Closed
Somberor opened this issue Sep 19, 2020 · 9 comments
Closed

Is it possible to be undetected while emulating phone? #330

Somberor opened this issue Sep 19, 2020 · 9 comments

Comments

@Somberor
Copy link

Somberor commented Sep 19, 2020
edited
Loading

Hey guys ,
I've tried to emulate phone while using the stealth plugin,
but it seems like most of the sites can easily detect that its phone:
http://prntscr.com/ujz2js
http://prntscr.com/ujz2z0

I think this makes 0 sense and might be a big reason for the detection as how can I be using nvidia and chromium on iphone :D
http://prntscr.com/ujz3wg

The code is used to open the browser:
`const puppeteer = require('puppeteer-extra');

const puppeteerdevice = require('puppeteer');
const pluginStealth = require('puppeteer-extra-plugin-stealth');
puppeteer.use(pluginStealth());
let isheadless = false;
let browser2 = await puppeteer.launch({
    headless: isheadless,
    //ignoreHTTPSErrors: true,
    //executablePath: 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
    args: []
});
let page2 = (await browser2.pages())[0];
let iPhonex = puppeteerdevice.devices["iPhone X"];
await page2.emulate(iPhonex);`
@prescience-data
Copy link
Collaborator

There are many leaks from an emulated phone, too many to list.

Even executing through a proper emulator such as BlueStacks is fairly easy to detect by a sufficiently motivated adversary.

@Somberor
Copy link
Author

There are many leaks from an emulated phone, too many to list.

Even executing through a proper emulator such as BlueStacks is fairly easy to detect by a sufficiently motivated adversary.

How can I learn about those leaks?
Is it also possible to modify any leak via puppeteer?

@prescience-data
Copy link
Collaborator

Here's a couple of papers on the topic, but the problems are so broad that it's hard to capture in a single paper:

For example, the first thing a detection script will do is check something like your expected device touchpoints... which obviously won't be there in the example you provided.

@Somberor
Copy link
Author

Thank you @prescience-data

@evading-bot-detection
Copy link

There are many leaks from an emulated phone, too many to list.

Even executing through a proper emulator such as BlueStacks is fairly easy to detect by a sufficiently motivated adversary.

the official Apple emulator passes the Pixelscan test.

@berstend
Copy link
Owner

Emulating a different browser engine (e.g. iPhone which uses WebKit) is a lost cause, there are too many differences in the JS VM/API alone.

Once #303 as landed we could check how different the iPhone Safari is in comparison to desktop webkit and if it's possible to patch the JS APIs to mask the differences.

Successfully emulating a mobile Chrome through desktop Chrome should be possible (ignoring fingerprinting/canvas hashes for a moment, this topic requires a dedicated solution in general).

It'd be nice if someone would compare a real and emulated mobile Chrome and list the differences here (also curious if there are emulation differences with playwright/pptr).

@prescience-data
Copy link
Collaborator

There are many leaks from an emulated phone, too many to list.
Even executing through a proper emulator such as BlueStacks is fairly easy to detect by a sufficiently motivated adversary.

the official Apple emulator passes the Pixelscan test.

Would be interested to see the differences between the canvas hashes of an emulated iPhone and a real iPhone of the same model.

@berstend
Copy link
Owner

berstend commented Nov 3, 2020

Closing this for now, discussions like this might be better suited for our discord.

@berstend berstend closed this as completed Nov 3, 2020
@Summaw
Copy link

Summaw commented Oct 1, 2023
edited
Loading

Here's a couple of papers on the topic, but the problems are so broad that it's hard to capture in a single paper:

For example, the first thing a detection script will do is check something like your expected device touchpoints... which obviously won't be there in the example you provided.

This could be a dumb question of sorts but is it not possible to imitate or create some sort of package in which we could spoof users movements? Could be something like ghost-cursor? Obviously it wouldn't be like ghost-cursor but the idea and concept behind ghost-cursor package? Ghost-Cursor uses Bezier curves to act human like... is that not possible for us to create for mobile?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@berstend @Somberor @prescience-data @evading-bot-detection @Summaw