Web server log entries for iPhone appearing; authentic?

Several sites, including Mac Rumors, have reported seeing server log entries that appear to be generated by test iPhone units. This assumption is based on the user agent string being generated, which looks something like this:

• Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A538a Safari/419.3

for comparison, the user agent string generated by the current version of Safari running on an Intel-based Mac with Mac OS X 10.4.9 and Security Update 2007-004:

• Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3

Is it possible that this user agent string could have been faked to give the appearance of an iPhone browsing these sites? Most certainly.

Let’s break the first, purportedly iPhone-generated string down:

Mozilla/5.0: This is the browser type generated, by default, by Safari — it doesn’t indicate that the iPhone is running a version of Mozilla or Firefox.

(iPhone; U; CPU like Mac OS X; en) This is the platform of the accessing agent. You can see that the device is identified as “iPhone,” and the CPU as “CPU like Mac OS X.”

AppleWebKit/420+ This is the version of WebKit (the engine that powers Safari and many other HTML-rendering applications in Mac OS X). The build number used here is 420+, which is newer than that of the latest public Safari for Mac OS X release. However, this build is used by OmniWeb (another WebKit-based browser). In fact, even newer builds of WebKit are available from the WebKit open source project. A nightly build downloaded on May 26th, for instance, was numbered AppleWebKit/522+.

Version/3.0 Mobile/1A538a Safari/419.3 Here’s where things get interesting. In the normal user agent string generated by the latest version of Safari for Mac OS X, there is no Version/ entry, nor (obviously) a Mobile/ entry. There is only the Safari/ entry. What’s odd is that the Version/ entry appears to indicate Safari 3.0, which is scheduled to ship with Mac OS X 10.5 (Leopard), yet theSafari/ entry indicates 419.3 — the same version number indicated by Safari 2.0.4 running on a fully-patched Mac OS X 10.4.9 system.

Spoofing a user agent is a simple process, and can be accomplished quite simply by either directly modifying the HTTP headers sent out by a browser (as can be accomplished to some extent by enabling the debug menu in Safari), or by using a Web site like WannaBrowser. Simply enter the aforementioned, purportedly iPhone-generated string in the “HTTP User Agent” field at WannaBrowser, then enter the address of a site that reads back the user agent (like this one) and inspect the resulting HTML source code, which will contain:

Shown below is the User Agent string your browser is sending out. Use it
check your changes: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A538a Safari/419.3

So while these entries could very well represent test iPhone units being used by Apple employees to test various Web sites (indeed sites have indicated that the IP addresses appear to originate from within Apple), it’s wholly possible that they are nothing more than the fruits of some simple user agent masquerading.