> UA rotation is rarely used for legitimate purposes
It’s not uncommon for hundreds of users to share a single public IPv4 IP address through an ISP-provided NAT. The same applies to corporate LANs with a single uplink channel.
These users are going to have random UAs corresponding to the market share of web browsers and operating systems, all coming to the same web server from a single IP address.
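As an added illustration of the point above (example code, not part of the thread), the following Python counts User-Agent diversity two ways over constructed log records from one NAT'd address: per source IP, where diversity is expected and noisy, and per session cookie, where a UA that changes mid-session is a much sharper signal. The record layout and session ids are assumptions.

```python
from collections import defaultdict

# Constructed sample access-log records: (client_ip, session_id, user_agent).
# All traffic comes from one NAT'd IPv4 address; sessions a-c each keep a
# stable browser UA, while session d changes its UA on every request.
SAMPLE_RECORDS = [
    ("203.0.113.10", "sess-a", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    ("203.0.113.10", "sess-a", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    ("203.0.113.10", "sess-b", "Mozilla/5.0 (Macintosh) Safari/17.0"),
    ("203.0.113.10", "sess-c", "Mozilla/5.0 (X11; Linux) Firefox/121"),
    ("203.0.113.10", "sess-d", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    ("203.0.113.10", "sess-d", "Mozilla/5.0 (Macintosh) Safari/17.0"),
    ("203.0.113.10", "sess-d", "Mozilla/5.0 (X11; Linux) Firefox/121"),
]


def distinct_uas_per_ip(records):
    """Count distinct User-Agents seen per source IP.

    Behind a carrier or corporate NAT this number is high even with no
    abuse at all, so on its own it is a noisy signal.
    """
    seen = defaultdict(set)
    for ip, _session, ua in records:
        seen[ip].add(ua)
    return {ip: len(uas) for ip, uas in seen.items()}


def rotating_sessions(records, min_distinct=2):
    """Return session ids whose User-Agent changed within the session.

    A real browser keeps one UA for the life of its session cookie, so a
    session presenting several is a far better indicator of client-side
    UA rotation than per-IP diversity is.
    """
    seen = defaultdict(set)
    for _ip, session, ua in records:
        seen[session].add(ua)
    return sorted(s for s, uas in seen.items() if len(uas) >= min_distinct)


if __name__ == "__main__":
    print(distinct_uas_per_ip(SAMPLE_RECORDS))  # {'203.0.113.10': 3}
    print(rotating_sessions(SAMPLE_RECORDS))    # ['sess-d']
```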
I mean on the play store side, where they scan app submissions for TOS violations before they even hit the store. UA rotation on the client side is rarely used for good.
As from the blog post, the source is public[0] and the Android review process is almost entirely automated static/dynamic analysis of apps submitted, so it wouldn't be super hard to find UA-like strings and have some elevated manual review if there are a lot of them (if they decided to implement this sort of abuse policy).
Google very likely only scans the input application, I'm not sure why you would bother with an automated system to detect a code repo for it when the majority of applications on the Play Store are closed-source and there's a low confidence if the builds are not repeatable.
Anyway, regardless of that it sounds like it would be easily defeated with the following C format string:
For bonus points you can make those floating points, too, and split it up a bit further. Now nobody can scan for this without a lot of false positives (the strings are going to show up in anything that embeds a web browser or references it, lol) and you get ultimate flexibility.
I think that’s only possible if they ban TCP/IP for play store apps, enforce that in the OS kernel (SELinux can probably do), and instead expose the one and only high-level HTTP API for apps.