Online shop doesn't verify Xperia 10 III as a "mobile phone"

I live in Thailand, my Thai SIM phone is the 10 iii with whatever the latest Sailfish version is.

Online shopping here via shopee.co.th is a thing.

However, in order to verify I am me, the website sends an SMS to my phone.
Hitting the verification check in the message fails, for not being on a mobile phone.

This is the power of a duopoly - or maybe it’s the browser oligopoly … who knows?

1 Like

Do you maybe happen to have ‘desktop version’ enabled in your stock browser?

If I remember well this hit me as well a couple of years ago. And if I still remember well, I copied the link to clipboard and opened it in a browser for android (when I still had AAS on my phone).

Have you tried the browser Vivaldi using AppSupport?

Sounds like they are using a browser UA whitelist or so.

Maybe spoofing the UA is all that is needed.

It could be more tricky though.

2 Likes

No, it’s not in desktop mode.

Depends on how “clever” the web app is:

  1. spoof the UA to a current mobile Chrome version
  2. use an Android web browser, chromium based, maybe repeat step 1

But AFAIU there are cleverer ways to check, and ultimately it might resist because it’s neither Android nor iOS.

And by clever I mean stupid.

Hey, brother. I emailed Shopee for 2 days straight to tell them how to fix their issue thru support a couple of months ago, but they acted like they don’t accept bug reports.

The solution is to spoof the user agent (UA) as @nephros mentioned. Web dev 101 teaches every developer that UA detection is bad practice, full of false positives, & other errors—like this situation. …but I’m sure smooth-brained management pushed this feature.

With terminal access thru the debug menu, you should be able to modify that setting:

$EDITOR $XDG_DATA_HOME/org.sailfishos/browser/.mozilla/user.js

to add this more recent Gecko-based UA

user_pref("general.useragent.override", "Mozilla/5.0 (Android 15; Mobile; rv:141.0) Gecko/141.0 Firefox/141.0");

Now if you go thru the same flow as before, you will receive your SMS as expected. You may still need “desktop mode” tho to look at recent purchases since they want to drive users to the app for that juicy data collection. Or just set a desktop UA instead:

user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0");

This worked for me on Sailfish OS’s browser, but it could have adverse effects elsewhere as you are now lying to all websites about your UA. You can use an “inline comment” via // (meaning // user_pref(…);) to disable the UA til you need it again.

…But all Gecko-based browsers (which would include Sailfish OS’s browser) have issues recently using privacy.resistFingerprinting = true since it doesn’t allow part of Shopee’s tracking/fingerprinting system to run (which they dared call pcmall-antifrauderror.$HASH.js). (Yet is still better than Lazada somehow).

4 Likes

BTW, if you have time, you may want to report this issue thru Shopee’s support webform—which is generally hidden from the web as they want you to do support thru LINE, but LINE doesn’t work on Sailfish OS. They obviously need more bug reports to take this issue seriously.

I want to provide a new workaround for Shopee’s bad UX since this page has been failing to load at all for me now which is my guess now related to a piece of JavaScript code execution failing to run for compatibility reasons… Where this comes up for me is the cookie expiring on my laptop & needing to “reauthenticate” myself.

Let’s start with the premise: Shopee wants you to verify a user thru 2FA (good practice, that it’s tied to SMS as well as specific browser requirements is another story). Why were Sailfish OS users originally refused access with “not a mobile phone”? This is due to user agent sniffing as the only means of “checking” that a user came from a phone. This has long (2 decades now?) been considered an anti-pattern/bad practice in web development.

However this poor design gives us an easy workaround if you are also coming from a laptop that does have access to a modern browser. The UA detection is super weak so you can just use the device emulation in the browser’s developer tools. I will describe how I did this with a Gecko-based browser:

  1. Copy or forward the SMS link to yourself (I used “Note to self” from my XMPP client)
  2. In a Gecko-based browser like Firefox, LibreWolf, & so forth open a new tab or window
  3. Enter “Responsive Design Mode” thru Ctrl+Shift+M or by menuing More Tools>Web Developer Tools then in the top-right corner near the close for the dev tools overlay is a button with the tooltip reading in English “Responsive Design Mode”
  4. The top-left dropdown lets you choose a device to “emulate”, so pick probably any phone option, but I went with the first Samsung Galaxy option
  5. Paste the URL in the URL bar
  6. Click the button that allows you to complete the login flow

This will ‘just work’ since the only thing gating the auth flow is “mobile” user agent & the ability to execute the JavaScript payload.

What Shopee should be doing:

  1. Don’t use SMS 2FA as it is SIM jackable with a decade of security folk recommending against it; instead use TOTP + WebAuthn for 2FA for security
  2. Don’t do user agent (UA) sniffing for almost anything
  3. Be okay keeping your product/service compatible with older tech as not everyone has the money to upgrade phones where quite a lot of OSs don’t really let you “upgrade” the browser. If the functionality was fine for the last decade, then it will work for the next. Progressive enhancement is your friend if required, but make sure critical features like authentication maximize compatibility.

What Jolla should be doing:

  1. Update the damn browser; if this isn’t easy, then you need a system that will be easy to try to keep up with the latest ESR as this shouldn’t seem like a herculean effort each update since unfortunately the web space will continue to be a moving target + Silicon Valley pseudo-gurus will recommend that targeting “evergreen browsers” is reasonable. I would be sad to move on from Gecko, but if the browser needed to move to Qt’s Webkit for ease, so be it since this can’t be the hill to die on given just how many sites are breaking & will continue to break. I have been trying to do my part making sure Fx 91 is in any browserslist I am using, but I’m not the maker of all websites (tho DM me if you need someone to build something).

1 Like
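To make concrete why the UA gate discussed in the two posts above (the user.js override and the Responsive Design Mode workaround) adds nothing to the verification, here is an added example that is not part of the thread and not Shopee's code: a constructed model of an SMS-link verifier in the "rejects non-phones by User-Agent" shape, next to a device-agnostic version where only the single-use, short-lived token decides. The regex, the Sailfish UA string, the store and all function names are assumptions made for the demo.

```python
import re
import secrets
import time
from typing import Optional

# Constructed model of the gate the thread describes: the link is only honoured
# when the User-Agent "looks like a phone". Illustrative regex, not Shopee's code.
MOBILE_UA = re.compile(r"\b(Android|iPhone|iPad)\b")


def is_mobile_ua(user_agent: str) -> bool:
    """UA sniffing: the client chooses this string, so it proves nothing."""
    return bool(MOBILE_UA.search(user_agent))


# In-memory demo store: token -> (user, expiry as epoch seconds)
_issued: dict = {}


def issue_sms_token(user: str, ttl_s: int = 300, now: Optional[float] = None) -> str:
    """Issue the single-use, short-lived token that goes into the SMS link."""
    token = secrets.token_urlsafe(24)
    _issued[token] = (user, (time.time() if now is None else now) + ttl_s)
    return token


def verify_hardened(token: str, now: Optional[float] = None) -> str:
    """Device-agnostic check: token validity alone decides the outcome."""
    now = time.time() if now is None else now
    entry = _issued.pop(token, None)  # single use: consumed on first attempt
    if entry is None:
        return "rejected: unknown or already used token"
    user, expiry = entry
    if now > expiry:
        return "rejected: expired token"
    return f"verified: {user}"


def verify_weak(token: str, user_agent: str, now: Optional[float] = None) -> str:
    """Observed behaviour: UA gate first, then the same token check.

    The gate turns away legitimate clients whose UA is neither Android nor
    iOS (the Sailfish case) while any client can send a passing string, so it
    adds no security on top of verify_hardened.
    """
    if not is_mobile_ua(user_agent):
        return "rejected: not a mobile phone"
    return verify_hardened(token, now)
```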

That’s an extremely dumb verification, and as you say trivial to work around. It is embarrassing that it stops any actual malicious actor at all.

What’s stopping you from opening the link in an Android browser on device?

I wanted to avoid installing another browser as they used to be small (40ish MiB, but not anymore). I had to cave recently since just too many sites are broken now.

1 Like