Description
Browsers have done a good job so far of limiting the entropy offered through the User-Agent header. Apps that access your website through a webview, on the other hand, often offer up so much data in their UA that it is ridiculous. Here is an example:
```
Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 musical_ly_35.1.0 JsSdk/2.0 NetType/MOBILE Channel/App Store AppVersion/35.1.0 AppName/musical_ly Rifle_35.1.0 musical_ly_35.1.0 JsSdk/2.0 NetType/4G Channel/App Store ByteLocale/pl Region/PL ByteFullLocale/pl-PL isDarkMode/1 Spark/1.5.7 HybridTag/E97C9DDD-9E0C-4CFA-ABEB-0C1F32063216 WKWebView/1 Bullet/1 musical_ly/35.1.0 BytedanceWebview/d8a21c6 FalconTag/8C4B675C-6719-4A7C-B661-86796F3
```
The question is how you expect an app to represent itself in the `Sec-CH-UA` header. From an analytics perspective it is useful to know that the user accessed your website through app XXX, using a webview backed by XXX browser or engine:
- Is this the correct place for app makers to place the name of the application?
- Should they also place any frameworks or webview engines that they use in here?
- What should they not place in here?
This scenario has not been mentioned, so I just wanted to put it out there and see what others thought.
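
An added example, not part of the original issue: a server-side sketch that splits the User-Agent quoted above into the engine's own tokens and everything the embedding app appended, and flags UUID-shaped values. The `BASELINE` set and the UUID pattern are assumptions made for this sample, not anything defined by the Client Hints proposal.

```python
import re

# User-Agent copied from the issue text above (its last tag is cut off there).
UA = (
    "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) "
    "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 "
    "musical_ly_35.1.0 JsSdk/2.0 NetType/MOBILE Channel/App Store "
    "AppVersion/35.1.0 AppName/musical_ly Rifle_35.1.0 musical_ly_35.1.0 "
    "JsSdk/2.0 NetType/4G Channel/App Store ByteLocale/pl Region/PL "
    "ByteFullLocale/pl-PL isDarkMode/1 Spark/1.5.7 "
    "HybridTag/E97C9DDD-9E0C-4CFA-ABEB-0C1F32063216 WKWebView/1 Bullet/1 "
    "musical_ly/35.1.0 BytedanceWebview/d8a21c6 "
    "FalconTag/8C4B675C-6719-4A7C-B661-86796F3"
)

# A token is either a parenthesised comment or a whitespace-delimited product.
TOKEN = re.compile(r"\([^)]*\)|[^\s()]+")
# UUID-shaped value; the last group may be short because the sample is truncated.
UUID_LIKE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{1,12}$")
# Assumption: product names treated as the engine's own baseline for this sample.
BASELINE = {"Mozilla", "AppleWebKit", "Mobile", "Safari", "Version"}


def split_ua(ua):
    """Separate the engine baseline from tokens the embedding app appended."""
    baseline, app_added, uuid_like = [], [], []
    for tok in TOKEN.findall(ua):
        name, _, value = tok.partition("/")
        if tok.startswith("(") or name in BASELINE:
            baseline.append(tok)
            continue
        # A value with a space ("App Store") splits in two, so "Store" lands here too.
        app_added.append(tok)
        if UUID_LIKE.match(value):
            uuid_like.append(name)
    return {
        "baseline": " ".join(baseline),
        "app_added": app_added,
        "uuid_like": uuid_like,
    }


if __name__ == "__main__":
    result = split_ua(UA)
    print("baseline:", result["baseline"])
    print("app-added tokens:", len(result["app_added"]))
    print("UUID-shaped values under:", result["uuid_like"])
```

Logging only the `baseline` string plus an app name and version is one way to keep the analytics value described above without storing the rest.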