Fake video sharing Android App!

Guys, someone cloned our video-sharing website and created a FAKE Android
application using the same name as our website, and people consider it to be
our app, which it is not. The main problem we’re facing is that the videos being
served from this Android application are hotlinked to our server, due to
which we’re the ones affected by its bandwidth cost.

The web server is nginx and hotlinking is already enabled, but the issue is
that there is no Referer header in the requests generated by this Android
application.

What precautions should we take to prevent this application from using our
server’s bandwidth?

Regards.
Shahzaib

On 16.03.2015 13:09, shahzaib shahzaib wrote:

What precautions should we take to prevent this application from using our
server’s bandwidth?

Probably you can use
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html

to completely prevent hotlinking from any other applications and from
unauthorized users.

But the secret must not be included inside your Android application,
and secure links must be generated only on the server, and only
for allowed (authorized) Android applications and users.


Best regards,
Gena
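Worked example (added here; it is not code from the thread, from Gena, or from nginx itself): a backend-side signer and checker in Python for the secure_link_md5 scheme Gena points to. It assumes the nginx expression `secure_link_md5 "$secure_link_expires$uri secret";`, a hypothetical `SECRET` that lives only on the server, and a hypothetical host name. The app never holds the secret; it asks the authenticated backend for a signed URL, which is the separation Gena's caveat asks for.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret (assumption). It is never shipped inside the
# Android app; only URLs signed with it reach nginx.
SECRET = "example-secret-change-me"

# Matching nginx configuration this code assumes (not from the thread):
#
#   location /files/ {
#       secure_link     $arg_md5,$arg_expires;
#       secure_link_md5 "$secure_link_expires$uri example-secret-change-me";
#       if ($secure_link = "")  { return 403; }   # hash mismatch
#       if ($secure_link = "0") { return 410; }   # link expired
#       ...
#   }


def secure_link_token(uri, expires, secret=SECRET):
    """Token nginx expects: MD5 of "<expires><uri> <secret>", base64url
    encoded with the '=' padding removed."""
    expression = f"{expires}{uri} {secret}".encode()
    digest = hashlib.md5(expression).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def signed_url(base, uri, ttl, now=None, secret=SECRET):
    """Build the URL the backend hands to an authorized client.
    `base` is scheme+host, `uri` is the nginx $uri, `ttl` is seconds of validity."""
    expires = (int(time.time()) if now is None else int(now)) + ttl
    token = secure_link_token(uri, expires, secret)
    return f"{base}{uri}?md5={token}&expires={expires}"


def check_link(uri, md5, expires, now, secret=SECRET):
    """Mirror of nginx's $secure_link evaluation:
    "" on hash mismatch, "0" if the link has expired, "1" if valid."""
    expected = secure_link_token(uri, int(expires), secret)
    if not hmac.compare_digest(md5, expected):
        return ""
    return "0" if int(expires) < now else "1"


def parse_signed(url):
    """Split a signed URL back into (uri, md5, expires) as nginx sees them."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return parts.path, query["md5"][0], int(query["expires"][0])


if __name__ == "__main__":
    # Hypothetical host and path, constructed for illustration.
    url = signed_url("https://conversion.example.net", "/files/videos/1.mp4", ttl=600)
    print(url)
    uri, md5, expires = parse_signed(url)
    print("fresh link:", check_link(uri, md5, expires, now=int(time.time())))
```

The `expires` value is bound into the hash, so a client cannot extend a link by editing the query string. The nginx docs also show binding `$remote_addr` into the expression; that ties each link to one client IP, which is stronger but breaks for mobile clients whose address changes mid-session, so it is a deliberate trade-off rather than a default.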

On Mon, Mar 16, 2015 at 04:09:30PM +0500, shahzaib shahzaib wrote:

Hi there,

The web server is nginx and hotlinking is already enabled, but the issue is
that there is no Referer header in the requests generated by this Android
application.

What precautions should we take to prevent this application from using our
server’s bandwidth?

You have “the requests that you wish to allow as normal”. You have “the
requests that you wish not to allow, since they come from this client”.

What part of the request that nginx sees puts it into the “yes” or
“no” bucket?

Put that in your configuration, so that “yes” does what happens now,
and “no” returns an HTTP error, or returns a different video inviting
the client to get your official app.

Perhaps their app uses a unique User-Agent header; or all “wanted”
clients do include a Referer header?

If you can’t tell a “good” request from a “bad” one, you probably cannot
configure nginx to.

f

Francis D. [email protected]

if ($http_user_agent ~* "Linux;Android 4.2.2") {
    return 403;
}

Looks correct, but maybe nginx does not like the “;” in the provided
string? To be honest, I never used such a rule. But anyhow this isn’t the
perfect solution: you’re just blocking Android version 4.2.2 with
that. When a user has a phone with just Android 4, the if won’t work.

Just try that, I hope it will work (I’m just guessing):

if ($http_user_agent ~* '(Android|android)') {
    return 403;
}

Regards,
Patrik

Hi,

I have installed that Android app and the request log against my IP is the
following:

39.49.52.224 - - [15/Mar/2015:10:40:26 +0500] "GET /files/thumbs/2015/03/14/1426310448973c5-1.jpg HTTP/1.1" 200 13096 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"

where 39.49.52.224 is the IP of my modem.

I have also tried blocking a specific user agent such as Android, but
neither did it work (surely I am doing something wrong) nor is this the
correct solution:

if ($http_user_agent ~* "Linux;Android 4.2.2") {
    return 403;
}

Thanks.
Shahzaib

A map will be better here:

map $http_user_agent $block {
    default                        0;
    # a regex key containing a space must be quoted, or nginx splits it
    "~*Linux.Android 4\.2\.2"      1;
    # ...etc...
}

location / {
    if ($block) { return 403; }
}

Posted at Nginx Forum:

On Mon, Mar 16, 2015 at 06:45:30PM +0500, shahzaib shahzaib wrote:

Hi there,

I have installed that Android app and the request log against my IP is the
following:

39.49.52.224 - - [15/Mar/2015:10:40:26 +0500] "GET /files/thumbs/2015/03/14/1426310448973c5-1.jpg HTTP/1.1" 200 13096 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"

where 39.49.52.224 is the IP of my modem.

So - you have the log line for one request that you would like to block.

Do you have the log line for the matching request that you would like
to allow?

And that log line shows just two request headers plus an IP address. If
that is enough to accurately distinguish between “yes” and “no” requests,
you’re good. If not, examine the entire request (either by extra logging
in nginx, or by watching the network traffic involved in each).

I have also tried blocking a specific user agent such as Android, but
neither did it work (surely I am doing something wrong) nor is this the
correct solution:

if ($http_user_agent ~* "Linux;Android 4.2.2") {

Does that 19-character string appear in the user agent header? If not,
the “if” will not match.

(I don’t see it in there.)

If the most important thing is that “they” don’t “steal” your bandwidth,
you can just turn off your web server. Bandwidth saved.

But presumably it is also important that some requests are handled as
they currently are.

Only you can say what distinguishes a “no” request from a “yes”
request.

And only you can say which “yes” requests you are happy to
mis-characterise as “no” requests and reject.

After you determine those, then you can decide how to configure nginx
to implement the same test.

(For example: check your logs from before this app started. Do all valid
requests include Referer? Are you happy to block any actually-valid
requests that omit Referer, in order to block all requests from this
app? How long do you think it will take the app author to change their
app to include a Referer, if you do that?)

f

Francis D. [email protected]
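Worked example (added here; not code from the thread or from Francis): his advice is to decide, from the logs, which request attributes separate the “yes” bucket from the “no” bucket before touching the nginx configuration. The Python below parses sample lines in nginx’s default combined log format, tallies them by Referer presence and user-agent family, and scores two candidate rules by how many requests each would reject. The sample lines are constructed: the first is the line Shahzaib posted, the rest are made up, and all function names are assumptions.

```python
import re
from collections import Counter

# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log. Line 1 is the request from the thread; lines 2-5 are
# made up to represent the kinds of traffic a video site sees: browsers sending
# a Referer, the cloned app's Dalvik client sending none, and a desktop browser
# that also sends none (a "yes" request that a Referer rule would reject).
SAMPLE_LOG = """\
39.49.52.224 - - [15/Mar/2015:10:40:26 +0500] "GET /files/thumbs/2015/03/14/1426310448973c5-1.jpg HTTP/1.1" 200 13096 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"
203.0.113.7 - - [15/Mar/2015:10:41:02 +0500] "GET /files/videos/1.mp4 HTTP/1.1" 206 524288 "http://www.domain.net/watch/1" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 Chrome/33.0.1750.136 Mobile Safari/537.36"
198.51.100.9 - - [15/Mar/2015:10:41:30 +0500] "GET /files/videos/2.mp4 HTTP/1.1" 200 1048576 "http://domain.com/watch/2" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/40.0.2214.115 Safari/537.36"
39.49.52.224 - - [15/Mar/2015:10:42:11 +0500] "GET /files/videos/3.mp4 HTTP/1.1" 200 2097152 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"
192.0.2.33 - - [15/Mar/2015:10:43:00 +0500] "GET /files/videos/4.mp4 HTTP/1.1" 200 3145728 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/40.0.2214.115 Safari/537.36"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ua_family(ua):
    """Coarse user-agent class; 'Dalvik/' is the default UA of Android's HTTP stack."""
    if ua.startswith("Dalvik/"):
        return "dalvik"
    if "Android" in ua:
        return "android-browser"
    return "other"


def bucket(entry):
    """(referer_present, ua_family) for one parsed entry; nginx logs a missing Referer as '-'."""
    return (entry["referer"] not in ("", "-"), ua_family(entry["ua"]))


def summarize(log_text):
    """Count requests per bucket so you can see what the 'yes' and 'no' sets look like."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[bucket(entry)] += 1
    return counts


def would_block(entry, rule):
    """Candidate 'no' tests, the same decisions an nginx map or valid_referers would make."""
    referer_present, family = bucket(entry)
    if rule == "require_referer":   # like valid_referers without 'none'
        return not referer_present
    if rule == "block_dalvik":      # like a map on $http_user_agent
        return family == "dalvik"
    raise ValueError(f"unknown rule {rule!r}")


def evaluate_rule(log_text, rule):
    """Return (blocked, kept) for a rule, so collateral rejections are visible before deploy."""
    blocked = kept = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if would_block(entry, rule):
            blocked += 1
        else:
            kept += 1
    return blocked, kept


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"referer={key[0]!s:5} ua={key[1]:16} {n}")
    for rule in ("require_referer", "block_dalvik"):
        print(rule, "blocked/kept =", evaluate_rule(SAMPLE_LOG, rule))
```

Run it against a real pre-incident access log instead of `SAMPLE_LOG` to answer Francis’s question about how many legitimate requests omit Referer. Note for the nginx side: if the rule you settle on is `valid_referers`, listing `none` in it marks requests with no Referer as valid, so `$invalid_referer` will never fire on the Dalvik requests above.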

I’d use some kind of authentication based on a user logging in before
allowing use of a service, an encrypted cookie or something along that
line.

Posted at Nginx Forum:

@itpp thanks for the suggestion, but the problem is that this is an invalid
way of blocking requests belonging to Android, and the reason is that our
official Android app will be released soon and filtering based on this
user-agent will block valid users as well. So we need something different,
such as adding some custom header in the official Android app and filtering
requests based on that (maybe).

@Francis, thanks for the explanation and suggestion. As you suggested, I
should enable extra logging; currently the following is the log format
enabled on nginx. Does nginx support an extra logging format? I want to log
each parameter to distinguish between valid and invalid requests. The
following is the current log format:

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

Thanks.
Shahzaib

Which can all be faked (eventually); build some kind of
validation/authentication system before launching your app.

Posted at Nginx Forum:

@itpp, you’re right, but even if we can partially solve this problem, it’ll
be sufficient for us. Well, using the below method worked in our case:

location ~ \.(mp4)$ {
    mp4;
    root /var/www/html/conversion;
    expires 1d;
    # "servers" in the posted config is read by nginx as a literal host name;
    # "server_names" is the keyword that allows this server's own names
    valid_referers server_names domain.net content.domain.com;
    if ($invalid_referer) {
        return 403;
    }
}

This config only permits domain.net and domain.com while rejecting any
other Referer header, such as an empty one.

@itpp, as I sent in the logs above, the Referer header for Android requests
is empty; maybe blocking requests based on an empty Referer header will
partially resolve our issue? The following is the config I used to block an
empty Referer header, but in vain.

valid_referers server_names ~.;
if ($invalid_referer) {
return 403;
}

Android request log:

39.49.52.224 - - [15/Mar/2015:10:40:26 +0500] "GET /files/thumbs/2015/03/14/1426310448973c5-1.jpg HTTP/1.1" 200 13096 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"

I might be putting this config in the wrong location; the following is the
content of android.conf and virtual.conf:

virtual.conf :

server {
    listen 80;
    server_name conversion.domain.com;
    client_max_body_size 8000m;

    limit_rate 180k;

#   access_log  /websites/theos.in/logs/access.log  main;

    location / {
        root   /var/www/html/conversion;
        index  index.html index.htm index.php;
#       autoindex on;
        include android.conf;
    }

    location ~ \.(flv|jpg|jpeg)$ {
        flv;
        root /var/www/html/conversion;
        expires 2d;
        include android.conf;
        valid_referers none blocked domain.net www.domain.net domain.com www.domain.com;
        if ($invalid_referer) {
            return 403;
        }
    }

    location ~ \.(mp4)$ {
        mp4;
        root /var/www/html/conversion;
        expires 1d;
        include android.conf;
        valid_referers none blocked domain.net www.domain.net domain.com www.domain.com;
        if ($invalid_referer) {
            return 403;
        }
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        root /var/www/html/conversion;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny  all;
    }
}

android.conf :

# user-agent block, commented out (an uncommented "return 403;" at location
# level would reject every request in the including location)
#if ($http_user_agent ~* "Android") {
#    return 403;
#}

valid_referers server_names ~.;
if ($invalid_referer) {
    return 403;
}

Regards.

Shahzaib