Fake video sharing Android App !!

Francis Daly francis at daoine.org
Mon Mar 16 14:50:25 UTC 2015

On Mon, Mar 16, 2015 at 06:45:30PM +0500, shahzaib shahzaib wrote:

Hi there,

>     I have installed that Android app and the requested log against my IP is
> the following:
> - - [15/Mar/2015:10:40:26 +0500] "GET
> /files/thumbs/2015/03/14/1426310448973c5-1.jpg HTTP/1.1" 200 13096 "-"
> "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"
> where is ip of my modem.

So - you have the log line for one request that you would like to block.

Do you have the log line for the matching request that you would like
to allow?

And that log line shows just two request headers plus an ip address. If
that is enough to accurately distinguish between "yes" and "no" requests,
you're good. If not, examine the entire request (either by extra logging
in nginx, or by watching the network traffic involved in each).

> I have also tried blocking a specific user agent such as Android, but neither
> did it work (sure I am doing something wrong) nor is this the correct
> solution:
> if ($http_user_agent ~* "Linux;Android 4.2.2") {

Does that 19-character string appear in the user agent header? If not,
the "if" will not match.

(I don't see it in there.)

If the most important thing is that "they" don't "steal" your bandwidth,
you can just turn off your web server. Bandwidth saved.

But presumably it is also important that some requests are handled as
they currently are.

Only you can say what distinguishes a "no" request from a "yes"

And only you can say which "yes" requests you are happy to
mis-characterise as "no" requests and reject.

After you determine those, then you can decide how to configure nginx
to implement the same test.

(For example: check your logs from before this app started. Do all valid
requests include Referer? Are you happy to block any actually-valid
requests that omit Referer, in order to block all requests from this
app? How long do you think it will take the app author to change their
app to include a Referer, if you do that?)

Francis Daly        francis at daoine.org
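
The check suggested in the message above (measure from the access log what a candidate rule would reject before writing it into nginx), as an added example that is not part of the original post. The sample log lines, IP addresses, example.com Referer values and function names are constructed for illustration; only the Dalvik user agent string and the posted pattern come from the thread.

```python
import re
from collections import Counter

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: documentation-range IPs and example.com are placeholders;
# only the Dalvik user agent string is taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2015:10:40:26 +0500] "GET /files/thumbs/a-1.jpg HTTP/1.1" 200 13096 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"
192.0.2.10 - - [15/Mar/2015:10:40:31 +0500] "GET /files/thumbs/b-1.jpg HTTP/1.1" 200 9120 "-" "Dalvik/1.6.0 (Linux; U; Android 4.2.2; GT-S7582 Build/JDQ39)"
198.51.100.7 - - [15/Mar/2015:10:41:02 +0500] "GET /files/thumbs/a-1.jpg HTTP/1.1" 200 13096 "http://video.example.com/watch/1" "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"
203.0.113.5 - - [15/Mar/2015:10:41:40 +0500] "GET /files/thumbs/b-1.jpg HTTP/1.1" 200 9120 "http://video.example.com/watch/2" "Mozilla/5.0 (Linux; Android 4.2.2; Nexus 4) AppleWebKit/537.36 Chrome/40.0 Mobile Safari/537.36"
198.51.100.9 - - [15/Mar/2015:10:42:15 +0500] "GET /files/thumbs/a-1.jpg HTTP/1.1" 200 13096 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0"
"""

def parse(log_text):
    """Yield a dict per line that matches the combined format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def no_referer(entry):
    """Candidate rule: reject requests without a Referer header (logged as "-")."""
    return entry["referer"] in ("", "-")

def ua_matches(pattern):
    """Candidate rule: unanchored, case-insensitive regex on the user agent,
    approximating nginx's `$http_user_agent ~* "pattern"`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda entry: rx.search(entry["agent"]) is not None

def evaluate(log_text, rule):
    """Return (blocked, allowed) request counts keyed by user agent product."""
    blocked, allowed = Counter(), Counter()
    for entry in parse(log_text):
        product = entry["agent"].split("/", 1)[0] or "(empty)"
        (blocked if rule(entry) else allowed)[product] += 1
    return dict(blocked), dict(allowed)

if __name__ == "__main__":
    for name, rule in [
        ("no Referer", no_referer),
        ('UA ~* "Linux;Android 4.2.2"', ua_matches("Linux;Android 4.2.2")),
        ('UA ~* "Android 4\\.2\\.2"', ua_matches(r"Android 4\.2\.2")),
    ]:
        print(name, evaluate(SAMPLE_LOG, rule))
```

On this sample the posted pattern rejects nothing, while both the Referer rule and a pattern that does occur in the header reject the two app requests plus one browser request, which is the mis-characterisation trade-off the message describes.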
