How to Block android apps to show my site? - php

I have found that certain Android applications show my site; I think they use a WebView.
How do I block all applications that can show my site?

How do I block all applications that can show my site ?
You have no means of conclusively determining what software is sending the HTTP request, and Web browsers are "applications". So, either take down your site, which will "block all applications that can show [your] site", or do not worry about what "applications" the user has chosen to view your site.

I don't think there is a 100% secure way of doing this. What you can do is to attach a header property to your app browser with a server-validated key. Without this key, in combination with a mobile browser detection library you'll know if the app is authorized or not.
But if a developer acquires this key, there is nothing to prevent him from implementing it. Also, detecting a mobile browser is not an exact science.
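A minimal server-side version of the header check this answer describes, as an added example that is not part of the original answer. It goes one step further than a static key by having the app send a timestamped HMAC, so a captured header value expires. The header name `X-App-Token`, the secret placeholder and the five-minute window are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: validate a signed, short-lived header sent by your own app's WebView.
// APP_SECRET, the X-App-Token header and MAX_SKEW are assumptions for illustration.
const APP_SECRET = 'replace-with-random-secret';   // placeholder; the app embeds the same value
const MAX_SKEW   = 300;                             // seconds a token stays valid

/** Header value the app would send: "<unix-time>.<hex HMAC-SHA256 of that time>". */
function make_app_token(int $now, string $secret = APP_SECRET): string
{
    return $now . '.' . hash_hmac('sha256', (string)$now, $secret);
}

/** True only for a well-formed, fresh token whose MAC verifies. */
function is_authorized_app(?string $token, int $now, string $secret = APP_SECRET): bool
{
    if ($token === null || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/D', $token, $m)) {
        return false;                               // header missing or malformed
    }
    if (abs($now - (int)$m[1]) > MAX_SKEW) {
        return false;                               // stale (replayed) header value
    }
    return hash_equals(hash_hmac('sha256', $m[1], $secret), $m[2]);  // constant-time compare
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, run from the command line.
    $now   = 1700000000;
    $cases = [
        'own app, fresh token'   => make_app_token($now),
        'captured token, 1h old' => make_app_token($now - 3600),
        'token made with a guess' => make_app_token($now, 'guess'),
        'plain WebView, no header' => null,
    ];
    foreach ($cases as $label => $token) {
        printf("%-26s %s\n", $label, is_authorized_app($token, $now) ? 'allow' : 'deny');
    }
} else {
    // In a page: PHP exposes the X-App-Token request header as HTTP_X_APP_TOKEN.
    if (!is_authorized_app($_SERVER['HTTP_X_APP_TOKEN'] ?? null, time())) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

The secret still ships inside the app, so the answer's caveat holds: anyone who extracts it can produce valid tokens. The mobile browser detection the answer pairs with the key is left out here.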

Related

Native login with Instagram API

I've been working on an app for IG, and was looking at other websites which use the IG API. I came across this website which allows the user to login by entering their username and password directly into the site. It is then able to access the IG API and fetch things like follower count, however without the user authenticating an IG API Client as would normally be required. The app can even perform functions such as liking pictures using your account, which as far as I know also requires you to authenticate an app with elevated privileges.
My question is, how is this app able to login users without using OAUTH which appears to be the only method of authentication?
They probably use a web automation framework like Selenium to take actions like auto-linking content by actually logging in to the Instagram web site with the accounts credentials and simulating mouse clicks, etc. to get the job done. In other words their "script" just looks like a very active user to Instagram because it's all coming from interactions between a web browser and their site.
They definitely are not using the API. Several reasons you can know this:
no OAuth flow to get an access_token
they don't appear in the authorized applications section if you log in and manage your profile
what they are doing is a violation of the API Terms of Use. See the following under "shall not"
Use the Instagram APIs to post automated content to Instagram, including likes and comments that were not initiated and entered by an Instagram user.
I'm no lawyer and I have no inside information, however it seems clear enough to me that Instagram does not want this type of "bot" activity.
They claim that they have the timing set up in a way that they go undetected, but I think it's a safe bet that there are algorithms at Instagram trying to detect and prevent this type of activity and if they do, accounts would be at risk of being disabled, etc. I have no inside knowledge here, just speculation.
The Instagram application that you use from your cellphone uses HTTP/HTTPS communication with their application server. The link that you provided in the question simulates those HTTP calls to mimic the Instagram application.
You can redirect your cell phone's Internet connection through a proxy (your own proxy server). From your proxy server, catch the web requests that are being sent by the Instagram application when you are logging in, liking, etc.
It will be easy for you if the requests go through an HTTP channel. But if it's through HTTPS, then it will be really difficult to capture those. You can try Fiddler or some similar software for this.
What I THINK is happening is the following:
They are logging your PHPSESSID and using that so you have the ability to like pictures and whatnot. They are doing all of the back-end work directly in index.php.
If you track the requests that are being sent to index.php through the Network tab in Chrome, you will see that "Cookie:_ instamacro_advcontent=1; PHPSESSID=" on the index.php file "Headers" tab.
I'm doing the same with my website that uses Vine's API (not public, btw). In a PHP file I created called api.php, I use Vine's API to perform actions. I do not use OAuth at all. I simply use the user's "x-vine-session" cookie.

Android launching intents for one page on a site

I've built a little mobile web app for the town I live in which aggregates a lot of info and makes it readable. Lately, on my Android phone browser, when I go to a certain page it asks me whether I want to open it with Browser or MX Android Player. I've looked at the request headers in Chrome and I can't find anything wrong with it. I've had someone test this on an iPhone and the issue doesn't happen. Any ideas?
The site in question is http://sligo.me
The page throwing errors is http://sligo.me/Events.
This has nothing to do with your page. Rather, it has something to do with MX Android Player. Android allows its apps to register for URLs to be handled through them. In this way, if Chrome is installed on a phone and the user clicks on a URL, the system will ask if it should use Chrome or Browser to open the URL. The user can now select a default app or make the choice every time she clicks on a URL.
An app can also register for some URL parts only. A good Twitter app would register for all URLs with the host Twitter and then display the content of that page inside the app.
I guess that MX Android Player registered for some URLs and that http://sligo.me/Events matches that filter. You could experiment a little bit and try to change the URL part that the filter matches. More information about this filtering can be found in the documentation about Intents and Intent Filters.

How to record user's voice from the website but without Flash?

How to record user's voice from the website without Flash? I want to use HTML5 but I found it will be hard to implement that. This site says this functionality is now only supported by the latest version of Chrome and Opera.
After searching the articles both here and on the other site, I decided to find an alternative approach.
The scenario is: users will use different sorts of platforms (Android/iOS and other OSes), but they access the same website, record their voice on their device and upload it later.
BTW: My purpose is that, as the users press the "Record" button on my web-page, the recording starts with his microphone. And as he presses the button again, the process stops. This can be on an iPad or a mobile phone so that he can't record his voice by some other software and store in his device then upload. They use their device to link my web-page to record voice. The webpage is not just for the users who operate on a PC.
Can I implement this function on the client side via JavaScript? Or should I refer to the server side? What language and method should I adopt?
You can check Google's Web Fundamentals article on recording audio here: https://developers.google.com/web/fundamentals/media/recording-audio/
It's pretty easy to follow and it is device independent, obviously given correct browser support. You can get the audio recorded and saved on the local device or upload it to a server. Hope it helps.
Oh, and on a note, it's based on HTML5 and JS. I don't know why you think implementing it using HTML5 is difficult but I hope this helps.
If it was up to me, I'd go for something like the link mentioned above and just use a fallback to a Flash applet if it's not supported in the user's browser.
When it comes to the mobile platform, you'll have a big problem at least with the iPhone. I don't think you can upload files, and I am pretty certain that you cannot record audio from their microphone. The best approach would be an application to do such a thing on mobile devices. I am pretty sure that this can be done with PhoneGap - http://docs.phonegap.com/en/1.0.0/phonegap_media_capture_capture.md.html
If you're not familiar with PhoneGap, it allows you to write cross-platform applications for mobile devices in HTML/CSS/JS and still get access to some core components, like capturing audio.
Unfortunately no, you can't record from the browser, however, if you have an app (you can use Phonegap/Cordova (which use HTML5, JS and CSS to build your app for many platforms)) to record whatever you want to record, you can easily upload what you want to your server. It is currently impossible to use pure HTML5 in the mobile web browser to do this.
If you want to learn more about this, the API reference is a good start: http://docs.phonegap.com/en/2.1.0/cordova_media_capture_capture.md.html#capture.captureAudio

Social Log In Authentication. Possible in iFrame

I have reverse engineered a social login framework to use frames instead of popup windows. It is working, but it appears that the authentication content will not display.
I wondered if maybe this was deliberate from the social network provider as I cannot find a mistake in my code.
EDIT:
I have been told that this is deliberate to prevent a cyber attack. Pop-up windows are monstrously ugly though and terrible on mobile devices. Is there a replacement that can work? Since iFrames cannot, is there another way of keeping it seemingly inline to the page?
If you want to make it seamless, then you'll need to look at an alternative approach altogether. Most of these social networks (Twitter, Facebook etc.) have APIs that allow you to connect and log in "in code" rather than just OAuth from your page.
That's the only way you can reliably avoid the dreaded popup.

Activating google analytics using curl?

I need to execute a Google Analytics script on a site using curl. What are the reporting features that will be available to me for that curl request?
To make my question clearer, suppose I have a website www.abc.com which has analytics code on it and I connect to www.abc.com from www.xyz.com using curl. Will the request I made using curl show in the analytics report of www.abc.com?
What are the parameters that won't show? Since there is no navigator there wouldn't be screen resolutions, color depth, or any other JavaScript-based features. Are there any other reporting features that wouldn't be available to me?
I need the following to show up :
user agent (which I will be sending by setting a header)
referrer (again, which I will be sending by setting a header)
source IP address and location (using proxies for different countries)
One issue that I'm unsure of is Google's cookies and whether (since I might also be using proxies) these need to be cleared. The ultimate outcome is that I need to be able to emulate site traffic as if it is coming from a variety of visitors....
If the entire thing is not technically possible, is there any other way I can simulate diverse traffic into my Google Analytics account?
So, the other answers are right: CURL doesn't execute JS, and there are some methods of automated requests that do.
Other methods to simulate diverse traffic to your account include:
Visit the site manually, and grab the __utm.gif request that Google Analytics generates, and manipulate its pieces so that you can CURL it in conjunction with curling the actual site, so that the GA pageviews are recorded. (i.e., alter the hostname, pageview name, timestamp, etc.) You can find the meaning of the values of those parameters here.
Implement a server side GA on your target site.
Use a headless web engine to programmatically crawl sites. PhantomJS is a particularly user-friendly option.
Use a browser screenshot service like BrowserShots to get traffic from distributed locations to visit your site.
Use Amazon's Mechanical Turk to get people to visit the site. You could pay $0.01 per click, and get a large amount of diverse traffic from a large number of sources. (To verify, give them an arbitrary, simple task like asking them "What's the headline on this website?")
You can send events directly to Google Analytics using the Measurement Protocol, creating GET or POST requests directly with the tool of your choice.
See reference here:
https://developers.google.com/analytics/devguides/collection/protocol/v1/reference
No, because Google Analytics is based on JavaScript and curl doesn't process HTML or JavaScript.
Instead of curl, use a command-line tool that does JavaScript, like HTTPUnit (which includes Rhino). I have heard about WATIR too but never tried it.
Those happen to be testing tools, but I guess you can use them to trigger Google Analytics too.
