How to know if someone has embedded my website into an Android App?

Question

I'm recieving request to my php webserver with this content in HTTP_X_REQUESTED_WITH header:

[HTTP_X_REQUESTED_WITH] => com.android.browser

This var is into $_SERVER global var when the website is requested from an Android App but i'm not sure if this is the correct way to detect if someone is embedded my website.

I'm not sure if that request are from any Google built-in app or from any app that is taking advantage of my work without permission.

EDIT: These type of requests began suddenly in December 2016.

Regards

Answer 1

I'm not sure if that request are from any Google built-in app or from any app that is taking advantage of my work without permission.

You really can't be 100% percent sure about it by only looking at that, it might be an app embedding your website, or a legitimate user accessing your website through an android browser. Different browsers send different HTTP headers (for example the one you have noticed) as well as user agents.

For example, if your website is requested via a WebView (the "browser" component you can use in an app that could be used to impersonate your website), you should get this kind of user agent:

Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36

The key is wv here, that indicates that the request comes from a WebView (Take a look at https://developer.chrome.com/multidevice/user-agent)

Likewise, Google Spiders (and thousand others) add other headers / user agents.

However, all these things are easily forged, so (imho) at the end of the day it doesn't really pay off to spend too much time and resources on complicated heuristics that, at most, would only ban the most novice impersonators.

I'd suggest you to monitor a little those requests, and if at some point you suspect they're non-legit, just ban them in the server configuration file.