Prevent web browsers to access mobile custom server domain


#1

I was just wondering. When I host my mobile app I often choose app.mydomain.com as the server app domain.

That means users who are smart :slight_smile: They could try access the app via browser and try the app.mydomain.com

Two questions:

  1. Is there a way to block web browser to access it ( via Galaxy )
  2. What domain prefix are people using when they host their mobile apps? Is “app” to easy and insecure?

#2

Hi @krizzii,

I have same problem and don’t know how I can prevent user to access application through web browser.

  1. Is there a way to block web browser to access it ( via Galaxy )

But I think maybe it’s possible to handle this by move some important code to isCordova block to prevent load on web browser.

But I don’t know which part of application is better for moving into isCordova block.

Maybe application routes or
Maybe controllers subscription or

It’s only my idea. :wink: I’m so happy if other guys share their experience about this question.

  1. What domain prefix are people using when they host their mobile apps? Is “app” to easy and insecure?

I think it’s not matter which sub domain (prefix) you are using, because it’s possible to see list of all sub domain with simple DNS lookup.


#3

@krizzii,

In line with @cyclops answer, you could check Meteor.isCordova. Essentially you could block your router (FlowRouter if you are following the guide) to prevent a browser from rendering the page.

Personally, I use the online version of our app to check the admin side, so I don’t necessarily want to block it, just limit it.


#4

So this should work and only works in mobile?

if (Meteor.isCordova) {
    Router.route('/', {
        name: 'start',
        layoutTemplate: ''
    });
}

#5

Why are you trying to block access via the web browser? If it’s just because your client side isn’t designed/optimized for the browser (and your server will block any erroneous calls) then a simple check of Meteor.isCordova that determines which template to render should be fine.

However you’re asking if app.mydomain.com is insecure - those who are dedicated to accessing your application from a browser will be able to 1) spoof the necessary environment variables to use your client or 2) access your methods directly through their own client.

There’s nothing you can do to 100% verify they are using only the client you want them to.


#6

Found a solution for this using Amazon Bucket Policy :slight_smile:

{
	"Version": "2012-10-17",
	"Id": "http referer policy example",
	"Statement": [
		{
			"Sid": "Allow get requests originating from www.example.com and example.com.",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::yourbucket/*",
			"Condition": {
				"StringLike": {
					"aws:Referer": [
						"http://meteor.local/*",
						"http://localhost:12528/*"
					]
				}
			}
		}
	]
}

Final question: Is localhost:12528 always used for Meteor 1.3 apps?