Forum Discussion

Alfonso_Santia2's avatar
Alfonso_Santia2
Icon for Altostratus rankAltostratus
Jan 17, 2021

Block access to apps by browser. Allow only iPhone or Android accesss

Customer has an application that they want access only through the mobile device app.

They have recently found that the application can be accessed through any browser.

We have configured the following iRule but it is not working:

 when HTTP_REQUEST {

  if { ([HTTP::header User-Agent] contains "iphone") or ([HTTP::header User-Agent] contains "Android") } {

  HTTP::redirect http://www.oursite.com}

  if { ([HTTP::header User-Agent] contains "(IE|Mozilla|Safari|Chrome|Opera)") } {

  drop

  }

  }

 

Any ideas how to achieve this?

 

Thanks

  • Hi Every One ,

    We have about the Same requirement , Please update irule above works or face some problem.

     
  • Hi Alfonso,

    this iRule should work. However I strongly discourage the use of it. User-Agent Headers can be forged easily. Anyone who knows how to access Developer Tools in a browser can change his User-Agent string to whatever they want.

    when HTTP_REQUEST {
        if {([string tolower [HTTP::header "User-Agent"]] contains "iphone") || ([string tolower [HTTP::header "User-Agent"]] contains "android") } {
            return
        } else {
            reject
        }
    }
    • Alfonso_Santia2's avatar
      Alfonso_Santia2
      Icon for Altostratus rankAltostratus

      Hello Daniel,

       

      Thanks for your reply. Will try this out but gave caution to customer as well.

      What do you suggest how best to go about this requirement - allow only the access through mobile app (iPhone and Android) ?

      • jaikumar_f5's avatar
        jaikumar_f5
        Icon for MVP rankMVP

        I assume even with APM, its still going to check the user-agent variable & thats going to validate against if it contains "iPhone"  or "android" as such. I think WAF would have this advanced detection.

         

        But if the requirement is to allow mobile users alone, then the Irule should work. Anyone who knows to tamper the header, can still get the data.

         

        Is the application internal or external facing ?