Detect in-app browser (WebView) with PHP / Javascript
Solution 1
I'm not sure about Android, but when you're using the iOS SDK's UIWebView, it sends the name and version of your app as part of the user agent (YourApp/1.0).
You can then use PHP to check if your in-app webview is being used or not:
if (strpos($_SERVER['HTTP_USER_AGENT'], 'YourApp/') !== false) {
    // Request came from your in-app webview
}
I think Android does something similar as well.
Solution 2
Solution code:
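$isWebView = false;
if ((strpos($_SERVER['HTTP_USER_AGENT'], 'Mobile/') !== false) && (strpos($_SERVER['HTTP_USER_AGENT'], 'Safari/') === false)) :
    // iOS in-app: "Mobile/" present, no "Safari/" token (strict === so a match at position 0 is not read as false)
    $isWebView = true;
elseif (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) :
    // Android in-app: the WebView sends an X-Requested-With header
    $isWebView = true;
endif;
if ($isWebView) :
    // Android or iOS Webview
else :
    // Normal Browser
endif;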
Solution 3
For Android WebView, refer to the link from Developer Chrome - https://developer.chrome.com/multidevice/user-agent#webview_user_agent
There are already hints available in the user agent string like "Mobile", "wv".
You may use something like
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Mobile') !== false)
or
if (strpos($_SERVER['HTTP_USER_AGENT'], 'wv') !== false)
to detect if the user is an Android WebView.
ohh2ahh
Updated on July 26, 2022
Comments
-
ohh2ahh almost 2 years
I developed an app for iOS and Android which accesses an HTML file from my webserver using the in-app browser (Webview).
I don't want a user to be able to access this file without using the app. Is there a possibility to detect if the user is accessing the file with the app or directly via a browser on this smartphone / tablet / computer? I think that a solution with PHP is much better, because Javascript can be switched off. At least Google Analytics can differentiate between Safari and Safari (in-app). It should work with every version of iOS and Android.
Thanks for your help.
Solution
After many attempts I finally found a working solution for me!
iOS: You can detect the difference between Safari and the in-app browser using the user agent. Probably there's a nicer solution, but it works.
// Safari (in-app)
if ((strpos($_SERVER['HTTP_USER_AGENT'], 'Mobile/') !== false) && (strpos($_SERVER['HTTP_USER_AGENT'], 'Safari/') === false)) {
    echo 'Safari (in-app)';
}
Android: The package name from the app is stored in the PHP variable $_SERVER['HTTP_X_REQUESTED_WITH'].
// Android (in-app)
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == "com.company.app") {
    echo 'Android (in-app)';
}
As Tim van Elsloo already noted, HTTP headers can be faked and this is not absolutely secure.
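The checks from the answers above, combined into one function and run over constructed sample headers (an added example, not part of the original answers). The function name `classifyClient` is hypothetical, `com.company.app` is the placeholder package name from the answer, and all header values are constructed.

```php
<?php
// Added example (not from the original answers). Header values are client-supplied,
// so the result is a hint for analytics or UI, not an access-control decision.

// $appPackage is a placeholder package name (assumption), as in the answer above.
function classifyClient(array $server, string $appPackage = 'com.company.app'): string
{
    $ua  = $server['HTTP_USER_AGENT'] ?? '';
    $xrw = $server['HTTP_X_REQUESTED_WITH'] ?? '';

    // Exact match: AJAX libraries also send X-Requested-With ("XMLHttpRequest"),
    // so an isset() test alone would misclassify ordinary browsers.
    if ($xrw === $appPackage) {
        return 'android-webview (own app)';
    }
    // Match the "wv" token at the end of the platform section, not any "wv" substring.
    if (preg_match('/;\s*wv\)/', $ua) === 1) {
        return 'android-webview';
    }
    // iOS in-app web views send "Mobile/<build>" without a "Safari/<version>" token.
    if (strpos($ua, 'Mobile/') !== false && strpos($ua, 'Safari/') === false) {
        return 'ios-webview';
    }
    return 'browser';
}

// Constructed sample requests (illustrative values only).
$desktopUa = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36';
$samples = [
    'iOS in-app' => ['HTTP_USER_AGENT' => 'Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B141'],
    'iOS Safari' => ['HTTP_USER_AGENT' => 'Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B141 Safari/8536.25'],
    'Android in-app' => [
        'HTTP_USER_AGENT' => 'Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36',
        'HTTP_X_REQUESTED_WITH' => 'com.company.app',
    ],
    'Desktop AJAX' => ['HTTP_USER_AGENT' => $desktopUa, 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    // Same desktop client with the header typed in by hand: the server sees the same
    // value the app sends, which is why this check cannot gate access to the file.
    'Desktop, header set by hand' => ['HTTP_USER_AGENT' => $desktopUa, 'HTTP_X_REQUESTED_WITH' => 'com.company.app'],
];

foreach ($samples as $label => $server) {
    printf("%-28s => %s\n", $label, classifyClient($server));
}
```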
-
cutsoy about 11 years
Please note that this can obviously be faked by a desktop browser as well (by setting "fake" HTTP headers), so you shouldn't rely on this from a security perspective.
-
ohh2ahh about 11 years
Thanks for your quick help. Unfortunately the user agent does not include the app name. At least not in my attempts.
-
cutsoy about 11 years
Are you using UIWebView? It should be something like: <AppName>/1.0 CFNetwork/459 Darwin/10.2.0. If it's not (which I doubt), then you could always try to do something like stackoverflow.com/questions/478387/… or stackoverflow.com/questions/8487581/….
-
ohh2ahh about 11 years
Yes, I'm using UIWebView and I've tried a bit and my app does not appear in the user agent. I even tried it with the iOS simulator from Xcode and only get something like (from the iPhone 6.1 Simulator): Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B141
Maybe the PHP variable $_SERVER['HTTP_USER_AGENT'] is not correct?