11

I've noticed that when users on Android-OS devices visit my site, there are constantly two requests happening on each page. The first is the normal browser, and the second is from "Dalvik". Example:

"GET / HTTP/1.1" 200 2126 "-" "Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG SM-G925F/G925FXXU1AOD8 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/3.0 Chrome/38.0.2125.102 Mobile Safari/537.36" 1229 2802

"GET / HTTP/1.1" 200 2117 "-" "Dalvik/2.1.0 (Linux; U; Android 5.0.2; SM-G925F Build/LRX22G)" 546 8729

From my understanding of this, the first request is from the actual browser, and the other is from the virtual machine (Dalvik) running the browser. The problem is that the Dalvik request doesn't use the same cookies, and/or POST data, and this triggers errors server side. An example would be when a user registers an account. The normal browser sends through POST data, but the Dalvik request just does a GET on the action URL. Similarly, if a user is logged in, Dalvik will try a GET on a permission-based page, which may redirect it somewhere else because there's no session for it.

The user doesn't experience any real problems (from what I can tell), however, we notice the attempts in our error logging. So my question is: Can I safely block all access attempts if the browser agent indicates "Dalvik/..*"? Will there be any adverse effects for the user? Considering that the Dalvik-related requests aren't actually reposting the real data or carrying a session, it seems unlikely. But hoping someone with more experience with Android can provide some feedback on it, for example, should I issue a specific HTTP header/status code, like "401 Unauthorized" or "400 Bad Request"?

Any help would be appreciated.

Praemon
  • See: https://stackoverflow.com/questions/23804278/browser-sending-dalvik-as-user-agent – hsluoyz Aug 28 '19 at 15:28
  • I've been seeing this ID string on accesses to port 8000 streaming servers (so always 200's), most often identifying as LG and Huawei models, and most of the traffic coming from Philippines and China. I see much more than two duplicate gets... I see gets happening till the client appears to run out of bandwidth: around 80 or so simultaneous gets. Haven't started blocking yet, but monitoring, and seeing steadily increasing numbers of these. Eventually it will amount to a DDoS attack. – Hugh Buntu Mar 31 '20 at 00:53

2 Answers

3

This happens whenever a browser/WebView cannot render a particular server response (maybe it's a PDF, or a streaming server, or whatever) and then triggers an intent to the operating system to open another application. The VM (Dalvik) is what handles this routing, and in the process, may download the file to the device so that the other application can access it (normally, applications cannot access one another's files, but the other application needs the file to render it).

Crucially, it downloads the file before launching the intent, and the file ends up downloaded twice: once by the browser to figure out it doesn't know how to handle it, and once by Dalvik so it can pass a file:// URL to an application you might or might not launch.

ZiggyTheHamster
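
An added example, not part of the question or of either answer: a Python log-triage sketch that applies the explanation above by pairing each Dalvik-agent request with a preceding browser request from the same client IP, path, Android version and build ID. The combined log format, the 30-second window, and the sample IPs, timestamps and /stream path are assumptions; the two user-agent strings are the ones quoted in the question.

```python
import re
from datetime import datetime, timedelta

# Assumption: Apache/nginx "combined" log format; the question shows only the tail of each line.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                  r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Both agent shapes are taken from the two log lines quoted in the question.
DALVIK = re.compile(r'^Dalvik/[\d.]+ \(Linux; U; Android (?P<ver>[\d.]+); .*Build/(?P<build>[\w.]+)\)')
BROWSER = re.compile(r'^Mozilla/.*Android (?P<ver>[\d.]+); .*Build/(?P<build>[\w.]+)\)')
WINDOW = timedelta(seconds=30)  # assumed pairing window, tune to your traffic

def classify(lines):
    """Split Dalvik-agent requests into (paired, unpaired) lists of (ip, path)."""
    last_browser = {}  # (ip, path, android version, build id) -> time of last browser hit
    paired, unpaired = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        browser, dalvik = BROWSER.match(m['ua']), DALVIK.match(m['ua'])
        if browser:
            last_browser[(m['ip'], m['path'], browser['ver'], browser['build'])] = ts
        elif dalvik:
            seen = last_browser.get((m['ip'], m['path'], dalvik['ver'], dalvik['build']))
            is_pair = seen is not None and timedelta(0) <= ts - seen <= WINDOW
            (paired if is_pair else unpaired).append((m['ip'], m['path']))
    return paired, unpaired

# Constructed sample: user agents copied from the question; IPs, timestamps and /stream are made up.
BROWSER_UA = ('Mozilla/5.0 (Linux; Android 5.0.2; SAMSUNG SM-G925F/G925FXXU1AOD8 Build/LRX22G) '
              'AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/3.0 '
              'Chrome/38.0.2125.102 Mobile Safari/537.36')
DALVIK_UA = 'Dalvik/2.1.0 (Linux; U; Android 5.0.2; SM-G925F Build/LRX22G)'
SAMPLE = [
    f'192.0.2.10 - - [01/Jun/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 2126 "-" "{BROWSER_UA}"',
    f'192.0.2.10 - - [01/Jun/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 2117 "-" "{DALVIK_UA}"',
    f'198.51.100.7 - - [01/Jun/2015:10:05:00 +0000] "GET /stream HTTP/1.1" 200 512 "-" "{DALVIK_UA}"',
]

if __name__ == '__main__':
    paired, unpaired = classify(SAMPLE)
    print('paired with a browser request:', paired)
    print('no matching browser request:', unpaired)
```

Paired hits match the duplicate fetch described in the answer and can be filtered out of error reporting; unpaired hits have no browser request behind them and are the ones worth counting per client.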
0

This is the Linux shell for Samsung phones. My OS is listed as "Linux 3.4.0-7500527 (Dalvik 2.1.0)" and it's a Samsung Galaxy S5. Could you set up a duplicate of your site (even minimal) with the gets receiving a 501, perhaps? With that, it should be easy to find out.