The QR code is deeply rooted in the hearts of the people. Many apps have posted a QR code on the official website that can be scanned and downloaded. The products of my company are no exception. Generally, the URL encoded by the QR code will not directly put the apk but an intermediate address, and then jump to the URL where the apk is located through this intermediate address. There are probably several reasons:
1. Keep the URL as short as possible : the less information, the smaller the size of the QR code, the larger the embedded LOGO, and the higher the recognition rate.
2. Let iPhone and Android download through the same QR code : extract the operating system according to the User Agent at this intermediate address, and then decide to jump to the iTunes Store link, the apk download address or the product introduction page according to the operating system.
3. Facilitate data statistics : Some download statistics functions can be added to this intermediate page. Although it can also be implemented through the Access Log of Webserver, the way of the intermediate page is obviously simpler.
Now, there is a fourth reason: support for WeChat scanning .
When I checked the access log, I found that when the QR code address was scanned by WeChat, the same client would be repeated several times, and in the end they were all downloaded by other browsers. I scanned it with WeChat and found that it was blank .
Readers and friends can pick up the Android version of WeChat 5.0 and "scan" the QR code in the Baidu App Store, if nothing else, it will be blank. It turns out that a whitelist mechanism has been added to apk links in WeChat's "Scan", and only apks under Tencent's own domain name can be downloaded by scanning.
So how to break through this limitation and let WeChat Android version scan and download your apk?
Identify the Android version of WeChat "scan"
First of all, we need to identify the UA of the WeChat Android version in order to prescribe the right medicine. Here the author extracted a paragraph from the access log for reference:
Mozilla/5.0 (Linux; U; Android 4.0.4; zh-cn; GT-I9100G Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 MicroMessenger/5.0.1.352
UA compared to common Android browsers
Mozilla/5.0 (Linux; Android 4.1.1; MI 2 Build/JRO03L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.58 Mobile Safari/537.36
It can be seen that for compatibility, the UA of the WeChat Android version scans the built-in browser (actually Webview) is strictly in compliance with the UA specification, and the browser name "MicroMessenger" and version number are marked at the end, so it is the simplest but cannot guarantee 100 % The correct way is to match the MicroMessenger string, and of course the Android string. The strict method is to parse the UA according to the specification, and judge whether the operating system and browser names match according to the extracted information.
Prescribe the right medicine
After confirming that the current user is downloading the app through the "Sweep" of the Android version of WeChat, the next step is to prescribe the right medicine. The safest way is to publish the app to Tencent's app store, such as App Store, and then parse the address of the QR code on the app store. When the user accesses the middle page through the Android version of WeChat, jump to this address to download normally. .
Another way
If your app is not listed in Tencent's app store, is there no way? You can use the Android version of WeChat to scan the official mail of our company's products and try, our Android client is not on the App Store.
Is it possible to download normally?
In fact, it is very simple, just find an application in the application treasure, such as QQ browser, you will find that its download address is
http://202.112.136.110/files/101800000087A9AC/119.190.4.66/down.myapp.com/android/49367/17002426/com.tencent.mtt_500650.apk
If you haven't seen the trick, you can try to change your http://example.com/download/test.apk to http://example.com/down.myapp.com/test.apk, no You can download it by accident.
Yes, WeChat does not strictly match the domain name, but uses the method of arbitrary string matching. As long as the url contains Tencent's domain name, it can be downloaded smoothly.
Is this design because WeChat developers are lazy? Obviously not, WeChat developers don't even know how to write regular expressions or are too lazy to write them, but there are too many products under Tencent, and many download servers do not have domain names. In order to avoid accidental injury, they have to do this The shield of the blindfolded. It can also be seen from this point that if it is only for security reasons, it is easy to crack its shield.
Although WeChat has hundreds of millions of users, it has no moral bottom line for abusing its dominant market position to suppress competitors' products.