Develop Reference

How to read data sent to app-measurement from firebase

I'm trying to do a network analysis of an Android app to see what information Firebase is collecting. I'm doing a man-in-the-middle using Fiddler and can observe pings to Firebase's app-measurement server. But when I decrypt the content to try to see what's being passed, it looks like the message is encoded or compressed somehow. The messages look like this when opened in a text editor:
POST https://app-measurement.com/a HTTP/1.1
Content-Length: 761
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; Google Nexus 6 Build/LMY47D)
Host: app-measurement.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
öR
_c
_oauto
_r
_pfo
_sys
_uwa
_sysu _fΞ¶Þ. "
_oauto
_et_eΞ¶Þ. D
_si¹þ½‚ÌÓ¹¨_vsÓ랶Þ. ÎÏž¶Þ.Ξ¶Þ._fot €ºÀ¶Þ.Ξ¶Þ._fi ³Ÿ¶Þ._lte œ ²Ÿ¶Þ.(Ξ¶Þ.0Ó랶Þ.BandroidJ5.1RGoogle Nexus 6Zen-us`Ôýÿÿÿÿÿÿÿjmanual_installr<my-app-bundle-name>‚4.6.19166.0322ˆÄwÄwª <text here>°ñÊîüƒÝÏʸÊ'1:849883241272:android:<my-aaid> òdVZyNR1YbAMøºç’1d5adf7b1442fe22˜ŽºªÜàÙè  ð
Is anyone familiar with this encoding? How can I decode to view the raw text? I've tried gzip, but that doesn't seem to be it. Thank you!

It's not compressed or really obfuscated in any way. You can see plaintext data right there in the payload if you look carefully. What you're capturing is almost certainly a protobuf in binary form, and you'll have to get a hold of the protobuf definition in order to decode it without putting in the work to reverse engineer it. That's not something Google discloses for API endpoints that are not publicly documented.

google pagespeed service returns 503 hovewer site is online

I have strange problem, cause I don't know how to get background request
I have newly updated site "whitestudio.org", and trying to test in the mentioned above service. Hovewer, google return me 503 response message. Don't know what to do.
Also, tried to test from command line, tested with success. Can anyone help me?
curl -H "Mozilla/5.0 (compatible; GoogleBot/2.1; +http://www.google.com/bot.htm)" whitestudio.org

By the way pagespeed bot header for mobile is
Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko; Google Page Speed Insights) Version/8.0 Mobile/12F70 Safari/600.1.4
(Wrote for those who want to test in future).
And that error was related to incorrect configured "A" record [DNS configuration - We migrated from one host to another.

Http Batch Response does not complete in Web API 2

HttpBatchResponseMessage responses never fully return on my machine, it only returns the headers but does not complete the request. I tryed the following OData sample, it works just fine on my colleagues machine:
http://aspnet.codeplex.com/SourceControl/latest#Samples/WebApi/OData/v3/ODataEFBatchSample/ReadMe.txt
(super simple to try, download, start, show network requests in the browser or fiddler)
I would really appreciate ideas for further investigations!
The response
from POST to http://localhost:15625/odata/$batch only returns the headers without any content
Cache-Control:no-cache
Content-Length:2114
Content-Type:multipart/mixed; boundary=batchresponse_1c6b4001-17b8-41bb-9579-970cdc358dba
DataServiceVersion:3.0
Date:Tue, 10 Mar 2015 17:03:40 GMT
Expires:-1
Pragma:no-cache
Server:Microsoft-IIS/8.0
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
X-SourceFiles:=?UTF-8?B?QzpcVXNlcnNca2phcnRhblxEb3dubG9hZHNcT0RhdGFFRkJhdGNoU2FtcGxlXE9EYXRhRUZCYXRjaFNhbXBsZVxvZGF0YVwkYmF0Y2g=?=
Figured out ...
The returned headers already tell the length of the response (Content-Length:2114). I tryed to inject some custom classes an figured out:
Works on my colleagues computer
The problem occures when returning a ODataBatchContent, worked as I used a StringContent instead (which doesn't do the job)
The ODataBatchContent serialized perfectly fine when serializing to a MemoryStream
I Tryed
Disabling any Firewall, Antivirus software, Software, etc.
Updating Visual Studio etc., my configuration is nearly identical to the one of from my colleague
Debugging ... a lot
Request
POST to /odata/$batch
Status Code:202 Accepted
Headers:
Accept:multipart/mixed
Accept-Encoding:gzip, deflate
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:no-cache
Connection:keep-alive
Content-Length:1201
Content-Type:multipart/mixed;boundary=batch_b58d-91a6-2b46
DataServiceVersion:1.0
Host:localhost:15625
MaxDataServiceVersion:3.0
Origin:http://localhost:15625
Pragma:no-cache
Referer:http://localhost:15625/Index.html
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Thanks.

Firefox not using cached copy of file after 304

I'm seeing a behaviour in Firefox which seems to me unexpected. This is not particularly repeatable (unfortunately) but does crop up from time to time. Once it starts, it is repeatable on refreshing the page until a full refresh (ctrl-f5) is done. Last time, I managed to get a trace.
Basically, FF4.0.1 is requesting a resource (from an ASP.NET MVC 3 application running under IIS7):
GET http://www.notarealdomain.com/VersionedContent/Scripts/1.0.40.5653/jquery.all.js HTTP/1.1
Host: www.notarealdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.notarealdomain.com/gf
If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
It then gets the following response from the server (via a proxy, but I can see in the IIS server logs that the request was made all the way to the server):
HTTP/1.1 304 Not Modified
Date: Mon, 09 May 2011 14:00:47 GMT
Cache-Control: public
Via: 1.1 corp-proxy (NetCache NetApp/6.0.3P2D5)
This seems reasonable - the client makes a conditional request (if-modified-since), and the server responds "ok - use your copy" (304 Not Modified).
The problem is that the client in this case then does not dish up the file - it behaves as if there was no content (ie if an image, it doesn't appear, if js it behaves as if the .js file is missing on the page, if .css then the page renders without the css styles, etc). This is apparent on both the web page itself, and also when using the excellent HttpWatch tool. HttpWatch clearly shows that the browser did have the item in cache, but didn't use it as the content source.
What am I missing here? The above conversation seems reasonable, so why does FF make a conditional request and then not use its cached copy when told to do so? If you then ctrl-F5 to force a full refresh, the behaviour goes away, and only returns sporadically.
We also have some anecdotal evidence that this occurs with FF3 and Chrome too, but we haven't confirmed this with any forensic data.
Has anyone else seen this, and does anyone know what might be going wrong, or what further steps might isolate the problem?

OK - I got to the bottom of this problem. As ever - the answer was staring me in the face!
The problem was not with the caching behaviour at all. Another part of the system was sporadically failing and writing out a zero length file - which was being cached by Firefox.
So when Firefox sent a conditional request to the server and received it's 304/Not Modified, it dutifully went off and used the corrupt zero length version of the file that it found in its cache.
All the signs were there for me to see - it just took a bit of time to get there :)
Thanks all, for your comments and suggestions.

Is there a good reference guide for deciphering http user-agent strings?

We're getting some odd errors reported on our website, and are trying to find out some details on who is doing the looking. I'm looking at a sample user-agent strings and seeing things like:
Mozilla/5.0 (Windows; U; Windows NT6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
Now some of this is obvious, but some of it is less so ("U"?) From the pattern of the hits, I'd suspect that this was a robot, but I don't see anything that I recognize in this string to clue me in to that. I'd like to know what some of the things in this (and other different) strings mean. Is there a comprehensive reference somewhere?

This Wikipedia page gives a good overview, and describes the meaning of the 'U' attribute as well.

User-agent strings (as all request headers) are not to be trusted at all, but I recommend www.useragentstring.com as a reference for helping you determine the patterns you're interested in.

The U stands for security as the Mozilla User Agent String Reference states. The link to wikipedia has been provided by somebody else already
In future I suggest you use these two sites
http://www.useragentstring.com/
http://www.browserscope.org/

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
This is my current user agent.
Mozilla/5.0 - browser
Macintosh - platform
U - 256 bit encryption supported
Intel Mac OS X 10.5 - my operating system
en-US - language
rv:1.9.0.11 - revision
Gecko/2009060214 - rendering engine
Firefox/3.0.11 - browser version

Robots can fake User-Agent strings, so what it declares is irrelevant. It can simply be done with e.g. curl -A user-agent-here.