Hello There,
I had this same issue and fixed it by the following method.
For example in HTML :
<source src="file.mp4?md5=jobIVRUfgH6USADuWsqJHr818vw&expires=1478192353" type="video/mp4" />
That is what your media stream link would look like.
But if you use JavaScript like the following example :
<script type="text/javascript">
window.onload = MediaReplacement()
function MediaReplacement() {
var _video = "/file.mp4?md5=jobIVRUfgH6USADuWsqJHr818vw&expires=1478192353";
var videoTags = document.getElementsByTagName("source");
videoTags[0].src = _video;
}
</script>
<video width="320" height="240" controls="controls">
<!-- MP4 for Safari, IE9, iPhone, iPad, Android, and Windows Phone 7 -->
<source src="" type="video/mp4" /> <!-- NOTICE HOW I MADE THIS EMPTY BECAUSE JAVASCRIPT WILL INSERT THIS NOW -->
</video>
And you insert your stream link into the page using JavaScript it unlocks the ability to make it hard for their python script to scrape/hotlink/content leech of your web pages.
You can obfuscate JavaScript you can change the var names you can make it incredibly dynamic and difficult breaking their apps completely the more dynamic it is the harder and harder it is for them to obtain your stream links.
Also you should blocked the following two user agents that those apps use.
Kodi
XBMC
(I would suggest making them non case sensitive matches too)
Where I posted in regards to this.
https://forum.nginx.org/read.php?2,270705,270739#msg-270739
https://github.com/C0nw0nk/Nginx-Lua-Secure-Link-Anti-Hotlinking
http://www.networkflare.com/