I deployed a web app a couple of days ago and installed Google Analytics on it to track activity.
Almost everyday, I have at least one recorded pageview pointing to a site like www.pornhub-forum.ga/postxxx or www.youporn-forum.ga/topixxxxx, which, when I follow it, obviously points to a porn web site.
How are these pageviews ending up in my analytics data? How can I avoid getting them (if possible)? Does this mean there is a security flaw in my app?
My best guess for how this happens is that there's a robot that is issuing http messages at mywebsite/#/www.pornhub... or that is reading my Google Analytics code to record fake data, but I don't know what they would expect to achieve which such an attack.
This is Ghost Referrer Spam, there's no flaw in your app/site regarding this aspect. They just target random GA tracking-ID's no matter if it's an app or a website, it's called Ghost because it doesn't reach/use your app actually.
You shouldn't worry about security issues but if you want to keep clean your google analytics is better to exclude them from your reports
The only way to stop them for now is by filtering them in Google Analytics you can add a single filter
Go to Admin tab in Google Analytics
Select the View you want to filter > Filter > New Filter
In Filter Type choose Custom Filter > Exclude Filter
Field: Campaign Source
Filter Pattern: Enter youporn-forum.ga or any referral spam that is hitting you
You can also use a more general approach with an Include filter based on Valid Hostnames that will stop this and most of the Referrer Spam without needing to add a new filter every time as new Spammer show up.
You have to make a regex with all your Valid hostnames something like this
example\.com|example\.es|paypal\com|translate\.googleusercontent.com
When you have the regex of all your valid hostnames create an include filter
You can find more information about Referrer Spam and more detailed instructions of these solutions and others here
https://carloseo.com/removing-google-analytics-spam/ (url updated)