Store UIDevice identifierForVendor in keychain rejection risks
Question
I need to be able to identify an iOS device across uninstalls/reinstalls. To do so, I plan to store the identifierForVendor in the keychain at first install, and retrieve it on following installs. Is there any risk of being rejected of the AppStore by doing so?
I've seen several questions about that so I guess it would be allowed, but the Developer Program License Agreement states that:
Further, neither You nor Your Application will use any permanent, device-based identifier, or any data derived therefrom, for purposes of uniquely identifying a device.
I could also use a NSUUID instead, would it be safer?
Edit: add some context for answers suggesting to implement a login.
My app already has an identification system (with a login). It allows the user to connect to his account, and he should be able to see a list of the devices linked (ie from which he did connect at some point) to its account, in order to monitor or to unlink them. The problem is that the identifierForVendor changes after an uninstall/reinstall of the app, leaving a "ghost" device in the user's list. Storing and retrieving it would allow a reinstall of the app not to be considered as a new device. It would only be used for this, and not for advertising or tracking in any way.
2 answers
solution1
0 2017-05-18 14:37:38
You may generate a device-id(->similar to UUID) on the server and store that in Keychain of iOS. If your app is reinstalled on the device and you find that device-id in the keychain, then you will be able to identify the device.
solution2
0 ACCPTED 2017-05-18 16:23:25
TL;DR: Storing UUID in phone's Keychain will not get your app rejected. So don't worry.
The UUID you're trying to use is NOT a permanent identifier as we know, and storing them does not violate the licensing term that you quoted. Apple deprecated UDID 's, MAC addresses, IMEI number etc. to prevent developers from tracking/spamming users based on their unique ID's. This is a privacy problem. Since UUID is a temporary ID, we are free to store them and use them later on, which does not do harm to the user.
I am quoting this from the link from Apple's resources here: Using identifierForVendor
The value in this property remains the same while the app (or another app from the same vendor) is installed on the iOS device. The value changes when the user deletes all of that vendor's apps from the device and subsequently reinstalls one or more of them. The value can also change when installing test builds using Xcode or when installing an app on a device using ad-hoc distribution. Therefore, if your app stores the value of this property anywhere, you should gracefully handle situations where the identifier changes.
-----****UPDATE IN IOS 10.3:****-----
It seems that Apple has made some changes to how Keychain works in iOS 10.3+ . Keychain items stored in the Keychain will be deleted when the all the apps from the specific vendor are uninstalled. According to Apple, the residence of sensitive information of an app even after the app is gone from the device may lead to security risks, so they decided to forbid this kind of behavior.
Developers relying on Keychain storage even after an uninstall for their apps can make use of this WORKAROUND to continue with the intended functionality. According to this workaround, any app can access the information stored in that specific Keychain Access Group, so it is recommended that adding an extra layer of encryption to your data will protect it with even more security, although keychain encrypts items by default.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.