Uniquely identify iPhone device with UUID
Question
I have done a lot of researches to find a solution on how to uniquely identify an iPhone device. If the user go to General > Reset > Erase All Content and Settings even if i use the Keychain to store the UUID, and store it in a back end server, i will no more be able to identify that user device.
The last solution i have found is the Framework , DeviceCheck . Does anyone has experience with it and can tell me if after the user wipe his device, the mechanism of token generation with a server-to-server API provided by this Framework could help me to solve this issue? or is the same as the Keychain road where you can't save persistently data after the user have done a wipe of the device?
2 answers
solution1
3 2018-12-06 11:53:35
Usage of UDID on iOS has security and privacy issues. Apps that use UDID can expose data of previous owner to the new owner which is a big issue. Because of this, Apple removed developer access to UDID. Trying to uniquely identify iOS device is playing with fire with Apple's App Store review process. At any time app can be banned.
Quote from Secure Mobile Development Best Practices (Limit Use of UDID)
Details
Most mobile devices have a unique ID, also called a Universal Unique Identifier (UUID), assigned at the time of manufacture for identification purposes. For example, iOS devices are assigned what's called a Unique Device Identifier (UDID). The ability to uniquely identify a device is often important to procure, manage and secure data. Developers quickly adopted the UUID and UDID for device identification, which resulted in it becoming a foundation of security for many systems.
Unfortunately, this approach brings with it several privacy and security issues. First, many online systems have connected the UUID of a device to an individual user to enable tracking across applications even when the user is not logged in to the app. This advanced ability to track a user has become a major privacy concern.
Beyond that, apps which identify a person through the UUID risk exposing the data of a device's previous owner to a new owner. In one instance, after re-setting an iPhone, we gained access to the prior user's account for an online music service even though all user data had been erased. Not only is this a privacy issue, it's asecurity threat because an attacker could fake a UUID.
Apple has recognized both the privacy and security risks of iOS's UDID and removed developer access to it. With the UDID out of reach, some developers apply other device-identification methods involving the MAC address of the wireless network interface or OpenUDID. These methods have now been banned at the system/API level and are also flagged and rejected as part of the AppStore review process.
REMEDIATION
We recommend that developers avoid using any device-provided identifier to identify the device, especially if it's integral to an implementation of device authentication. Instead, we recommend the creation of an app-unique "device factor" at the time of registration, installation, or first execution. This app-unique device factor in combination with user authentication can then be required to create a session. The device factor could also be used as an additional factor in an encryption routine.
Since it is not relying on predictable, device-supplied data, exploitation becomes more difficult. By leveraging a challenge-response approach, the server and device can authenticate each other prior to user authentication. To gain system access an attacker would have to exploit both factors. Developers can also implement a feature where the device factor is reset on the client or server side, forcing a more stringent re-authentication of the user and device.
To protect user privacy while preserving advertising capabilities, Apple recommends using the advertisingIdentifier - a unique identifier shared across all apps in the system. A person can reset the advertisingIdentifier on their device at any time in the Settings -> Privacy -> Advertising menu.
solution2
0 2018-12-06 11:29:10
Uniquely identify iPhone device with UUID
==> I like this question. you want to (IMEI+YourID) to create new ID. this ID store and back to open agin compare with this formula.
Note:- Apple is not allow IMEI number use.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.