A web app I'm working on needs to identify devices as either activated or not activated to prevent them from using services that they haven't paid for. Right now, we store it in a webSQL table and if you clear browser settings, you are completely hosed and we have to fix it for you.

Is there a more persistent way to uniquely identify devices to determine their device activation status?

I've been looking into evercookie, but it only took a clear and a few force closes of the browser to kill it on Android (without the force closes, it worked fine even with the browser clear). Better, but not ideal. I do not have an iOS device to test it on but all we really care about are those two.

Are there better options that I don't know about? Is evercookie smarter than what I've currently got or is it unnecessary?

Just some background on the business model we are using. Clients buy device licenses; one device license activates one device (as in one device can now be used, not one account). So multiple devices can be on one account but they need to be activated. So unique accounts are out. We NEED a way to force device activation with a web app.

Will
  • I think that last year's Google I/O Android talks say to not use a global device id in case the device is ever transferred. What I've done is once the device is authenticated, I simply create a private key that is stored in the db and send it over SSL on the first request. That first request then gets a response with a cookie that can be killed when the user quits. – Shellum May 25 '12 at 18:40
  • These licenses are transferable but at OUR discretion. And I don't really see the persistence in your particular method. – Will May 25 '12 at 18:45
  • @MobyD, JavaScript doesn't have access to a unique device identifier like the IMEI, so you're stuck using cookies in some way. I think this would be a neat solution though: write a very simple native app for authentication only that sends you the IMEI and sends them back a short auth code to type into your web app. If they ever clear the cookie for whatever reason just ask them to authenticate again using the other app, issue them a new auth code, etc. – nwellcome May 25 '12 at 18:59
  • @nwellcome I'm beginning to see that. It's not what I had hoped but your solution really is currently the best. It's just a little out of our league at the moment given that we have zero experience in Android/iOS development. Thank you though. – Will May 25 '12 at 19:07
  • @MobyD, my solution is similar to nwellcome's. In both instances, you need to pair the device using an app that can persist some sort of key (like a cookie) that will persist in app memory. I think it is a common scenario, but you would need some basic Android programming experience. – Shellum May 25 '12 at 19:23
  • @MobyD, check out PhoneGap, that will let you create a native app using mostly JavaScript and HTML like a web app, it's actually fairly quick to get up and running with. I wouldn't know how to write something like Chuck Norris's persistent app or Pulsar's thin wrapper with PhoneGap, but my authentication app would be fairly simple. – nwellcome May 25 '12 at 19:59
  • What solution did you go for in the end? – Adam Marshall Mar 18 '14 at 15:45
  • @AdamMarshall The requirement was dropped. It caused too many headaches to be worth it. – Will Mar 18 '14 at 16:10
  • I think that is where I am at as well, thanks :) – Adam Marshall Mar 18 '14 at 16:18
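
The pairing flow nwellcome describes in the comments above, sketched server-side as an added example (not code from any poster in this thread): a native helper reports a device identifier, the server hands back a short one-time code, and the web app trades that code for a signed cookie. The function names, the 8-digit code, the 5-minute lifetime and the in-memory tables are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
CODE_TTL = 300                        # assumption: pairing codes live 5 minutes
licensed = {"acct-1": 2}              # constructed data: account -> licenses bought
activated = {"acct-1": set()}         # account -> device ids holding a license
pending = {}                          # code -> (account, device_id, expiry)

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def _has_room(account, device_id):
    # A device that already holds a license may re-pair after a cookie wipe.
    devices = activated[account]
    return device_id in devices or len(devices) < licensed[account]

def issue_code(account, device_id, now=None):
    """Native helper reports the device id; server returns a short code."""
    now = time.time() if now is None else now
    if not _has_room(account, device_id):
        raise PermissionError("no free device license on this account")
    code = f"{secrets.randbelow(10**8):08d}"
    pending[code] = (account, device_id, now + CODE_TTL)
    return code

def redeem_code(code, now=None):
    """Web app submits the typed code; returns a signed cookie value or None."""
    now = time.time() if now is None else now
    entry = pending.pop(code, None)   # single use: removed whether valid or not
    if entry is None or entry[2] < now:
        return None
    account, device_id, _ = entry
    if not _has_room(account, device_id):  # re-check: licenses may have filled up
        return None
    activated[account].add(device_id)
    payload = f"{account}:{device_id}"
    return f"{payload}:{_sign(payload)}"

def check_cookie(cookie):
    """Per-request check: signature is genuine and the device is still licensed."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return False
    account, device_id, sig = parts
    good = hmac.compare_digest(sig.encode(), _sign(f"{account}:{device_id}").encode())
    return good and device_id in activated.get(account, set())
```

Because the license is tied to the device id on the server rather than to the cookie, clearing browser data only costs the user another pairing round and does not consume a second license.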

1 Answer

There have been several discussions about this regarding Android at least.

From the official blog, bringing up some of the issues:

http://android-developers.blogspot.se/2011/03/identifying-app-installations.html

Then also refer to this Stack Overflow question and don't only read the first answer:

Is there a unique Android device ID?

Mattias Isegran Bergander
  • Native Apps allow a lot of flexibility in this area, Web Apps...not at all. We are avoiding native for the moment. – Will May 25 '12 at 18:45
  • 100% web app or one that can be wrapped in *very* thin app? That could be the solution I mean. Could just get the id and hand it off to the web app using JavaScript. – Mattias Isegran Bergander May 25 '12 at 19:03