1

We are building a web based system where there are money involved and we want to avoid fraud implementing a system that is able to identify the IOS device from where the requests are sent.

The reason of this security is because we offer money for execute actions from a mobile and we only want the user to obtain the money once, if we are not able to identify the device the user can execute the action several times.

This unique identifier can use any HTML, JS, server side technique, but not any native IOS call due the application is web based and it runs in a normal Safari instance.

The unique identifier is not needed to be the official UUID.

The system doesn't need to be bullet-proof just a few more difficult to cheat than a normal cookie.

The system should works in separate sessions, like if the user comes back after one week.

Heuristic based systems are welcome, also any combination of LocalStorage with Cookies, ...

fguillen
  • 36,125
  • 23
  • 149
  • 210
  • Are you going only generate UUID or save it and share with other apps? If only generate - you can find this link useful: http://stackoverflow.com/questions/105034/how-to-create-a-guid-uuid-in-javascript – Orange Oct 16 '12 at 10:07
  • @Orange: I need to identify the device, I can't use these functions because they generate different chains any time they are executed. – fguillen Oct 16 '12 at 13:33

1 Answers1

1

The only ways you can identify a unique user/device in a web application is to use cookies and or track the user's IP address.

Of course, the IP address of a device will change as the owner moves around and cookies can be cleared/disabled or will expire after a set time.

Letting web sites access a device unique identifier such as the UDID would be a huge security risk / privacy invasion. If you were to find such a way, I would say that you found a severe security hole in iOS.

If you are only interested in triggering i.e. an email alert when an account is suspected of being stolen, you could use a heuristic based on device type (user agent string) and geo-ip-lookup to detect if the user has suddenly changed device type and continent and ask the user to confirm that this is really the case. I believe this is what e.g. Google and Facebook does.

Krumelur
  • 31,081
  • 7
  • 77
  • 119
  • In our team we are working in a very creepy system based on certificates, but I don't like due it is very ugly and over-engineering – fguillen Oct 16 '12 at 10:08
  • Yes, client side certificates is definitely a way of identifying the user, but the user is still free to move/remove them at will. – Krumelur Oct 16 '12 at 10:10
  • Heuristic based systems are welcome but they have to be precise enough to differentiate two devices, and to identify the same device without mistake. – fguillen Oct 16 '12 at 13:40
  • The reason of this security is because we offer money for execute actions from a mobile and we only want the user to obtain the money once, if we are not able to identify the device the user can execute the action several times. – fguillen Oct 16 '12 at 13:41