1

Can we ensure that no one can change the device UDID by hacking the OS of an iPhone or iPad? We are using that UDID for authentication of our users, and we want to know that hackers won't be able to change it to gain access to our system.

AstroCB
nath

3 Answers

3

Don't do this! And no, you can't tell that.

UDID is deprecated in userland.

Jailbroken UDID fakers do exactly that. They intercept calls to UDID via mobile substrate and return their own value. The only thing you could do is detect jailbroken phones and block them completely.

Also, how would you tell if they had a proxy between the app and the internet connection and changed this value on the fly?

Brian Webster
j_mcnally
  • Bring your art back if you want, it is pretty neat, but I think the answers are easier to read without. – Brian Webster Mar 14 '13 at 04:59
  • @j_mcnally how to detect if a device is jailbroken? – nath Mar 14 '13 at 05:18
  • That's not a real solution because they could swap the data with a proxy. – j_mcnally Mar 14 '13 at 05:24
  • http://stackoverflow.com/questions/413242/how-do-i-detect-that-an-sdk-app-is-running-on-a-jailbroken-phone if you must. But you're going down a bad and lonely road..... UDID is deprecated by Apple and has been proven to be a horrible source for identifying and worse for authenticating a user. – j_mcnally Mar 14 '13 at 05:26
1

From iOS 5 onwards the iOS device UDID is deprecated for developers. See the link below for more details on alternatives for generating the UDID: UIDevice uniqueIdentifier Deprecated - What To Do Now?

Community
Bhanu Prakash
0

As it stands, it is unclear what you mean by "we are using that UDID for authentication of our users." Does that imply that only UDIDs originating from devices you've preapproved to communicate with your servers can access it? If a hacker presents a "changed UDID" to your system, how would that grant access? If you are obtaining the UDID through Apple's APIs (which are deprecated and will likely result in a flag when you get the application reviewed), you are at the mercy of whatever that given API returns to you. How else would you obtain the UDID?

In general, it's not a good idea to use a single technology to prevent hacking. Simply passing a UDID that is known to your backend should not be sufficient to gain access. You might consider other mechanisms such as client-side SSL certificates (only clients with the given certificate can present themselves to your servers, etc.) or a secure token vendor.

Joe
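
An added example (not part of the original answers) of the point that presenting a known UDID should not be sufficient: a server check that trusts a claimed identifier, beside an HMAC challenge-response used here as one stand-in for the "secure token" idea. The function names, the sample identifier and the in-memory key store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: an identifier and a per-device secret issued at enrollment.
ENROLLED_UDID = "constructed-udid-0001"
DEVICE_KEYS = {ENROLLED_UDID: secrets.token_bytes(32)}  # hypothetical server key store
_pending = {}  # device_id -> outstanding one-time nonce

def naive_login(claimed_udid: str) -> bool:
    """Weak: accepts any request that merely states a known identifier."""
    return claimed_udid in DEVICE_KEYS

def issue_challenge(device_id: str) -> bytes:
    """Server side: hand out a fresh random nonce, valid for one attempt."""
    nonce = secrets.token_bytes(16)
    _pending[device_id] = nonce
    return nonce

def sign_challenge(device_key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Client side: prove possession of the enrolled key without sending it."""
    return hmac.new(device_key, device_id.encode() + nonce, hashlib.sha256).digest()

def verify_response(device_id: str, response: bytes) -> bool:
    """Server side: recompute the MAC; the nonce is consumed even on failure."""
    nonce = _pending.pop(device_id, None)
    key = DEVICE_KEYS.get(device_id)
    if nonce is None or key is None:
        return False
    expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    results = {"naive_with_only_udid": naive_login(ENROLLED_UDID)}
    # The enrolled device holds the key and answers the challenge.
    nonce = issue_challenge(ENROLLED_UDID)
    good = sign_challenge(DEVICE_KEYS[ENROLLED_UDID], ENROLLED_UDID, nonce)
    results["enrolled_device"] = verify_response(ENROLLED_UDID, good)
    # The same response sent again is rejected: the nonce was single use.
    results["replayed_response"] = verify_response(ENROLLED_UDID, good)
    # A request that carries the identifier but was signed with another key is rejected.
    nonce = issue_challenge(ENROLLED_UDID)
    forged = sign_challenge(secrets.token_bytes(32), ENROLLED_UDID, nonce)
    results["udid_without_key"] = verify_response(ENROLLED_UDID, forged)
    return results

if __name__ == "__main__":
    print(demo())
```

The identifier stays a lookup key only; access depends on a secret the server issued, which a value rewritten on the device or by a proxy does not supply.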