
I have a bit of a conundrum. I am currently in the initial design phase of creating a mobile app. What I would like to do is have it so that a user goes through a login page while connected to the internet. After being verified, the app is basically downloaded to their iPad using HTML5's caching abilities.

Ultimately, what I would like to do is limit this to select devices prior to any visitor going to the login page. This would probably involve verifying a database of the allowed devices on the web server with the device's unique identifier (UDID). Has anyone really explored this? Is it even possible?

I would be using a combination of PHP, MySQL, and htaccess.

pjs
John Smith
  • I don't think there is a way to reliably restrict access this way, but I don't have iOS development knowledge... However, from this, my initial thought would be going towards some form of one-off authentication via HTTPS during installation and local storage of a unique session identifier, and then restricting access based on this unique session. – cyber-guard Nov 12 '13 at 23:19

1 Answer


Apple no longer accepts apps in the app store that access the UDID. Instead, use identifierForVendor.

If you simply send the vendor ID from your app, be sure to use HTTPS and verify the SSL certificate on the server to ensure that you are connecting to your own server. Otherwise, people can perform their own man-in-the-middle attack and use any ID that they sniff off the wire or that is shared by another user.

A cracker won't be able to defeat this short of modifying the code, which would require a jailbroken device anyway, since every app on the app store is signed.

Note that the vendor ID can change when the app is uninstalled, so you should code it so that the user authenticates on each new install of the app.

Community
Marcus Adams
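A server-side sketch of the check discussed in the answer and comment above, in the PHP the question names. It is an added example, not code from either poster: the table names, column names, function names and sample rows are constructed, the app is assumed to send its `identifierForVendor` UUID string along with the login, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example. Schema, names and sample rows are constructed for illustration.

function openDemoDb(): PDO {
    // In-memory SQLite stands in for the MySQL database (assumption, for offline use).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE allowed_devices (vendor_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
    $db->prepare('INSERT INTO users VALUES (1, ?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $db->prepare('INSERT INTO allowed_devices VALUES (?, 1)')
       ->execute(['6F9619FF-8B86-D011-B42D-00C04FC964FF']); // constructed sample ID
    return $db;
}

/** Returns a fresh session token when device and credentials both check out, else null. */
function loginFromDevice(PDO $db, bool $isHttps, string $vendorId, string $user, string $password): ?string {
    // In a real request, derive $isHttps from the server environment, e.g. $_SERVER['HTTPS'].
    if (!$isHttps) {
        return null; // never accept the ID or password over plain HTTP
    }
    // identifierForVendor is a UUID string; reject any other shape before querying.
    $vendorId = strtoupper(trim($vendorId));
    if (!preg_match('/^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$/', $vendorId)) {
        return null;
    }
    // Prepared statement: the device must be allowlisted for this specific user.
    $stmt = $db->prepare(
        'SELECT u.pw_hash FROM users u JOIN allowed_devices d ON d.user_id = u.id
         WHERE u.name = ? AND d.vendor_id = ?'
    );
    $stmt->execute([$user, $vendorId]);
    $hash = $stmt->fetchColumn();
    // The vendor ID can be copied or shared, so it narrows access but never replaces the password.
    if ($hash === false || !password_verify($password, (string) $hash)) {
        return null;
    }
    // Random session token: store it server-side and keep it in the app's local storage.
    return bin2hex(random_bytes(32));
}

$db = openDemoDb();
$known = '6F9619FF-8B86-D011-B42D-00C04FC964FF';
var_dump(loginFromDevice($db, true, $known, 'alice', 'correct horse') !== null);
var_dump(loginFromDevice($db, true, '00000000-0000-0000-0000-000000000000', 'alice', 'correct horse') !== null);
var_dump(loginFromDevice($db, false, $known, 'alice', 'correct horse') !== null);
```

Because the vendor ID can change on reinstall, a rejected device should fall back to whatever re-enrolment step updates `allowed_devices`, rather than being treated as a permanent denial.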