
I'm trying to protect offline data stored on mobile devices (android / ios), and part of the protection is to prevent a user from restoring his old data.

Is there some unique value on android / ios that will not change unless a user does a factory reset or uses some sort of image backup-restore? And of course that value should be accessible on an un-rooted device.

I know it is kind of a weird / ambiguous question, but I could not find anything while googling.

Note: I'm not trying to protect against rooted devices, only devices with official images.

Update: As requested in the comments, here is a simple example:

I have 2 mobile devices, with 2 applications, one "client" app and one "server" app. The 2 devices communicate using BT.

When the "client" app first communicates with the "server" app, it receives an encrypted file that contains a number Z.

After that, each transaction between the "client" and the "server" works as follows:

  1. The "client" sends the file to the "server" and deletes the file.
  2. The "server" decrypts the file and decreases the number by 1 (Z - 1).
  3. The "server" re-encrypts the file and sends it back to the "client".
  4. The "client" stores the file for use in the next transaction.

I'm trying to prevent the "client" data restore. For example, the user of the "client" device will create an image of his phone after receiving the file for the first time, and after E transactions, when the file contains the number Z - E, the user will restore his phone back using the backup image.

The "catch" is that it must be done OFFLINE (online would solve it without a doubt).

Ron Dadon
  • Have a look [here](http://stackoverflow.com/q/19402327/1971013). Then, please be more specific, for example with an example scenario, what exactly you want to achieve. Your current story is rather vague. – meaning-matters Nov 30 '16 at 14:51
  • IDFA on iOS. http://stackoverflow.com/questions/12944504/how-to-retrieve-iphone-idfa-from-api – Bhavuk Jain Nov 30 '16 at 14:56
  • @meaning-matters Added an example. Device unique ID is unique for the device as far as I know, so after restoring the device from an image of the device, it will be the same. – Ron Dadon Nov 30 '16 at 15:22
  • @BhavukJain as far as I can see, the IDFA is available only if the user allowed for it, so unfortunately it is not a valid solution in this case. – Ron Dadon Nov 30 '16 at 15:24
  • On iOS you would typically store a value in the keychain, as the keychain isn't backed up or restored. – Paulw11 Nov 30 '16 at 19:52
  • @Paulw11 Thanks, but according to the following SO question, the keychain can easily be backed up and restored: http://stackoverflow.com/questions/18491143/does-ios-keychain-storage-persist-when-restoring-an-app-to-a-new-device – Ron Dadon Nov 30 '16 at 21:14
  • Yes, you are correct; the keychain is restored if the backup is restored to the same device it was backed up from, but not if it is restored to a new device. The issue you have is that you cannot trust any device that the user controls, so an offline solution is probably impossible. In the situation you describe, shouldn't there be an issue when the client contacts the "server" app, since the server will now be expecting "Z-E", not "Z", which causes the transaction to fail? – Paulw11 Nov 30 '16 at 21:25
  • @Paulw11 Thank you, but my bad, I forgot to mention an important part: the "server" has limited memory, and there can be more than 1 server device, and they are not in sync. I guess an offline solution that secures it 100% is really impossible, because every way I can think of, I can also "hack"... – Ron Dadon Dec 01 '16 at 08:56
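
As an added illustration (not code from the question or from any commenter), here is a Python model of the protocol in the question, with a "server" that remembers a per-file nonce so it can refuse a file that has already been spent. It assumes a shared key and HMAC authentication in place of the question's encryption, and it reproduces the two observations made in the comments: a server that keeps the spent-list sees the restored file as a replay, while a second, unsynchronised server accepts it.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo key shared by every "server" app instance (not a real value).
KEY = b"constructed-demo-shared-key"
Z, E = 100, 3  # starting number and transactions done before the rollback

def issue_token(counter: int) -> bytes:
    """Server side: build the file handed back to the client.
    The question's protocol encrypts the file; this example only authenticates
    it (HMAC-SHA256), since rollback is a freshness problem, not a secrecy one."""
    body = struct.pack(">Q", counter) + secrets.token_bytes(8)  # fresh nonce
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

def open_token(token: bytes) -> tuple:
    """Check the tag and return (counter, nonce); raise on a forged file."""
    body, tag = token[:16], token[16:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        raise ValueError("forged file")
    return struct.unpack(">Q", body[:8])[0], body[8:]

class Server:
    """A server device; 'seen' is all the state it needs to spot a replay."""
    def __init__(self):
        self.seen = set()  # nonces of files already spent (grows without bound)

    def transact(self, token: bytes) -> bytes:
        counter, nonce = open_token(token)
        if nonce in self.seen:
            raise ValueError("rollback: this file was already spent")
        self.seen.add(nonce)
        return issue_token(counter - 1)

def scenario(servers_in_sync: bool) -> tuple:
    """Run the question's backup-then-restore sequence against two servers."""
    s1, s2 = Server(), Server()
    if servers_in_sync:
        s2.seen = s1.seen  # one shared spent-list: the 'in sync' case
    client_file = issue_token(Z)
    image = client_file  # user images the phone right after receiving the file
    for _ in range(E):
        client_file = s1.transact(client_file)  # counter is now Z - E
    try:
        s2.transact(image)  # user restores the image and presents it again
        outcome = "rollback accepted"
    except ValueError:
        outcome = "rollback detected"
    return open_token(client_file)[0], outcome
```

The spent-list grows by one nonce per transaction and must be shared by every server, which is exactly the limited-memory, out-of-sync problem the last comment raises.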
