6

I would like to be able to read a device UUID from an iOS device in a webpage. I understand it is not possible using JavaScript for obvious security issues but I use testflight every day and I can see that they do have access to devices uuid.

It looks like they do so by installing a kind of provisioning profile on your iPhone when you register your device.

What kind of certificate/ provisioning profile should I use to do something similar ?

I would then be able to link a device UUID to a webpage session. I understand that this requires acknowledgement from the users which is completely ok for me.. I am not trying to find a way around the fact that we cannot access device uuid from code, I am asking this because I know testflight is doing this

rpechayr
  • 1,282
  • 12
  • 27

1 Answers1

3

Ok! I think I get it now.

You're right, the UDID is, of course, not sent by the browser. I was convinced too it was getted by a security flaw of Safari, or something like that, because testflightapp adds an unique ID similar to UDID, but no.

What they actually do, is generate a new DeviceID (not related with UDID). Then, to register the device, they generate a profile specifically made to this DeviceID, that contains an Enrollment Payload that enrolls the device against an URL that contains this DeviceID generated by testflightapp.

In this enrollment process, the device is asked by the profile, to send the UDID (plus other data). This is the info the profile asks for:

<array>
    <string>UDID</string>
    <string>IMEI</string>
    <string>ICCID</string>
    <string>VERSION</string>
    <string>PRODUCT</string>
    <string>MODEL</string>
    <string>DEVICE_NAME</string>
</array>

So, when the device asks to the testflightapp server to enroll this device, they're able to relate that DeviceID stored in the profile, with the actual UDID of the current device. That's how they show in the browser that the process is completed and keep the UDID.

But, this doesn't complete the answer, because I've don't solved (yet) how they actually relate this web session with the UDID, even when the session deads, and the DeviceID goes orphaned. The answer seems to be (not confirmed, but 99% sure!) that the enrollment process allows to define a WebClip to be inserted in your Springboard menu. This WebClip has in the URL written the UDID of the device, so any time you get into the testflightapp through this WebClip, you're refreshing to the session your UDID number, so doesn't matter if the session dies.

Hope my post helps now! Sorry again for the uncomplete-misinformed previous one.

Gonzalo Larralde
  • 3,523
  • 25
  • 30
  • Sounds really good. Did not check this myself because yet since I am not in the process of implementing such a feature. Thank you ! – rpechayr Mar 10 '12 at 17:18
  • I'm looking at this exact area at the moment. I believe the webclip specifies signing info that matches a URL (in this case *.testflightapp.com), and any time iOS Safari hits a URL that matches that pattern, the signing info is also sent. And that signing info ties your request to your UDID/your account. – occulus Mar 04 '13 at 11:30
  • If you look at the WebClip's URL for the springboard shortcut, the URL doesn't contain any user info. They rely on the signing cert, as previously mentioned. – occulus Mar 04 '13 at 11:31