I'm developing an app for my company, and for security reasons I can only allow certain devices to use it. On Android I'm getting the device uuid, so I can uniquely identify it and allow it access to the platform (serverside validation of this uuid). I'm also developing the very same app as a web-app, and for the same security reasons I need to allow only certain pcs to access the platform (even if I'm validating access with username/password, but it's the requirement my boss gave me). So, how can I generate a version 1 uuid using javascript or jQuery? Is it even possible? All I need is a uuid that will be the same everytime I generate it on the same machine.
PS: I can't rely on generating a random uuid and storing it, since my app clears localStorage AND the user can errase cookies.
Related
I'm new in mobile and web development.
We want to give access to some business methods on mobile phones/tablets.
Now a question arose: How to identify a user.
Our users work on jobsites. Even with desktop applications they rarely use user/password combinations (infact most wanted an auto login for a pc, and from there SingleSignOn is used for the program).
So I think based on experience with the users a traditional login mechanism won't be accepted.
However we want to provide at least some basic security. We thought on the following:
A user can log to the server once with a mobile device
Administrator can link the device to an existing user
Afterwards user can just use his device without logon (Identification of user is then done wia some unique identification of the phone)
If we would write programs for each plattform we could (i think) use something like DeviceExtendedProperties.DeviceUniqueId for Windows Phone. Maybe create / store a token and send it to the Server in step 1 which then is used next time for identification.
But we thought it could maybe also be possible without specific applications for the device types and only use of one website for all devices. Therefore we want to use a webpage and jquery mobile to give a more native looking on the diverent devices.
So the problem is: How to identify a phone via web browser?
Is there some cool jquery or javascript function for device identification that i missed?
Or are there better approaches?
How to identify a phone via web browser?
Why not setting a cookie ? Sure the user would have to relog if he uses multiple browsers or disabled cookies, but this is an easy solution.
Here's more information.
We are developing in-house web-based application for viewing data reports while targeting on smartphones and tablets. Our customer asked us for possibility that only certain devices could access the content. Hence we use technologies based on javascript/HTML5 we are no capable of reading unique ID like IMEI or device uuid. The idea is to be able to automatically create time-independent fingerprint of device with above mentioned technologies.
The question is are we able to create unique device fingerprint with javascript/HTML5?
The clue might be information available or known by browser (e.g. http://browserspy.dk/)
You can use the fingerprintJS2 library, it helps a lot with calculating a browser fingerprint.
By the way, on Panopticlick you can see how unique this usually is.
It looks like the phoneGap plugin will allow you to get the device's uid.
http://docs.phonegap.com/en/3.0.0/cordova_device_device.md.html#device.uuid
Update: This is dependent on running native code. We used this solution writing javascript that was being compiled to native code for a native phone application we were creating.
You can use this javascript plugin
https://github.com/biggora/device-uuid
It can get a large list of information for you about mobiles and desktop machines including the uuid for example
var uuid = new DeviceUUID().get();
e9dc90ac-d03d-4f01-a7bb-873e14556d8e
var dua = [
du.language,
du.platform,
du.os,
du.cpuCores,
du.isAuthoritative,
du.silkAccelerated,
du.isKindleFire,
du.isDesktop,
du.isMobile,
du.isTablet,
du.isWindows,
du.isLinux,
du.isLinux64,
du.isMac,
du.isiPad,
du.isiPhone,
du.isiPod,
du.isSmartTV,
du.pixelDepth,
du.isTouchScreen
];
I have following idea how you can deal with such Access Device ID (ADID):
Gen ADID
prepare web-page https://mypage.com/manager-login where trusted user e.g. Manager can login from device - that page should show button "Give access to this device"
when user press button, page send request to server to generate ADID
server gen ADID, store it on whitelist and return to page
then page store it in device localstorage
trusted user now logout.
Use device
Then other user e.g. Employee using same device go to https://mypage.com/statistics and page send to server request for statistics including parameter ADID (previous stored in localstorage)
server checks if the ADID is on the whitelist, and if yes then return data
In this approach, as long user use same browser and don't make device reset, the device has access to data. If someone made device-reset then again trusted user need to login and gen ADID.
You can even create some ADID management system for trusted user where on generate ADID he can also input device serial-number and in future in case of device reset he can find this device and regenerate ADID for it (which not increase whitelist size) and he can also drop some ADID from whitelist for devices which he will not longer give access to server data.
In case when sytem use many domains/subdomains te manager after login should see many "Give access from domain xyz.com to this device" buttons - each button will redirect device do proper domain, gent ADID and redirect back.
UPDATE
Simpler approach based on links:
Manager login to system using any device and generate ONE-TIME USE LINK https://mypage.com/access-link/ZD34jse24Sfses3J (which works e.g. 24h).
Then manager send this link to employee (or someone else; e.g. by email) which put that link into device and server returns ADID to device which store it in Local Storage. After that link above stops working - so only the system and device know ADID
Then employee using this device can read data from https://mypage.com/statistics because it has ADID which is on servers whitelist
Hi I need to implement something to prevent users connect to a webapp, from another computer or mobile that it's not authorized, for example if the user enters the user and password correctly and the computer or mobile its authorized by the company grants permission to access, but if the user is on another computer or mobile device this must to reject the login to the webapp.
Also the user can be connected to internet on any place and use this webapp, but only if is using the authorized devices to do it.
I thought on use the mac address to accomplish this, but I don't know if this is the correct approach.
So anyone have any suggestions?
Edit: This webapp is a in house app, with access to sells and inventory, of the company so the only the devices that are provided by the company can access to the webapp.
The MAC address is a poor choice since it is fairly trivial to forge it (aside from the difficulties in obtaining it via javascript). You're going to have that problem with almost any scheme since you are relying on user-controlled content to tell you that the device is authorized. Cookies, even "random" ones, have the same forgery problem.
How are devices authorized? How secure does it need to be? Why must access be limited to only authorized devices?
I see 2 possibilities here:
This requirement is a misguided attempt to exert control over the end-user of the application and there are no real security issues, beyond those already being addressed via the traditional authentication methods (i.e. login/password).
There is a legitimate need to validate that the device being used by the user meets some level of security (e.g. virus protection, located in a physically secure location, etc.). In that case, I am not qualified to build such a solution (and certainly not in a StackOverflow answer), and, judging from your question, neither are you. Even if you come up with a solution you are convinced is secure, I can guarantee it isn't.
A truly secure implementation would probably make use of public key encryption and some sort of signature from the authorized device. Even that signature could be forged, especially for a browser-based solution, which is why so many companies are interested in the trusted platform module.
You cannot get the mac address of a device directly without access to java plugins, native programming, active x, etc.
The usual way to do something like this (read Facebook detecting when you have not logged in from a location before) os to set a cookie on the devices that are authorized. Store a list of these cookies on the server and check to make sure you are getting the right cookie when the user attempts to use the device. The cookie should be random with little chance of collision. You might even get fancy and update the cookie each time the user logs on with a new value. Basically, what you are looking for is exactly the same as the "Remember Me" login systems.
I made fire fox add-on using java script. I want to give password protection to this add-on. Where can I store the user password permanently ? How can I do this?
The best solution would be to store on an external storage. Just like websites. You send the authentication data, server checks for user and returns true or false. There are a few problems with this. If you want to restrict parts of add-on for non-registred users, that's not possible. The whole code is available to the user and he can modify it.
If you create a website specific add/on search for a data (most likely in the cookies and preferences of the website) that is a secret, unpredictable, unique and uniform for a single user. You can hash that and use it as a password. Along with the username of that specific website. This way you can avoid registration.
Server communication trough HTTP is not too secure, but hey, most websites still use it.
If you don't have an external server available, you can use local storages like a SQLite, or i you have a single password you can use the preferences which are also available under about:config. But these are far from permanent. It's there until the user reinstall operating system, which unfortunately is quite common.
If you want closed source to hide storage mode, hash generating or something like that XP-COM components might help you but I don't recommend because it's really hard to maintain (all versions on all platforms).
If the password is required to authenticate the user to a server then you should use nsILoginManager to store it. The password will be stored encrypted on disk if the user defines a master password. If you want to protect the extension's user interface from the user then it doesn't matter where you store the password - this kind of protection works only against inexperienced users. E.g. you can use Preferences to store it.
Are there any special JavaScript methods you can access on Android to identify the user or the device?
In particular we want to uniquely identify a user's multiple phones in their household so that they can manage their phones' app usage centrally. E.g. if we could get their phone's name like "Jim's Phone" or get the serial or IMEI, that would be great.
As Paul mentioned, this is not possible because device does not expose its data via browser. On the other hand, native apps can access device data called Universally Unique Identifier called uuid. By using cross platform like PhoneGap you can easily port your mobile web app into native mobile app. In this way, you can uniquely identify users. (With phonegap, you can access the id with javascript device.uuid).
Another option is to assign unique identifier to users and store it in local storage or cookie. This has a risk of losing the tracking of users if user clears his local storage or cookie. To solve this problem, you can provide some service for users to recover the information.
In any case, you should do this with users permission because of privacy issue.