I'm new to mobile and web development.
We want to give access to some business methods on mobile phones/tablets.
Now a question arose: How to identify a user.
Our users work on jobsites. Even with desktop applications they rarely use user/password combinations (in fact most wanted an auto-login for a PC, and from there single sign-on is used for the program).
So I think based on experience with the users a traditional login mechanism won't be accepted.
However we want to provide at least some basic security. We thought of the following:
A user can log in to the server once with a mobile device
An administrator can link the device to an existing user
Afterwards the user can just use his device without logon (identification of the user is then done via some unique identification of the phone)
If we wrote programs for each platform we could (I think) use something like DeviceExtendedProperties.DeviceUniqueId for Windows Phone. Maybe create / store a token and send it to the server in step 1, which is then used next time for identification.
But we thought it could maybe also be possible without specific applications for the device types, using only one website for all devices. Therefore we want to use a web page and jQuery Mobile to give a more native look on the different devices.
So the problem is: How to identify a phone via web browser?
Is there some cool jQuery or JavaScript function for device identification that I missed?
Or are there better approaches?
How to identify a phone via web browser?
Why not set a cookie? Sure, the user would have to log in again if he uses multiple browsers or has disabled cookies, but this is an easy solution.
Here's more information.
Related
I'm developing an app for my company, and for security reasons I can only allow certain devices to use it. On Android I'm getting the device UUID, so I can uniquely identify it and allow it access to the platform (server-side validation of this UUID). I'm also developing the very same app as a web app, and for the same security reasons I need to allow only certain PCs to access the platform (even if I'm validating access with username/password, it's the requirement my boss gave me). So, how can I generate a version 1 UUID using JavaScript or jQuery? Is it even possible? All I need is a UUID that will be the same every time I generate it on the same machine.
PS: I can't rely on generating a random UUID and storing it, since my app clears localStorage AND the user can erase cookies.
For legal purposes, I need to find a way to obtain a "one-to-one" identity of a device that logs in to my web application.
Typically, I'll post a URL through SMS or email and the end user opens the link in his/her default browser.
I know a phone number can't be retained consistently.
Also, I wouldn't get my hands into Flash/ActiveX objects.
Are there any other ways?
Thanks.
You cannot get a unique ID like the IMEI or device UUID using HTML/JS, but you can create a fingerprint of the device. Check the fingerprint2.js lib: https://github.com/Valve/fingerprintjs2
There is no way to ensure a device's identity in a web application.
You can only guess by what the browser tells you (I can give you some stuff about that). But it can always be faked by the client.
As you were talking about Flash, you might be able to do it with Flash/Java applets, some information here. But that is with browser plugins, which many clients might not have.
When someone visits your website you can grab only his basic information, like the browser identity and his IP address, because these properties are pushed by the user's browser to the visited page. You can't get any other information.
What exactly is your legal requirement and use case?
Are you tracking registered users with registered devices?
Do you have any control over the devices (e.g. company mobile phones or laptops)?
Are you dealing with self-registering users with unknown devices?
How accurate does the identification need to be: exact or approximate / risk-based?
Unfortunately device identity is not something available through web browsers. Can you imagine the privacy implications of such a feature? Advertisers and government agencies would love it, everyone else would hate it.
Some organisations use commercial products that attempt to do "device fingerprinting" using a range of techniques including geolocation, IP, browser and device characteristics e.g. resolution, Flash or Silverlight (if installed), that sort of thing. However these are risk-based approaches that are used by banks etc. to determine whether they've seen the device before or not, and if not it pushes the user to provide additional authentication (step-up authentication). It's not a guarantee, it just offers a convenience to recognised users by simplifying the login process.
This is different to what you're asking for though. As other users have said, it's basically not possible because all the information available through the browser is essentially spoof-able and inherently unreliable. Even a single system can end up with multiple fingerprints if the user uses different browsers, for example, or plugs a laptop into a docking station with a monitor attached.
Probably the best you can do is something like you suggested: send a one-time code to the device using something that IS unique to that device such as the mobile phone number, but even this can be bypassed pretty easily. It also comes down to how you find out and verify the device in the first place.
If you're only dealing with pre-registered mobile devices you may have a chance, e.g. you could use a native app that registers a custom URI handler on the mobile device to receive a one-time code from the server, and then the app opens a custom link in the system browser and passes in this code and some device ID like the IMEI (hashed) to your web server.
However if you want to be able to identify PCs, Macs or any other web-enabled device where you don't have control of something at the OS level you're probably going to struggle.
We are developing an in-house web-based application for viewing data reports, targeting smartphones and tablets. Our customer asked us for the possibility that only certain devices could access the content. Since we use technologies based on JavaScript/HTML5 we are not capable of reading a unique ID like the IMEI or device UUID. The idea is to be able to automatically create a time-independent fingerprint of the device with the above-mentioned technologies.
The question is: are we able to create a unique device fingerprint with JavaScript/HTML5?
The clue might be information available or known by browser (e.g. http://browserspy.dk/)
You can use the fingerprintJS2 library, it helps a lot with calculating a browser fingerprint.
By the way, on Panopticlick you can see how unique this usually is.
It looks like the PhoneGap plugin will allow you to get the device's UUID.
http://docs.phonegap.com/en/3.0.0/cordova_device_device.md.html#device.uuid
Update: This is dependent on running native code. We used this solution writing JavaScript that was being compiled to native code for a native phone application we were creating.
You can use this JavaScript plugin
https://github.com/biggora/device-uuid
It can get a large list of information for you about mobiles and desktop machines, including the UUID, for example:
var uuid = new DeviceUUID().get();
// e.g. "e9dc90ac-d03d-4f01-a7bb-873e14556d8e"
// parse() returns the parsed device properties used below (this line was missing from the original snippet)
var du = new DeviceUUID().parse();
var dua = [
    du.language,
    du.platform,
    du.os,
    du.cpuCores,
    du.isAuthoritative,
    du.silkAccelerated,
    du.isKindleFire,
    du.isDesktop,
    du.isMobile,
    du.isTablet,
    du.isWindows,
    du.isLinux,
    du.isLinux64,
    du.isMac,
    du.isiPad,
    du.isiPhone,
    du.isiPod,
    du.isSmartTV,
    du.pixelDepth,
    du.isTouchScreen
];
I have the following idea of how you can deal with this using an Access Device ID (ADID):
Generate ADID
prepare a web page https://mypage.com/manager-login where a trusted user, e.g. a manager, can log in from the device; that page should show a button "Give access to this device"
when the user presses the button, the page sends a request to the server to generate an ADID
the server generates the ADID, stores it on a whitelist and returns it to the page
then the page stores it in the device's localStorage
the trusted user now logs out.
Use the device
Then another user, e.g. an employee, using the same device goes to https://mypage.com/statistics and the page sends the server a request for statistics including the parameter ADID (previously stored in localStorage)
the server checks if the ADID is on the whitelist, and if yes returns the data
In this approach, as long as the user uses the same browser and doesn't reset the device, the device has access to the data. If someone resets the device then the trusted user needs to log in again and generate an ADID.
You can even create some ADID management system for the trusted user where, on generating an ADID, he can also input the device serial number, and in future, in case of a device reset, he can find this device and regenerate the ADID for it (which does not increase the whitelist size); he can also drop some ADIDs from the whitelist for devices to which he will no longer give access to server data.
In case the system uses many domains/subdomains, the manager after login should see many "Give access from domain xyz.com to this device" buttons; each button will redirect the device to the proper domain, generate the ADID and redirect back.
UPDATE
A simpler approach based on links:
The manager logs in to the system using any device and generates a ONE-TIME USE LINK https://mypage.com/access-link/ZD34jse24Sfses3J (which works for e.g. 24h).
Then the manager sends this link to the employee (or someone else; e.g. by email), who opens that link on the device, and the server returns an ADID to the device, which stores it in Local Storage. After that the link above stops working, so only the system and the device know the ADID.
Then the employee using this device can read data from https://mypage.com/statistics because it has an ADID which is on the server's whitelist.
Hi, I need to implement something to prevent users from connecting to a webapp from another computer or mobile that is not authorized. For example, if the user enters the username and password correctly and the computer or mobile is authorized by the company, access is granted, but if the user is on another computer or mobile device the login to the webapp must be rejected.
Also, the user can be connected to the internet anywhere and use this webapp, but only if using the authorized devices to do it.
I thought of using the MAC address to accomplish this, but I don't know if this is the correct approach.
So anyone have any suggestions?
Edit: This webapp is an in-house app, with access to sales and inventory of the company, so only the devices that are provided by the company can access the webapp.
The MAC address is a poor choice since it is fairly trivial to forge it (aside from the difficulties in obtaining it via javascript). You're going to have that problem with almost any scheme since you are relying on user-controlled content to tell you that the device is authorized. Cookies, even "random" ones, have the same forgery problem.
How are devices authorized? How secure does it need to be? Why must access be limited to only authorized devices?
I see 2 possibilities here:
This requirement is a misguided attempt to exert control over the end-user of the application and there are no real security issues, beyond those already being addressed via the traditional authentication methods (i.e. login/password).
There is a legitimate need to validate that the device being used by the user meets some level of security (e.g. virus protection, located in a physically secure location, etc.). In that case, I am not qualified to build such a solution (and certainly not in a StackOverflow answer), and, judging from your question, neither are you. Even if you come up with a solution you are convinced is secure, I can guarantee it isn't.
A truly secure implementation would probably make use of public key encryption and some sort of signature from the authorized device. Even that signature could be forged, especially for a browser-based solution, which is why so many companies are interested in the trusted platform module.
You cannot get the MAC address of a device directly without access to Java plugins, native programming, ActiveX, etc.
The usual way to do something like this (read: Facebook detecting when you have not logged in from a location before) is to set a cookie on the devices that are authorized. Store a list of these cookies on the server and check to make sure you are getting the right cookie when the user attempts to use the device. The cookie should be random with little chance of collision. You might even get fancy and update the cookie each time the user logs on with a new value. Basically, what you are looking for is exactly the same as the "Remember Me" login systems.
I'm building a webapp, and I could use a solution that allows me to uniquely identify the users computer.
The reason for this is that once the user is logged in to the application he/she can start several sessions (which are stored in MySQL) related to the app; however, the sessions should only be available from the computer on which the session was initiated.
I cannot use cookies, since the application should allow users to close the browser, restart the computer etc., without any risk of losing the user's session.
At first I thought it would be possible to get something like a motherboard serial. Naaah, not going to happen.
Then I thought of generating an MD5 hash based on the user's remote address + MAC address, until I found out that this is only possible using older versions of IE with ActiveX.
Then I came to think: do all Chrome installations have some sort of unique browser ID I could use? ... Haven't been able to find anything helpful.
Any great ideas on how to generate a unique string based on the user's computer?
You'll have to relax your constraints: even by using the browser fingerprint, you won't be able to have a UID that is guaranteed not to change and not to be lost.
My usual solution, which works very well but with no guarantee, is to send a UID from the server to the browser and to store it in localStorage. Note that a computer-savvy user can remove it or change it. But if the user isn't your foe, this works well.
The reasons to prefer localStorage over cookies are:
no expiration
no tools to "clean" them, as they were origin-bound from the start and thus haven't the privacy-breach reputation of cookies
of course the cleaner and saner interface for javascript applications
"I cannot use cookies, since the application should allow users to close the browser, restart the computer etc., without any risk of losing the user's session."
Cookies are not lost when the computer restarts. You can use cookies.