We are developing in-house web-based application for viewing data reports while targeting on smartphones and tablets. Our customer asked us for possibility that only certain devices could access the content. Hence we use technologies based on javascript/HTML5 we are no capable of reading unique ID like IMEI or device uuid. The idea is to be able to automatically create time-independent fingerprint of device with above mentioned technologies.
The question is are we able to create unique device fingerprint with javascript/HTML5?
The clue might be information available or known by browser (e.g. http://browserspy.dk/)
You can use the fingerprintJS2 library, it helps a lot with calculating a browser fingerprint.
By the way, on Panopticlick you can see how unique this usually is.
It looks like the phoneGap plugin will allow you to get the device's uid.
http://docs.phonegap.com/en/3.0.0/cordova_device_device.md.html#device.uuid
Update: This is dependent on running native code. We used this solution writing javascript that was being compiled to native code for a native phone application we were creating.
You can use this javascript plugin
https://github.com/biggora/device-uuid
It can get a large list of information for you about mobiles and desktop machines including the uuid for example
var uuid = new DeviceUUID().get();
e9dc90ac-d03d-4f01-a7bb-873e14556d8e
var dua = [
du.language,
du.platform,
du.os,
du.cpuCores,
du.isAuthoritative,
du.silkAccelerated,
du.isKindleFire,
du.isDesktop,
du.isMobile,
du.isTablet,
du.isWindows,
du.isLinux,
du.isLinux64,
du.isMac,
du.isiPad,
du.isiPhone,
du.isiPod,
du.isSmartTV,
du.pixelDepth,
du.isTouchScreen
];
I have following idea how you can deal with such Access Device ID (ADID):
Gen ADID
prepare web-page https://mypage.com/manager-login where trusted user e.g. Manager can login from device - that page should show button "Give access to this device"
when user press button, page send request to server to generate ADID
server gen ADID, store it on whitelist and return to page
then page store it in device localstorage
trusted user now logout.
Use device
Then other user e.g. Employee using same device go to https://mypage.com/statistics and page send to server request for statistics including parameter ADID (previous stored in localstorage)
server checks if the ADID is on the whitelist, and if yes then return data
In this approach, as long user use same browser and don't make device reset, the device has access to data. If someone made device-reset then again trusted user need to login and gen ADID.
You can even create some ADID management system for trusted user where on generate ADID he can also input device serial-number and in future in case of device reset he can find this device and regenerate ADID for it (which not increase whitelist size) and he can also drop some ADID from whitelist for devices which he will not longer give access to server data.
In case when sytem use many domains/subdomains te manager after login should see many "Give access from domain xyz.com to this device" buttons - each button will redirect device do proper domain, gent ADID and redirect back.
UPDATE
Simpler approach based on links:
Manager login to system using any device and generate ONE-TIME USE LINK https://mypage.com/access-link/ZD34jse24Sfses3J (which works e.g. 24h).
Then manager send this link to employee (or someone else; e.g. by email) which put that link into device and server returns ADID to device which store it in Local Storage. After that link above stops working - so only the system and device know ADID
Then employee using this device can read data from https://mypage.com/statistics because it has ADID which is on servers whitelist
Related
I really need to get an imei number to my webapp to register the device. I have made a simple native Android app that gets the imei and was hoping to put the number somewhere locally on the device that the web app could then come and check for.
I can put the imei in an sqlite db ok from the Android side of things, but not sure if I can access that specific info from the webapp.
Would there be a better way to achieve this?
Sqlite db created by a native app is sandboxed for access by other applications. So you cannot do what you are trying to do.
Add your web application as a webview along with your app that provides you the imei number. Then your webview will have access to the sqlite db or the IMEI number directly.
If you are trying to authenticate the device using IMEI info then it will be a wrong approach as this information can be easily faked. At the most IMEI should be used as a username and not as a password.
a quick hack
Use the native app to get the imei.
From the app Generate a URL like this www.yourdomain.com/'Replace_with_IMEI_NUMBER'
Once the user clicks with some client side server side coding you
can store the received IMEI number in the browsers Local storage.
The next time your web app is opened you will get access to the local storage which contains the imei number.
But once the local storage is cleared this step has to be repeated.
I do not think you can access the db application Android. But you might save the imei in a DB to be questioned later.
I'm developing an app for my company, and for security reasons I can only allow certain devices to use it. On Android I'm getting the device uuid, so I can uniquely identify it and allow it access to the platform (serverside validation of this uuid). I'm also developing the very same app as a web-app, and for the same security reasons I need to allow only certain pcs to access the platform (even if I'm validating access with username/password, but it's the requirement my boss gave me). So, how can I generate a version 1 uuid using javascript or jQuery? Is it even possible? All I need is a uuid that will be the same everytime I generate it on the same machine.
PS: I can't rely on generating a random uuid and storing it, since my app clears localStorage AND the user can errase cookies.
For legal purposes, I need to find a way to obtain a "one-to-one" identity of a device that logs in to my web application.
Typically, Ill post a url through SMS or email and the end user opens the link in his/her default browser.
I know Phone number cant be retained consistently.
Also, I wouldn't get my hands into flash/active-X objects.
Are there any other ways?
Thanks.
You cannot get unique ID like IMEI or device uuid using HTML/js, but you can create fingerprint of device. Check fingerprint2.js lib: https://github.com/Valve/fingerprintjs2
There is no way to ensure a Devices identity in a Web-Application.
You can only guess by what the Browser tell's you (I can give you some stuff about that). But it can always be faked by the client.
As you where talking about flash, you might be able to do it with flash/java-applets, some information here. But that is with Browser Plugins, wich many clients might not have.
When someone visit your website then you can grab his basic information like as Browser identity and his IP Address only . Because these properties are pushed by the user's browser to visited page . You can't get any other information.
What exactly is your legal requirement and use case?
Are you tracking registered users with registered devices?
Do you have any control over the devices (e.g. company mobile phones or laptops)?
Are you dealing with self-registering users with unknown devices?
How accurate does the identification need to be: exact or approximate / risk-based?
Unfortunately device identity is not something available through web browsers. Can you imagine the privacy implications of such a feature? Advertisers and government agencies would love it, everyone else would hate it.
Some organisations use commercial products that attempt to do "device fingerprinting" using a range of techniques including geolocation, IP, browser and device characteristics e.g. resolution, Flash or Silverlight (if installed), that sort of thing. However these are risk-based approaches that are used by banks etc. to determine whether they've seen the device before or not, and if not it pushes the user to provide additional authentication (step-up authentication). It's not a guarantee, it just offers a convenience to recognised users by simplifying the login process.
This is different to what you're asking for though. As other users have said, it's basically not possible because all the information available through the browser is essentially spoof-able and inherently unreliable. Even a single system can end up with multiple fingerprints if the user uses different browsers, for example, or plugs a laptop into a docking station with a monitor attached.
Probably the best you can do is something like you suggested: send a one-time code to the device using something that IS unique to that device such as the mobile phone number, but even this can be bypassed pretty easily. It also comes down to how you find out and verify the device in the first place.
If you're only dealing with pre-registered mobile devices you may have a chance e.g. you could use a native app that registers a custom URI handler on the mobile device to receive a one-time code from the server, and then the app opens a custom link the system browser and passes in this code and some device ID like IMEI (hashed) to your web server.
However if you want to be able to identify PCs, Macs or any other web-enabled device where you don't have control of something at the OS level you're probably going to struggle.
I'm new in mobile and web development.
We want to give access to some business methods on mobile phones/tablets.
Now a question arose: How to identify a user.
Our users work on jobsites. Even with desktop applications they rarely use user/password combinations (infact most wanted an auto login for a pc, and from there SingleSignOn is used for the program).
So I think based on experience with the users a traditional login mechanism won't be accepted.
However we want to provide at least some basic security. We thought on the following:
A user can log to the server once with a mobile device
Administrator can link the device to an existing user
Afterwards user can just use his device without logon (Identification of user is then done wia some unique identification of the phone)
If we would write programs for each plattform we could (i think) use something like DeviceExtendedProperties.DeviceUniqueId for Windows Phone. Maybe create / store a token and send it to the Server in step 1 which then is used next time for identification.
But we thought it could maybe also be possible without specific applications for the device types and only use of one website for all devices. Therefore we want to use a webpage and jquery mobile to give a more native looking on the diverent devices.
So the problem is: How to identify a phone via web browser?
Is there some cool jquery or javascript function for device identification that i missed?
Or are there better approaches?
How to identify a phone via web browser?
Why not setting a cookie ? Sure the user would have to relog if he uses multiple browsers or disabled cookies, but this is an easy solution.
Here's more information.
Are there any special JavaScript methods you can access on Android to identify the user or the device?
In particular we want to uniquely identify a user's multiple phones in their household so that they can manage their phones' app usage centrally. E.g. if we could get their phone's name like "Jim's Phone" or get the serial or IMEI, that would be great.
As Paul mentioned, this is not possible because device does not expose its data via browser. On the other hand, native apps can access device data called Universally Unique Identifier called uuid. By using cross platform like PhoneGap you can easily port your mobile web app into native mobile app. In this way, you can uniquely identify users. (With phonegap, you can access the id with javascript device.uuid).
Another option is to assign unique identifier to users and store it in local storage or cookie. This has a risk of losing the tracking of users if user clears his local storage or cookie. To solve this problem, you can provide some service for users to recover the information.
In any case, you should do this with users permission because of privacy issue.