Good idea to use mobile device UUID for login?

I am using phonegap and jQuery mobile to develop an application, and this is the first time I've been working with these two technologies.

Now the user must go to the remote server. I have a JSON service ready for this, the session will be stored on the remote server. To make everything convenient, I would like the user to log in only once. Here is my process:

1) the phone is looking at the remote directory - is my UUID allowed in a specific account?

1a) if yes, log in

1b) if not, go to 2

2) Login

2a) If the login was successful, save the UUID in the user account. Remove UUID from other accounts if it was saved there

2b) If you are not logged in, go to 2

Now my question is: for security reasons, is it a good idea to use the UUID as a "key"? Or can it be manipulated in a nasty way?

Another option is to save the password (hashed) on the iphone.

What is the best practice?

Thanks, Christian

+4
3 answers

I assume that you are talking about a device identifier that Apple calls "UDID".

Using UDIDs for this purpose does not seem like a good idea to me. For your purposes, there is no difference between a UDID and any other 40-digit hexadecimal string. From the user's point of view, however, this is an immutable string that is not private and which is used as a backup for their username and password. Since any application can detect UDIDs, and UDIDs are provided to developers and other users, the security of your entire system will rely on nothing more than the unknownness of your hash algorithm.

It is possible to use the UDID as a stand-in for the username if you require the user to enter a password at the beginning of each session, because then at least there would be a private, mutable login component.

I don’t see the real advantage of using UDID compared to the random 40-digit hexadecimal string that you create in your application. The advantages of creating your own string, on the other hand, are that no other application can easily detect your string, and the user can (if you allow) change the string as desired.

Note: I am not a security expert, and I do not want to give the impression that I am. However, as a user, I would be nervous about using an application that uses the device identifier as you describe.

+3

You can use the UUID as a key. You can also convert UUID (Hashed), although the UUID is unique for each device. In my care you should use the concept of UUID. This is much better than the password (hashed) stored on the phone.

+1

Unless the UUID is used as the only unique identifier for the user, this should be fine. Just remember that the UUID identifies the device, not the user. The user can lose or break his phone and get a new one, which means a change in UUID. He will still be the same user using a different phone.

+1
