Identify devices uniquely

Using Ionic v3.

I need to uniquely identify a device (both on android and ios). This is because, while the user can install our app on multiple devices, the app needs to be able to distinguish between the devices’ contact lists.

I am using the Device plugin from @ionic-native and can get the serial number if it is an android, but since May 2017, ios is rejecting apps that use the UDID. Unfortunately, the serial number for an iOS device is undefined.

I am interested to know what the best approach would be – as I imagine this would be quite a common requirement?

Can you have the app generate a UUID when it registers?

… and store in local storage? That would work, though I assume this wouldn’t handle a re-install.

It should survive an update, but no, not an uninstall and reinstall. To cover that, perhaps you could publicize the uuid to the user and have them stash it somewhere and have the ability to paste it into a re-registration screen.

Thanks for your suggestion rapropos. That would be a solution, even though it puts quite a burden on the user. I was hoping to avoid this kind of thing…

Maybe I could add a ‘silent’ entry into the contact list with the generated UUID - that would directly relate that list to the app regardless of whether the app is reinstalled or not…

You could hash it down to something smaller like game consoles use for promotional codes. I tend to use base36 encoded 64-bit integers for this sort of thing, which results in relatively small alphanumeric strings. You can pitch it to your users as a security feature: an identifier that is only used by your app.

I suppose there is no OnUninstall event - because that would be a good occasion to pitch the security feature. I keep your suggestion in mind rapropos - thanks again.

What do you think about adding a silent entry in the contact list?

Tough question that I don’t feel very confident answering without understanding more about your user base. In my experience, users don’t uninstall and reinstall the app on the same device. Much more frequently, they change devices and want a seamless transition. In that situation, giving them the “remember this device” code at registration time and telling them that they should memo it for future use if they swap out the device. Presumably that works with your app because the contacts of old-device and new-device would be equivalent. I can’t speak for your users, but a silent contact entry seems sort of underhanded to me.

P.S. You can also use QR-codes for this, so they can snap the uuid of old-device from the camera of new-device.

It’s true that users generally don’t uninstall and reinstall - so it is quite a rare occasion. I just wish there was a way of knowing if they did.

We are not assuming that the contact lists will be the same on all of the user’s devices though - e.g. one device could be more work related.

Yes, it is a little ‘underhanded’ to add an entry in the contact list - and I’m liking it less and less. Users shouldn’t be expected to have their contact lists fooled with.

I like your QR-code suggestion. Thanks for your feedback, you’ve provided much food for thought.

1 Like

Actually, the newer OS versions can backup the local data of an app and recover it on re-install. This is causing unexpected behaviour in many apps in the other way - they expect local storage to be empty after uninstall and re-install and it isn’t. Cordova added some config thingies for config.xml to disable this.

1 Like

Google and Apple don’t want you to uniquely identify devices. So they make it hard, and each way you find to directly circumvent this will be a pain. I don’t think you should invest too much time there.

Do you maybe have another way to identify users? On Android you could ask for the device’s Google account for example.

What exactly are you doing? Maybe knowing more will help uncover a solution.

Thanks Sujan - I’m working for a client so I can’t disclose too much - but enough to be relevant to this topic I believe.

We provide a service for a client’s contacts list. The client signs in using Auth0. The app (ionic 3) uploads some data to a cloud server.

The difficulty is that each client may install the app on several devices. So although he only has one account, he may have several devices, each with their own contact list (which we assume to be unique).

The app needs to interact with a cloud server which in turn needs to know what device/contact list it is handling. Hence the need for some type of unique identification.

Hope that’s enough info.

Yep, makes it clearer.

Just to make sure, with “contact list” you mean the list of contacts on the device with names, phone numbers etc. Correct?

Follow up questions:

  • Why does it hurt if after a reinstall the device is considered different to the “device” it was before in your database?
  • Do you expect one use to have two identical (e.g.) iPhone 6S at the same time? Because if it is only about iOS vs. Android, you don’t really have a problem, right?

1 - Yes, I’m talking about the native contacts list on the device.
2 - When the app reinstalls, we lose the identification even though the device’s contacts list is still the same - so now there is no way for the server to know what device we are talking about.
3 - Indeed, the user may have an ipad and an iphone, each with their own contacts list (though I probably will be able to distinguish between them with some difficulty). The user may also have 2 similar devices, say one for work and a private one.

Why is this important? What do you loose if you handle this as an additional, new device? (The reason for this might give alternative solutions)

Idea: You could use available data points (device type, device os version, etc) plus a hash over the whole contact list to “reidentify” such devices. (Of course only works if nothing changed in the mean time).

Another question: It this the only app of the company the users will have installed on the device?

I hopne not - checking for the device type should be really easy.[quote=“dbertels, post:15, topic:88153”]
The user may also have 2 similar devices, say one for work and a private one.
[/quote]

This is making things difficult re “simple” identification of devices.

The data for the ‘previous’ device will become obsolete in the database. The server is doing some linking between users, so all those links will become obsolete as well (sorry I can’t be more specific).

Yes, that’s an option.[quote=“Sujan12, post:16, topic:88153”]
Another question: It this the only app of the company the users will have installed on the device?
[/quote]
Yes, usually.

Shame, otherwise you could have abused the advertising identifiers but they are reset when all apps from a company are removed.

Is this really a problem? I assume it is linking the contact objects to some kind of “person” object (like in a CRM), so having an additional device with a set of contacts linked to the same "person"s doesn’t really hurt, right?

If I were you I would create a unique ID on app install. Save this in local storage (or whatever storage type is best used for this), see if there already is one from backup (investigate how this works in Cordova so you actually force it explicitly to use that option). When the user logs in and e.g. uploads his contacts you check if they had a device before and if so you try some matching: OS, device type, OS version etc + the contact list. If you think you have a match (e.g. matching properties + 99% contact list match), optionally ask the user if he had the app installed on that device before - or just give that installation the same unique ID as the old one. Done.

Would that cover all cases?

(Things that could maybe still derail that process: Device reset, Backup restoration on new device, OS updates, rooted devices, users manually deleting app data [Oh how I love Android users that ‘clean’ their data directories…], sold devices, devices bein inherited from person A to person B in a company)

(I spent sooo many hours developing a similar system a few years ago - it was a pain in the ass all the way.)

Thanks so much for your input - it is well appreciated!

Yes, your first point is well taken - a reinstall is not the end of the world.

Looks like it will be a bit of messing about (if I want to be 100% sure I’m looking at the same device/user) - but I suppose it’s all for the good of security.

cheers