How to create an unique identifier for an IOS device from a HTML aplication

Question

We are building a web based system where there are money involved and we want to avoid fraud implementing a system that is able to identify the IOS device from where the requests are sent.

The reason of this security is because we offer money for execute actions from a mobile and we only want the user to obtain the money once, if we are not able to identify the device the user can execute the action several times.

This unique identifier can use any HTML, JS, server side technique, but not any native IOS call due the application is web based and it runs in a normal Safari instance.

The unique identifier is not needed to be the official UUID.

The system doesn't need to be bullet-proof just a few more difficult to cheat than a normal cookie.

The system should works in separate sessions, like if the user comes back after one week.

Heuristic based systems are welcome, also any combination of LocalStorage with Cookies, ...

Answer 1

The only ways you can identify a unique user/device in a web application is to use cookies and or track the user's IP address.

Of course, the IP address of a device will change as the owner moves around and cookies can be cleared/disabled or will expire after a set time.

Letting web sites access a device unique identifier such as the UDID would be a huge security risk / privacy invasion. If you were to find such a way, I would say that you found a severe security hole in iOS.

If you are only interested in triggering i.e. an email alert when an account is suspected of being stolen, you could use a heuristic based on device type (user agent string) and geo-ip-lookup to detect if the user has suddenly changed device type and continent and ask the user to confirm that this is really the case. I believe this is what e.g. Google and Facebook does.