Reputation: 5691
Spoofing safe device identification in Android and Firebase
We developed an Android application which acts like a simplified version of our webshop. Now we want to send a discount code to those who install our app.
We figured the following procedure would work:
When the app starts up the first time, the remote API is called to register the device using the FCM token. If this FCM token is new, we will send a push notification with the discount code.
This works, however, if the user re-installs the app it will create a new FCM token for the user so we will not be able to determine it is really the first time the user installs our app. Obviously we do not want a single user requesting multiple discount codes.
I understand that unique identifiers can be spoofed.
How can we solve this?
Upvotes: 1
Views: 341
Answers (1)
Reputation: 1982
I am assuming that prior to sending the discount code you require user login. You can have a flag in the user database that indicates whether the specific user has received a discount, and if not, send it. Therefore, the token will be account, and not device specific.
The discount being device specific is not a good practise, since it may change owner. The new owner will not be entitled to a discount in this scenario.
Upvotes: 1
Related Questions
- Settings.Secure.ANDROID_ID different in build APK and Signed APK why?
- Firebase Cloud Messaging request DeviceID without connecting to Firebase
- How is Android Firebase messaging SDK secure against Intent spoofing?
- is possible to change Settings.Secure.ANDROID_ID?
- Android unique device identifier to use with google's firebase token generator
- Firebase Anonymous authentication and Device ID
- Unique identity issue on Firebase
- Authenticate by Device with Firebase
- Any vulnerability to exposing Unique Android Device ID?
- Android - How to detect same user from multiple devices?