0

What is the least invasive way to uniquely identify a user or a user's device in Cordova. I've not yet been looking at iOS yet, but it looks like ANDROID_ID is definitely not unique, which rules out org.apache.cordova.device.Device's uuid property.

Specifically, this is for recovering remote user account data in case of a phone- or application-data reset and I am trying to figure out how to do this with the fewest app permissions and the smallest cognitive load on the user.

Currently, I think the only routes I have are:

  1. Ask user for email
  2. Use third-party authentication (OpenID, Facebook, Twitter, Weibo, etc.)
  3. Ask user for a uname/password
Andrew
  • 12,936
  • 13
  • 52
  • 102

2 Answers2

1

If your problem is only about backups, I don't know about Cordova/iOS, but Android has a standard backup service meant for this, which should work on even non-Google firmwares (assuming the ROM-maker did integrate a backup service)

Concerning having a unique ID, I don't think there is any obvious answer, it depends on your more precise need:

  • According to the link you gave, the non-unique ANDROID_ID bug only applies to <= 2.2, is that relevant for your use-case ? (Edit: Though ANDROID_ID will change after phone-reset, so that doesn't match your need)
  • Asking user for email means taking care of spams
  • username/password means have proper security, not to leak infos
  • My personal preference is third-party authentificatino, but then you'll need your users to have a google account/facebook/etc, which you might not want

Also, one problem you might want to consider, is that Android devices are getting more and more multi-user capable. Do you want to a identify a device or a user ? If the later, one user might have multiple devices for the same application.

schnatterer
  • 6,520
  • 6
  • 53
  • 71
Pierre-Hugues Husson
  • 51
  • 5
  • All good points. Thank you. I am focusing on cheaper markets, where lower quality phones rule, so vendor ID reuse concerns me -- though not sure if that's a concern now. My current preference is to ask for an email address (stored with `bcrypt` or the current slowest hashing algo), but fall back to a variety of third-party authenticators. As well, I will likely allow the user to play without a safety net if they want (worst case is that I'll have some orphaned data on my servers). But I am hoping there is an easier standard that I can stick to in Cordova. We'll see if other answers roll in. – Andrew Jun 20 '15 at 14:08
0

If you want to identify an user then you have to use any of the routes you though and any of them will require permissions, so it's up to you which one to choose.

For identifying a device, the best choice is to use the IMEI for phones and the Build.SERIAL for devices that don't have IMEI (tablets, media players), you will have to create a plugin to get those values

jcesarmobile
  • 45,750
  • 8
  • 107
  • 152
  • Thank you very much for your reply. I don't think any of the options in my question require any special permissions -- they come with network access, which I need for my project anyway. But using IMEI is highly problematic: First, I thought it requires READ_PHONE_STATE in Android, which I consider to be the most invasive permission in the manifest. Second, last I checked, it is only accessible via private methods on iOS, so it should never get approved by Apple. And most importantly, it identifies a unique device, not a user. If a user sells his phone, then I'd be leaking his or her data. – Andrew Jun 25 '15 at 06:30
  • You said you want to identify an user or a device, the user can just be identified with an user account, the device can onle be "uniquely" identified with the IMEI or Build.SERIAL. But you have to use a combination of both, or just the user account if you don't really need to identify the device at all. On iOS you should use the identifier for vendor instead of the IMEI – jcesarmobile Jun 25 '15 at 06:40
  • I'm sorry my question came across that way, but I asked specifically for a way to identify a "user or user's device", not 'user or device'. I apologise for not making this more clear. What I was hoping for was something transparent like a user's Google identity or something like that. I remember reading a couple years ago of a way to get a GUID that was constant for each user across all apps from a specific app vendor, but maybe that was just a feature request. That would be my ideal solution. But because of privacy concerns, IMEI is off the table for me. – Andrew Jun 25 '15 at 06:58
  • Ok, I understand. On android you can use the AccountManager, but on iOS you have no such thing http://stackoverflow.com/questions/2245545/accessing-google-account-id-username-via-android – jcesarmobile Jun 25 '15 at 07:08
  • That sounds pretty close to what I am looking for. If you add that link to the answer, I will gladly accept it. Thanks! – Andrew Jun 25 '15 at 07:29
  • Don't worry, if I do that moderators might delete it because of "link only ansker". BTW, there is an account manager plugin https://github.com/vishalkardode/cordova-android-accountmanager – jcesarmobile Jun 25 '15 at 07:46