How unique is the default device identifier that is generated for device locking in the CA Mobile OTP library

Article ID: 37991

Products

CA Rapid App Security, CA Advanced Authentication, CA API Gateway

Issue/Introduction

Question

[A] How unique is the device identifier that is generated for device locking in the CA Mobile OTP library for Android, iOS and Windows Phone?

[B] If a user uninstalls the app (which uses the CA Mobile OTP library) and reinstalls it, is the device ID the same as the one used in the first installation, or does it change?

Environment

CA Mobile OTP library for Android, iOS and Windows Phone (Release: 8.1)

Answer

[A] By default, the device locking feature is enabled in the CA Mobile OTP libraries. The following values are used as the default unique ID:

For iOS, the CFUUID parameter is used to lock the device.

For Android, Secure.ANDROID_ID is used as the unique ID.

For Windows Phone, Windows.Phone.System.Analytics.HostInformation.PublisherHostId is used as the unique ID.

 

[B] Because the CFUUID is stored in the keychain, it persists even after the application is uninstalled. A re-installed application should be able to access the same CFUUID that was stored earlier. However, the CFUUID will not be accessible in the following scenarios:

1. The keychain access group identifier changes; there should not be any change to it. (By default, an app can only access keychain items whose keychain access group matches the application-identifier code signing entitlement. If the previous version of your app was writing data to the keychain, submitting an app update with a new App ID will result in a loss of access to the previous keychain data. The keychain access will only be lost after an update to the app is released on the App Store.)

2. The user explicitly deletes the CFUUID from the keychain.

 

In the case of Windows Phone, Windows.Phone.System.Analytics.HostInformation.PublisherHostId is unique per device and per publisher, which means that no two publishers will receive the same value for the same device. This string is generated when the first application from the publisher is installed and lasts until the user uninstalls the last application from the same publisher. So CA Mobile OTP behavior should be consistent for the user accounts in the CA Mobile Application across installation and un-installation. (When the application is uninstalled, all the accounts are deleted; after re-installation, the user credential is device locked with the current PublisherHostId.)

 

In the case of Android, Secure.ANDROID_ID is a 64-bit number randomly generated when the user first sets up the device, and it should remain constant for the lifetime of the user's device. The value may change if a factory reset is performed on the device. So CA Mobile OTP behavior should be consistent for the user accounts in the CA Mobile Application across installation and un-installation. (When the application is uninstalled, all the accounts are deleted; after re-installation, the user credential is device locked with the current Secure.ANDROID_ID.)

 

It is also possible to lock an account using non-default parameters. To lock an account to a device with a custom device locking key, implement custom logic as explained in the following steps:

1. Implement the DeviceLock interface to use the custom device locking parameters.

2. Invoke the setDeviceLock() method in the API class.

Please refer to this link for more details: Device Locking
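
One way step 1 could look in Java, as an added example that is not CA's own code: the nested `DeviceLock` interface is a stand-in whose `getKey()` method is an assumption, and `CompositeDeviceLock`, the `example-otp-app` label and the sample identifiers are hypothetical. It shows that a key derived from the platform identifier survives a reinstall but changes when the identifier changes, for example after a factory reset.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class CustomDeviceLockExample {
    // Stand-in for the library's DeviceLock interface; getKey() is an assumed
    // method name and signature, so check the SDK documentation for the real one.
    interface DeviceLock { String getKey(); }

    // Derives the locking key from a platform identifier and an app-chosen label,
    // so the raw identifier is never used as the key itself.
    static final class CompositeDeviceLock implements DeviceLock {
        private final String[] parts;

        CompositeDeviceLock(String platformId, String appLabel) {
            if (platformId == null || platformId.isEmpty() || appLabel == null) {
                throw new IllegalArgumentException("platform identifier and label are required");
            }
            parts = new String[] {platformId, appLabel};
        }

        @Override
        public String getKey() {
            try {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                for (String part : parts) {
                    byte[] b = part.getBytes(StandardCharsets.UTF_8);
                    // Length-prefix each field so ("ab","c") and ("a","bc") differ.
                    md.update(new byte[] {(byte) (b.length >>> 8), (byte) b.length});
                    md.update(b);
                }
                StringBuilder hex = new StringBuilder();
                for (byte x : md.digest()) hex.append(String.format("%02x", x));
                return hex.toString();
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("SHA-256 unavailable", e);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample identifiers, not real device values.
        DeviceLock first = new CompositeDeviceLock("a1b2c3d4e5f60718", "example-otp-app");
        DeviceLock reinstall = new CompositeDeviceLock("a1b2c3d4e5f60718", "example-otp-app");
        DeviceLock afterReset = new CompositeDeviceLock("0f1e2d3c4b5a6978", "example-otp-app");
        System.out.println("reinstall keeps key: " + first.getKey().equals(reinstall.getKey()));
        System.out.println("reset keeps key:     " + first.getKey().equals(afterReset.getKey()));
    }
}
```

In an app, the platform identifier would be read from the device and the implementation passed to setDeviceLock() as in step 2.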

 

In the case of iOS, if you want to persist the unique ID between installation and uninstallation, you can use identifierForVendor, which belongs to the UIDevice class. This identifier is unique per device and per vendor.

 

You can also disable the device locking feature by passing a NULL value to the setDeviceLock() method. 

Environment

Release: ARCWFT05900-8.1-Arcot-WebFort-for Windows