70

We are developing an in-house web-based application for viewing data reports, targeting smartphones and tablets. Our customer asked us for the possibility that only certain devices could access the content. Since we use technologies based on JavaScript/HTML5, we are not capable of reading a unique ID like the IMEI or device UUID. The idea is to be able to automatically create a time-independent fingerprint of the device with the above-mentioned technologies.

The question is: are we able to create a unique device fingerprint with JavaScript/HTML5?

The clue might be information available or known to the browser (e.g. http://browserspy.dk/)

Kamil Kiełczewski
TauWich
  • I'm assuming you would want this to be all behind the scenes, so to speak? As in no passkey that has to be entered or anything? Also, by certain devices, do you mean only phones and tablets can access it, or only certain individual devices, like only employees' phones can access it? –  Sep 11 '13 at 10:02
  • 1
    Similar question that you may find useful: http://stackoverflow.com/questions/6445472/get-unique-static-id-from-a-device-via-web-request – Oliver Sep 11 '13 at 10:04
  • 2
    You are talking about JS and HTML5, but this is just the frontend technology. On the server side, you could use the MAC address from the device's requests, but even this is not safe as it can easily be spoofed. I'd go for some standard user-based authentication rather than device-based. – Rob Sep 11 '13 at 10:05
  • Does it have to be a web based app? Could it be an app that's installed on the devices, but written using web technology (html/javascript etc.)? – Reinstate Monica Cellio Sep 11 '13 at 10:18
  • possible duplicate of [How to allow only certain devices to access web site](http://stackoverflow.com/questions/18719936/how-to-allow-only-certain-devices-to-access-web-site) – Quentin Sep 11 '13 at 10:22
  • @tinkerbot: sorry for the lack of information, I meant certain individual devices. All of it should happen behind the scenes – TauWich Sep 11 '13 at 10:40
  • @Archer: also considering PhoneGap, but the first choice is to do it without any additional technology – TauWich Sep 11 '13 at 10:41
  • 1
    @TauWich If you want system information from the device the app is running on then you'll need to run native code. I can't think of a better way of doing it than PhoneGap. You could register new users and link them to their IMEI. In most people's world, that's foolproof. – Reinstate Monica Cellio Sep 11 '13 at 10:43

4 Answers

101

You can use the fingerprintJS2 library, it helps a lot with calculating a browser fingerprint.

By the way, on Panopticlick you can see how unique this usually is.

Shabbir Dhangot
Paul S.
  • 12
    Your "unique fingerprint" changes regularly with that method though. All you need to do is add/remove a browser plugin or system font and you're no longer classed as the same browser. – Reinstate Monica Cellio Sep 11 '13 at 10:45
  • 2
    That's right, but as far as I know, there is no other method. It might be a good idea to create a cookie (or a persistent cookie) to ignore future changes in the fingerprint. – Paul S. Sep 11 '13 at 11:06
  • @Archer: you are right, but I hope this method gives a fingerprint that is time-persistent enough. It is not so easy to change e.g. the system font on a mobile platform. I am going to test it right away. – TauWich Sep 11 '13 at 11:18
  • @PawełS.: there is apparently no persistent cookie or other type of web storage, see my question regarding this topic: http://stackoverflow.com/questions/18614188/persistent-client-side-web-storage – TauWich Sep 11 '13 at 11:20
  • @TauWich Most of these apps download and install fonts on Android devices... https://play.google.com/store/search?q=font+changer+for+android+phone&c=apps It's very easy and very common to change fonts yourself. Sorry, but I just don't see any way to rely on this suggestion - just my opinion :) – Reinstate Monica Cellio Sep 11 '13 at 11:26
  • @Archer: read this very interesting article on uniqueness and time changeability https://panopticlick.eff.org/browser-uniqueness.pdf – TauWich Sep 11 '13 at 12:38
  • [Panopticlick will **NOT** show you how unique a fingerprint is](https://games.greggman.com/game/panopticlick-hyperbole/). – gman Jun 23 '18 at 02:07
4

It looks like the PhoneGap plugin will allow you to get the device's UID.

http://docs.phonegap.com/en/3.0.0/cordova_device_device.md.html#device.uuid

Update: This is dependent on running native code. We used this solution writing javascript that was being compiled to native code for a native phone application we were creating.

RayLoveless
  • 1
    If this actually worked in a browser javascript context alone, then why isn't the https://github.com/Valve/fingerprintJS library using it? As far as I can tell phonegap is a mobile web-*application* development library not a standalone javascript library. – user3338098 Oct 12 '16 at 22:29
  • If this did work it would destroy any remaining concept of web browsing anonymity... this 'feature' would violate everyone's privacy expectations in browsing the web. – user3338098 Oct 12 '16 at 22:32
  • 5
    The Cordova plugin is dependent on running native code (e.g. java for Android, objective-C for iPhone), so it's not a pure javascript solution afaik. – treejanitor Nov 19 '16 at 16:03
  • 2
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/18579323) – Mehdi Dehghani Jan 21 '18 at 10:51
  • @user3338098: It anonymizes data so it's not a substantial privacy compromise. Besides native apps are sniffing your device IDs (with your permission) in any case. It's a missing feature for the web in my opinion. – Hassan Baig Sep 12 '18 at 17:30
  • @HassanBaig an identifier "anonymizes data"... please clarify. I thought the opposite was the case... – user3338098 Sep 13 '18 at 21:13
  • @user3338098: I solely meant the stripping of user details so that although you have data, you're unable to connect it to the specific user, and can only connect it to the uuid. – Hassan Baig Sep 14 '18 at 02:41
  • @MehdiDehghani, I agree; however, their documentation changes from time to time so I felt better pointing to the source rather than using a code example that could become dated. – RayLoveless Sep 14 '18 at 15:40
  • @HassanBaig I might be unable to, but that doesn't mean someone else can't. I just have to pay the right person for details *they* have on an identifier and then I have obtained the very user details that were intended to be unavailable in the first place. – user3338098 Sep 18 '18 at 16:39
  • @user3338098 each website origin could be given a unique tracing id instead – David Callanan Sep 02 '20 at 20:49
  • @DavidCallanan if each website origin had a unique tracing id, it would be no better than cookies or the various forms of local storage, and therefore redundant, however it would add to user confusion as to how to protect their privacy (the web is already quite complicated enough for those who are not as tech savvy). – user3338098 Sep 05 '20 at 23:18
2

I have the following idea for how you can deal with such an Access Device ID (ADID):

Generate ADID

  • prepare a web page https://mypage.com/manager-login where a trusted user, e.g. a manager, can log in from the device - that page should show a button "Give access to this device"
  • when the user presses the button, the page sends a request to the server to generate an ADID
  • the server generates the ADID, stores it on a whitelist and returns it to the page
  • then the page stores it in the device's localStorage
  • the trusted user now logs out.

Use device

  • Then another user, e.g. an employee, using the same device goes to https://mypage.com/statistics and the page sends the server a request for statistics including the ADID parameter (previously stored in localStorage)
  • the server checks whether the ADID is on the whitelist, and if so returns the data

In this approach, as long as the user uses the same browser and doesn't reset the device, the device has access to the data. If someone resets the device, the trusted user needs to log in and generate an ADID again.

You can even create an ADID management system for the trusted user where, on generating an ADID, he can also enter the device serial number; in the future, in case of a device reset, he can find this device and regenerate the ADID for it (which does not increase the whitelist size), and he can also drop ADIDs from the whitelist for devices which he will no longer give access to server data.

In case the system uses many domains/subdomains, the manager after login should see many "Give access from domain xyz.com to this device" buttons - each button will redirect the device to the proper domain, generate an ADID and redirect back.

UPDATE

Simpler approach based on links:

  • The manager logs in to the system using any device and generates a ONE-TIME USE LINK https://mypage.com/access-link/ZD34jse24Sfses3J (which works for e.g. 24h).
  • Then the manager sends this link to the employee (or someone else; e.g. by email), who puts that link into the device, and the server returns an ADID to the device, which stores it in Local Storage. After that the link above stops working - so only the system and the device know the ADID
  • Then the employee using this device can read data from https://mypage.com/statistics because it has an ADID which is on the server's whitelist
Kamil Kiełczewski
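The server side of the link-based ADID flow in the answer above, as an added example that is not part of the original answer. The class `DeviceAccess` and its method names are hypothetical; manager authentication and the HTTP layer are assumed to exist elsewhere.

```javascript
// Added example (not the answer's code): server side of the ADID scheme.
// DeviceAccess and its method names are hypothetical.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const newSecret = () => crypto.randomBytes(32).toString('hex'); // 256-bit, unguessable

class DeviceAccess {
  constructor(now = () => Date.now()) {
    this.now = now;             // injectable clock so expiry can be tested
    this.links = new Map();     // sha256(link token) -> { label, expires }
    this.whitelist = new Map(); // sha256(ADID) -> { label, issued }
  }

  // Manager (authenticated elsewhere) creates a one-time link for one device.
  issueLink(label, ttlMs = 24 * 60 * 60 * 1000) {
    const token = newSecret();
    this.links.set(sha256(token), { label, expires: this.now() + ttlMs });
    return token; // path segment of https://mypage.com/access-link/<token>
  }

  // Device opens the link: the token is consumed and the ADID is returned once.
  redeemLink(token) {
    const key = sha256(String(token));
    const link = this.links.get(key);
    this.links.delete(key); // single use, whether or not it was still valid
    if (!link || link.expires < this.now()) return null;
    const adid = newSecret();
    // Only the hash is kept, so a leaked whitelist does not reveal usable ADIDs.
    this.whitelist.set(sha256(adid), { label: link.label, issued: this.now() });
    return adid; // page stores it: localStorage.setItem('adid', adid)
  }

  // Run on every request for /statistics with the ADID the page sent.
  isAllowed(adid) {
    return typeof adid === 'string' && this.whitelist.has(sha256(adid));
  }

  // Manager drops a device from the whitelist; returns the number removed.
  revoke(label) {
    let removed = 0;
    for (const [key, entry] of this.whitelist) {
      if (entry.label === label) { this.whitelist.delete(key); removed++; }
    }
    return removed;
  }
}
```

The ADID is a bearer secret: whoever can read it from the device's localStorage holds the same access, so the check proves possession of the token rather than the identity of the hardware.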
2

You can use this javascript plugin

https://github.com/biggora/device-uuid

It can get a large list of information for you about mobiles and desktop machines, including the UUID, for example:

var uuid = new DeviceUUID().get();

e9dc90ac-d03d-4f01-a7bb-873e14556d8e

var du = new DeviceUUID().parse(); // properties the plugin detected for this browser
var dua = [
    du.language,
    du.platform,
    du.os,
    du.cpuCores,
    du.isAuthoritative,
    du.silkAccelerated,
    du.isKindleFire,
    du.isDesktop,
    du.isMobile,
    du.isTablet,
    du.isWindows,
    du.isLinux,
    du.isLinux64,
    du.isMac,
    du.isiPad,
    du.isiPhone,
    du.isiPod,
    du.isSmartTV,
    du.pixelDepth,
    du.isTouchScreen
];
centralhubb.com
  • I tried this on multiple systems and it results in generating the same ID on different systems. So it won't be helpful in this case. – Subramanian Feb 18 '21 at 09:35
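Two objections come up in the comments on this page: a fingerprint changes when a font or plugin is added, and the same ID is generated on different systems. The added example below, which is not code from FingerprintJS or device-uuid, reproduces both with a plain attribute hash; the attribute sets and function names are constructed for illustration.

```javascript
// Added example: an attribute-hash "device ID" checked for collisions and drift.
// Not the algorithm of any library named on this page; all data is constructed.
const { createHash } = require('crypto');

// Hash the attributes in sorted-key order so property order cannot change the ID.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs).sort()
    .map((k) => `${k}=${JSON.stringify(attrs[k])}`).join('\n');
  return createHash('sha256').update(canonical).digest('hex').slice(0, 16);
}

// Group a fleet by ID and return only the groups where several devices share one.
function collisions(fleet) {
  const byId = new Map();
  for (const [name, attrs] of Object.entries(fleet)) {
    const id = fingerprint(attrs);
    byId.set(id, [...(byId.get(id) || []), name]);
  }
  return [...byId.values()].filter((names) => names.length > 1);
}

// List the attributes whose change gives the same device a new ID.
function drift(before, after) {
  const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
  return [...keys]
    .filter((k) => JSON.stringify(before[k]) !== JSON.stringify(after[k]))
    .sort();
}

// Constructed sample: one tablet model as shipped from the same image.
const stockTablet = {
  platform: 'Linux armv8l', language: 'en-US', cpuCores: 8,
  screen: [800, 1280], pixelDepth: 24, touch: true,
  fonts: ['Roboto', 'Noto Sans'],
};
const fleet = {
  'tablet-A': stockTablet,
  'tablet-B': { ...stockTablet }, // second unit of the same model
  'phone-C': { ...stockTablet, screen: [412, 915], cpuCores: 6 },
};
// The same tablet-A after a font app installed one extra font.
const tabletAAfterFontApp = {
  ...stockTablet, fonts: ['Roboto', 'Noto Sans', 'Comic Neue'],
};
```

Running `collisions(fleet)` over an inventory of the devices that are meant to be distinguished shows, before deployment, whether the attributes can tell them apart at all.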