monxas monxas - 1 month ago 20
Android Question

Generating unique id in android (UUID)

For months I've been using a class to generate a UUID that was solid between reinstalls. My app is about discounts, so I rely on this UUID to limit the number of coupons per device.

    protected void getDeviceId() {
        try {
            Context context = cordova.getActivity().getApplicationContext();
            TelephonyManager tm = (TelephonyManager) context.getSystemService(Context.TELEPHONY_SERVICE);

            String uuid;
            String androidID = Secure.getString(context.getContentResolver(), Secure.ANDROID_ID);
            String deviceID = tm.getDeviceId();        // IMEI or MEID
            String simID = tm.getSimSerialNumber();    // SIM serial number

            // Treat a null or this specific ANDROID_ID value as missing
            if ("9774d56d682e549c".equals(androidID) || androidID == null) {
                androidID = "";
            }

            if (deviceID == null) {
                deviceID = "";
            }

            if (simID == null) {
                simID = "";
            }

            // Concatenate, left-pad with zeros to 32 characters, keep the first 32,
            // then format as 8-4-4-4-12
            uuid = androidID + deviceID + simID;
            uuid = String.format("%32s", uuid).replace(' ', '0');
            uuid = uuid.substring(0, 32);
            uuid = uuid.replaceAll("(\\w{8})(\\w{4})(\\w{4})(\\w{4})(\\w{12})", "$1-$2-$3-$4-$5");

            this.callbackContext.success(uuid);
        } catch (Exception e) {
            // "+" tolerates a null message; String.concat(null) would throw
            this.callbackContext.error("Exception occurred: " + e.getMessage());
        }
    }


That's the core of how I generate my UUID. The thing is, this weekend someone with an XT1032 and Android 5.1 was able to regenerate different UUIDs after each installation of the app, getting free coupons. Can this method that I use be tricked somehow? Maybe with a rooted phone? I'm shooting in the blind. I need to be able to create reliable UUIDs between installations.

Answer

Your UUID depends on three different IDs, all of which are easily changeable. There is no way to be sure whether this is the reason, but looking at the code here:

SSN (SIM serial number): getSimSerialNumber() gets you the SSN for the SIM card attached. A simple way to generate a different UUID for the same device would be simply to insert a different SIM card, which I know is cumbersome, but doable nonetheless.

IMEI/MEID: getDeviceId() returns the IMEI or MEID. So another way would be to change the IMEI of the device. If you only google "change phone IMEI without root" you will get loads of doable results, which might be an easier way (if automated).

Android Device ID: ANDROID_ID, according to the docs, changes each time the phone is restored. So again, the user can change the UUID just by restoring the phone.

Since your UUID is based on a chain of three unique IDs, fooling the system is as easy as the weakest link in your chain. ANDROID_ID being the strongest link in this chain, I'd recommend you use only it instead. Refer to this link as an alternative.
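Added example, not part of the original question or answer: the question's derivation with the Android calls replaced by plain parameters, run over several input states to check which ones yield a different ID and how much of each source survives the 32-character cut. The class name `DeviceIdStability` and all identifier values are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class DeviceIdStability {

    // Same steps as the question's getDeviceId(); inputs are passed in
    // instead of being read from Secure and TelephonyManager.
    static String derive(String androidID, String deviceID, String simID) {
        if (androidID == null || "9774d56d682e549c".equals(androidID)) androidID = "";
        if (deviceID == null) deviceID = "";
        if (simID == null) simID = "";
        String uuid = androidID + deviceID + simID;
        uuid = String.format("%32s", uuid).replace(' ', '0'); // left-pad with zeros
        uuid = uuid.substring(0, 32);                         // drop everything past 32
        return uuid.replaceAll("(\\w{8})(\\w{4})(\\w{4})(\\w{4})(\\w{12})", "$1-$2-$3-$4-$5");
    }

    public static void main(String[] args) {
        // Constructed sample values, not real identifiers.
        String androidId = "a1b2c3d4e5f60718";   // 16 hex characters
        String imei = "350000000000001";         // 15 digits
        String simA = "8901000000000000001";     // 19 digits
        String simB = "8901999999999999992";     // 19 digits

        Map<String, String> cases = new LinkedHashMap<>();
        cases.put("baseline", derive(androidId, imei, simA));
        cases.put("other SIM serial", derive(androidId, imei, simB));
        cases.put("SIM serial null", derive(androidId, imei, null));
        cases.put("other ANDROID_ID", derive("0f1e2d3c4b5a6978", imei, simA));
        cases.put("other device ID", derive(androidId, "350000000000002", simA));
        cases.put("ANDROID_ID null, SIM A", derive(null, imei, simA));
        cases.put("ANDROID_ID null, SIM B", derive(null, imei, simB));

        // Characters of the SIM serial that fit into the 32-character result
        // when all three sources are present.
        int simCharsKept = Math.max(0, 32 - androidId.length() - imei.length());
        System.out.println("SIM serial characters kept: " + simCharsKept
                + " of " + simA.length());

        String baseline = cases.get("baseline");
        for (Map.Entry<String, String> e : cases.entrySet()) {
            System.out.printf("%-24s %s  same as baseline: %b%n",
                    e.getKey(), e.getValue(), e.getValue().equals(baseline));
        }
    }
}
```

Because the sources are concatenated, padded and cut to a fixed width, the positions each one occupies shift whenever another source is empty, so a missing value changes the result as much as a different value does.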
