How to make a secure login using UDID or device token?

Question

So I\'m making an app where I want the users to be able add, edit and rate content, but I do not want to force them to register. Instead I was planning on just using their d

Answer 1

I am no Android expert but the IMEI code I think is unique for the device. I dont know though how you can read it and transmit it.

Answer 2

In theory, you cannot. A device ID is not particularly secret, and in most cases, it can be easily spoofed. As for Android, there's no reliable device ID on that OS at all - see the gory details here: Is there a unique Android device ID?

All you can rely upon is security by obscurity - hoping that no one will be determined enough to reverse-engineer the code and analyse the authentication protocol. And not disclosing the code is not an option - you are distributing the app after all.

That said, one not-particularly-secure auth method would be - send the device ID and a hash of device ID concatenated with a secret, hard-coded in the client code string. The service would contain a copy of the same string, recalculate the hash (using the device ID provided) and match the hashes. Not breakable by protocol analysis, only by digging in the code for the string. Vulnerable to replay attacks though.

For a stronger solution, authenticate users, not devices. This is up to your customers, and depends on the nature of the business.