
We've recently discovered that even though the Apple docs suggest the APNS tokens may be unique to each app and may change over time, they are NOT unique to an app, and they also do not change (at least not over the last 18 months).

So if you have two apps on the same device they both share the same UDID and the same APNS token.

Whilst on the surface this may seem like a huge security issue it is not as bad as it seems, because in order to send push notifications to a device you must have the correct APNS .p12 certificate generated by Apple for the app AND the app must be installed on that device.

I would see the UDIDs as more of a security breach given the fact that many developers are still using the now deprecated UDID to interface with web services.

On a similar note, if you are developing an app and need to have a unique identifier you should be using Secure UDID or something similar (https://github.com/crashlytics/secureudid), and if you're sending data to your own web service, don't just use SSL, use encryption such as SHA to prevent MITM sniffing of your data. Both iOS and Android allow installation of root CA certs, which is amazing for developing and sniffing APIs but dangerous if you're writing web services and ONLY relying on SSL and no other encryption.




> you should be using Secure UDID or something similar

As an app developer, does this give me some benefit over just generating and saving a random UUID on first launch?


If you save the random number, what happens when they wipe the device and reinstall your app? No way to get that original number back. Secure UDID is deterministic, so you'd get the same ID, and can resume the original session.


One way around this is to store that number in iCloud. Then you can always get it back no matter the device.
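The exchange above contrasts a random UUID saved on first launch with a deterministic, per-developer identifier of the kind SecureUDID derives. The following is an added example (not code from the thread or from the SecureUDID project) that models both in plain Python: a device-wide random owner secret that survives reinstalling any single app but not a device wipe, a per-domain identifier computed as HMAC-SHA256 of that secret over the developer's domain and salt, and the random-per-install alternative. The `Store` class, the domain and salt strings, and the reinstall/wipe simulation are constructed stand-ins for on-device storage and are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import uuid


class Store:
    """Constructed in-memory key/value store standing in for on-device storage."""

    def __init__(self):
        self.items = {}


def owner_key(shared):
    """Device-wide random secret, created once and persisted in the shared store.

    SecureUDID keeps an equivalent secret in storage shared between apps so it
    survives a single app being deleted and reinstalled; a device wipe clears it.
    """
    if "owner_key" not in shared.items:
        shared.items["owner_key"] = secrets.token_bytes(32)
    return shared.items["owner_key"]


def domain_identifier(shared, domain, salt):
    """Deterministic per-developer identifier: HMAC-SHA256 of the owner key over
    the developer's domain and salt (both assumed, illustrative values).

    Two apps from the same developer (same domain and salt) get the same value; a
    different domain gets an unrelated value, so two developers cannot join their
    user records on it, and the raw owner key is never exposed.
    """
    message = domain.encode() + b"\x00" + salt.encode()
    return hmac.new(owner_key(shared), message, hashlib.sha256).hexdigest()


def first_launch_identifier(app_private):
    """The alternative asked about in the thread: a random UUID saved in the app's
    own storage on first launch. Deleted together with the app."""
    if "install_id" not in app_private.items:
        app_private.items["install_id"] = str(uuid.uuid4())
    return app_private.items["install_id"]


def simulate():
    """Walk through install, reinstall and wipe; return what survives each step."""
    shared = Store()   # survives reinstall of any one app, not a device wipe
    app_a = Store()    # app A's private storage, removed when the app is deleted

    a_id = domain_identifier(shared, "com.example", "salt-1")
    b_id = domain_identifier(shared, "com.example", "salt-1")  # second app, same developer
    other = domain_identifier(shared, "com.other", "salt-2")   # a different developer
    a_random = first_launch_identifier(app_a)

    # Reinstall app A: app-private storage is gone, the shared owner key is not.
    app_a_reinstalled = Store()
    after_reinstall_domain = domain_identifier(shared, "com.example", "salt-1")
    after_reinstall_random = first_launch_identifier(app_a_reinstalled)

    # Device wipe: everything is gone, including the shared owner key.
    wiped = Store()
    after_wipe_domain = domain_identifier(wiped, "com.example", "salt-1")

    return {
        "same_developer_same_id": a_id == b_id,
        "other_developer_differs": a_id != other,
        "domain_id_survives_reinstall": a_id == after_reinstall_domain,
        "random_id_survives_reinstall": a_random == after_reinstall_random,
        "domain_id_survives_wipe": a_id == after_wipe_domain,
    }


if __name__ == "__main__":
    for check, result in simulate().items():
        print(f"{check}: {result}")
```

The simulation shows the trade-off the thread describes: the HMAC-derived identifier comes back unchanged after an app reinstall because the owner secret lives outside the app, while the first-launch UUID does not; neither survives a device wipe, which is the gap the iCloud suggestion is meant to close.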



