Android Question: How can I do this authentication?

LucaMs

Expert
Licensed User
Longtime User
Problem: identify and authorize a user of my app connected to my server.

Some considerations I have made.

Users do not like to give their email.

I would like the user to be able to start the app and, if it is not the first start ever, access the Server directly (a game on the Server).

I could use a UUID created by the app, but there is no way to save it without the risk of it being deleted. In addition, there is no absolute certainty of always getting a different UUID (what if my app were installed on 100 million devices? Since it will not be free, I would become quite rich, but that's another story :)).

In addition, an attacker could send a random UUID. The server, receiving this UUID and not finding it in the related DB, would consider the user a new user and accept and store the UUID.

I cannot find the ideal solution, especially from the point of view of safety.
 

LucaMs

Expert
Licensed User
Longtime User
You can find an almost unique id with the method described here: Android Device Unique ID - Alternative to PhoneId

You can also let the user register on your server, with or without a server.

I read that thread (it also contains the objection that DirInternal is cleared when an app is reinstalled). In fact, I had tried a random but long number, for which I had opened a thread.

This seems like a quiz:
"You can also let the user register on your server, with or without a server"
:)


Briefly, there are two problems:

1) the device does not have a place in which you can save data (a UUID or an AppID-RND number) that will not be deleted;
2) to whom I must send that AppID (perhaps I should say "how").


Do you think Google will allow my app to be free but require a payment (through PayPal, for example) in order to be activated?
In this way I would send the AppID to a person who actually has my app installed on his device.



Well, if anyone has the solution ... I'm here :)


Thank you
 
Upvote 0

LucaMs

Expert
Licensed User
Longtime User
If you want to identify a user in the system then the best option is to let the user register in your system. It can either happen automatically with the device id or manually by letting the user choose a user name.

You need to implement the back end of this process.


The first thing I thought was:

The app, during the first start ever, creates a random code (IDKey long) and sends it to the server along with a nickname chosen by the user.

The server cannot find the IDKey, so it inserts it. The server checks the uniqueness of the nick; if necessary, the server asks the client for another nick.

But an attacker could send an IDKey and a nick without having my app.

In addition, the client should store the IDKey somewhere, but there are no indelible places.



I did not understand your answer.

But for now I omit this part, otherwise it will lead me to a mental hospital :confused: :)
 
Upvote 0
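As an added example (not code from the thread or from B4X), here is a minimal server-side model of the flow sketched in the post above (random IDKey generated on first start, sent with a nickname; the server inserts an unknown key and asks for another nick when the chosen one is taken) together with the collision estimate behind the "100 million devices" worry in the first post. The server side is written in Python since the thread does not say what the server runs; the names (RegistrationServer, new_id_key, collision_probability) and the 128-bit key size are assumptions for this example.

```python
# Added example: registration/login flow with a client-generated random IDKey.
# RegistrationServer, new_id_key, collision_probability and the 128-bit key
# size are hypothetical names/choices, not from the thread.
from __future__ import annotations

import hashlib
import secrets
import sqlite3
from typing import Optional, Tuple

ID_KEY_HEX_LEN = 32  # 16 random bytes = 128 bits (assumed size for the "IDKey")


def new_id_key() -> str:
    """Client side: the random IDKey generated on the app's first start.
    secrets.token_hex draws from the OS CSPRNG, so the key is not guessable."""
    return secrets.token_hex(ID_KEY_HEX_LEN // 2)


def valid_id_key(id_key: object) -> bool:
    """Accept only keys of the expected shape; anything else is rejected early."""
    if not isinstance(id_key, str) or len(id_key) != ID_KEY_HEX_LEN:
        return False
    return all(c in "0123456789abcdef" for c in id_key)


def valid_nick(nick: object) -> bool:
    """Simple nickname policy (constructed for the example)."""
    return isinstance(nick, str) and 3 <= len(nick) <= 20 and nick.isalnum()


def key_fingerprint(id_key: str) -> str:
    """Store a SHA-256 hash instead of the key itself, so a copied users table
    does not hand the holder a set of working credentials."""
    return hashlib.sha256(id_key.encode("ascii")).hexdigest()


class RegistrationServer:
    """In-memory stand-in for the game server's user table."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (key_hash TEXT PRIMARY KEY, nick TEXT UNIQUE NOT NULL)"
        )

    def register(self, id_key: str, nick: str) -> Tuple[str, Optional[str]]:
        """Request sent on first start. Returns (status, nick)."""
        if not valid_id_key(id_key):
            return "bad_key", None
        if not valid_nick(nick):
            return "bad_nick", None
        key_hash = key_fingerprint(id_key)
        row = self.db.execute(
            "SELECT nick FROM users WHERE key_hash = ?", (key_hash,)
        ).fetchone()
        if row is not None:
            # Key already known: this is a returning client, its stored nick wins.
            return "known", row[0]
        if self.db.execute("SELECT 1 FROM users WHERE nick = ?", (nick,)).fetchone():
            # Nick taken: ask the client for another one; nothing is stored yet.
            return "nick_taken", None
        self.db.execute("INSERT INTO users VALUES (?, ?)", (key_hash, nick))
        self.db.commit()
        return "registered", nick

    def login(self, id_key: str) -> Optional[str]:
        """Later starts: look the key up and return the nick, or None if unknown."""
        if not valid_id_key(id_key):
            return None
        row = self.db.execute(
            "SELECT nick FROM users WHERE key_hash = ?", (key_fingerprint(id_key),)
        ).fetchone()
        return row[0] if row else None


def collision_probability(n_devices: int, key_bits: int) -> float:
    """Birthday-bound estimate that any two devices draw the same random key:
    p ~= n^2 / 2^(key_bits + 1)."""
    return (n_devices * n_devices) / 2.0 ** (key_bits + 1)


if __name__ == "__main__":
    server = RegistrationServer()
    key = new_id_key()
    print(server.register(key, "LucaMs"))           # ('registered', 'LucaMs')
    print(server.register(new_id_key(), "LucaMs"))  # ('nick_taken', None)
    print(server.login(key))                        # LucaMs
    print(collision_probability(100_000_000, 128))  # about 1.5e-23
```

Two design points worth noting: with 128 random bits, the chance of two of 100 million installs colliding is on the order of 1e-23, so uniqueness is not the practical problem; and, as the post says, the server cannot tell a genuine app from anyone who sends a well-formed key and nick, so this flow only identifies a returning client and limits the damage of a leaked table (hashed keys), while abuse of the registration endpoint has to be handled separately, for example by rate limiting it.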