I'm new to Xamarin so I'm still trying to figure out how some things work.
The thing is, I wanted to create a simple application where the user will receive an email if his account is logged in on an unknown device (yes, it looks like login alerts).
Correct me if my proposed method is incorrect: I want to create a list of every known device each user has logged in on, and compare it to the current device the login attempt was made from. Is there a way I can use a unique Android device ID in Xamarin for this situation?
Any answers/suggestions will be much appreciated 😁
Thank you in advance
Using a device ID would mean that if the user uninstalled your app and stashed the phone for a year, it would still be considered trusted. Users most likely won't remember what they did in the past and will blame you for failing to alert.
What you should use is an instance ID: a UUID that the app generates once and then saves. So uninstalling your app or clearing its data would make it "brand new and untrusted", because that's exactly what users expect.
To paraphrase Fifth Element: Device not important. Only app important.
Also note that mobile users expect to log into an app once and remain logged in forever. Some apps (like banking apps) add an extra PIN, fingerprint or password to actually access the data, but the app remains paired to the user account forever. In that case, there is a server-side list of app instances paired to the user's account, so it's trivial to notify about a new pairing. Bonus: you don't need any client-dependent IDs; have the server assign the ID on pairing.
Using Firebase in Unity, I know that I can send a verification email to register a new login, but I would like that, when the user tries to log in on another device, Firebase sends a verification email confirming the action and exiting the old device. I don't know if this is possible because I'm a layman in the subject.
The language used is C# and I don't even know the terms to search for on the internet.
The Firebase SDKs and products are not bound to specific devices. So there is no built-in way to get them to verify a user moving from one device to another.
The closest that exists within Firebase are its Installation IDs, which identify a specific installation (so a specific app on a specific device). If you'd associate an installation ID with each of your users, you could detect when they use a different installation ID than the one you have stored for them, and initiate a verification for the new device. But that'd be up to you to implement, as Firebase has nothing built in for such verification.
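The server-side list of paired app instances from the first answer, and the stored-ID comparison suggested for Firebase installation IDs, can be implemented along these lines in C#. This is an added example, not code from either answer or from Firebase; PairingRegistry, OnLogin and the alert callback are hypothetical names, the dictionary stands in for a database table, and CryptographicOperations needs .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class PairingRegistry
{
    // userId -> SHA-256 hashes of issued instance tokens (in-memory stand-in for a DB table)
    private readonly Dictionary<string, List<byte[]>> _paired = new Dictionary<string, List<byte[]>>();
    private readonly Action<string, string> _alert;   // (userId, message): hypothetical e-mail hook

    public PairingRegistry(Action<string, string> alert) { _alert = alert; }

    // Call after the credentials were verified. 'presented' is the token the app saved at
    // its last pairing, or null after a fresh install. Returns the token the app must store.
    public string OnLogin(string userId, string presented, string clientInfo)
    {
        if (presented != null && IsPaired(userId, presented)) return presented; // known instance
        byte[] raw = new byte[32];                     // the server mints the ID, not the client
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        if (!_paired.TryGetValue(userId, out var list)) _paired[userId] = list = new List<byte[]>();
        list.Add(Hash(token));                         // store only the hash of the token
        _alert(userId, "New app instance paired: " + clientInfo);
        return token;
    }

    public bool IsPaired(string userId, string token)
    {
        if (!_paired.TryGetValue(userId, out var list)) return false;
        byte[] h = Hash(token);
        bool found = false;
        foreach (byte[] stored in list) found |= CryptographicOperations.FixedTimeEquals(stored, h);
        return found;
    }

    private static byte[] Hash(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    public static void Main()
    {
        // Constructed sample user and client descriptions
        var reg = new PairingRegistry((user, msg) => Console.WriteLine("ALERT to " + user + ": " + msg));
        string t1 = reg.OnLogin("alice", null, "Android phone");  // fresh install: alert
        reg.OnLogin("alice", t1, "Android phone");                // same install: silent
        reg.OnLogin("alice", null, "tablet");                     // reinstall or new device: alert
    }
}
```

With Firebase, the presented value would be the installation ID reported by the client instead of a server-minted token; the comparison and the alert stay the same.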
So, I'm trying to check from my application if my device has any type of protection when the user tries to unlock it.
What it means: I need to know if the device could be unlocked without a graphical (numeric) key for mobile devices. For desktop devices I need to know if the current user has a password.
Is it possible in general for both cases (mobile and PC)?
On PC it seems there is no method to detect if a password is set for the user account, but there is a method to check if a PIN is set using the KeyCredentialManager.IsSupportedAsync | isSupportedAsync method; you can check the official KeyCredentialManager sample, the PassportAvailableCheck() method in the SignIn.xaml.cs file.
For PC, a PIN is a higher level of security; it can be set only if a password is set, and there could be other security policies. On mobile there is no password; if a PIN is set, it can be detected.
This topic belongs to the Security part of UWP apps; here are some good documents, for example Create a Microsoft Passport login app and Fingerprint biometrics. They may not be able to fully solve your problem, but you can see what we can and cannot do in a UWP app from these documents.
I am using in-app purchase. To see if user has bought the product, we need to connect to the store:
var listing = await CurrentApp.LoadListingInformationAsync();
then check the value. But I don't want to ask the store every time the user runs the app, so is it OK to save the purchase locally after a successful purchase, and after that just check whether the user bought the product or not (for durable products)?
Will this approach lead to any unexpected scenarios?
As a general rule it's safe to save knowledge of a successful IAP purchase.
Whether the purchase is of a consumable or a durable will have an impact on how your app should behave based on knowledge of that purchase.
Purchases ("In App" or otherwise) are related to an account, not a device, so if the item that is being purchased would have an impact if the user logged in on multiple devices then you should consider this in your application logic.
Similarly, users of your app may get new devices (repairs, replacements, upgrades, etc.) and want to continue their experience of your app on their new device without losing anything. Again you should consider this in your application logic too.
If this is a Windows Store app, if I understood correctly, there's a Windows service built into Windows 8 and Windows Phone. The service refreshes the licenses every 6 hours or so, and when the purchase button is clicked. Once the license is synced to the machine, the API calls are to the local service. Thus calling often isn't an issue, as long as you're just checking to see if the license is active and whether or not the license is a trial one. Now if you're getting information on the values of the products etc., I believe those are requested from the store and thus doing those often may be an issue.
I have created a software application which is Windows based. Soon I'm going to make it live, meaning my clients will be able to use it after they download it from my website. Also, I have made the software in a way that it works only with the key that I provide. Initially it's gonna be a free trial.
Here I'm generating a 35 digit key and it's a unique one. That means once the user requests the key from me and I send him/her the key, he/she may be able to use my application. But the real problem arises from here.
I want the code to be used only once.
Ex: If my application is downloaded by the user, he can use the key to use my application, but the same key cannot be used by anyone else. Let's suppose my key is xxx; the same code xxx should not work for any other person who has downloaded my application. This is just to make the software usable only by genuine users.
I have also gone through this link
http://social.msdn.microsoft.com/Forums/zh/winformssetup/thread/301913a0-ecf9-4095-8d66-a3f4baeea6eb
by Danny Staten
I still haven't met my requirements.
First of all I thought to get the IP address of the person who is registering to download my application, and based on that I can limit my key to be used only by the person whose IP address would be stored in my database. But I think it would be a wrong/unnecessary process. And to use my application the person's network cable would have to be plugged in each and every time. But it wouldn't solve my purpose.
Secondly I thought of creating a process of the application pinging my server or me.
Like initially when the user runs the application (online or offline) the application should work, but as soon as he connects the network cable/plug to the network an alert should be provided to my server or to me. And from my side I can make a check if the user is using the key that I have provided to him. If in either way the user is not genuine I should be able to stop him from using my application anymore. From my side I have decided to store the keys which have been provided by me inside the database, and each requested key in another table. I'm not sure if I'm going the right way. But as of now this is the thing that has come into my mind.
But to summarize, in the end I want that a key should be used by only one user. Just to avoid a million different users using my application with a single key.
I'm not sure about any idea that I have provided.
Now is there a way i can achieve that?
Get a hardware fingerprint of his machine and generate a key based on that. Your software should check whether the key was generated for that specific machine.
This however requires online activation of your software. You can do this in two ways:
- letting the user start the unactivated application and display the HW fingerprint, which he sends to you. You then return an activation key which he enters.
- your application connects automatically to an activation service and sends the fingerprint, receives the activation key and stores it.
Another point would be to include information about several components of hardware and allow user to change one or few. E.g. take fingerprint of HDD serial number, MAC address, motherboard SN, some CPU info (e.g. family name), you should allow user to upgrade or add another HDD.
There is an SO topic about getting hardware information.
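One way to implement the machine-bound key with tolerance for a changed component, as an added C# example that is not from the answer: the activation service signs per-component hashes with ECDSA, and the application verifies the signature with the public key and then requires a minimum number of components to match. LicenseDemo, its method names, the license format and the sample hardware values are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
public static class LicenseDemo
{
    // Hash each component on its own so one part can change without voiding the rest.
    public static string[] Fingerprint(params string[] parts) => parts.Select(p => {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(p)));
    }).ToArray();

    // Activation service: sign the fingerprint with the vendor's private key.
    public static string Issue(ECDsa vendorKey, string[] fp)
    {
        string payload = string.Join("|", fp);   // '|' and '.' never occur in Base64
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256);
        return payload + "." + Convert.ToBase64String(sig);
    }

    // Application: ships with the public key only, so it can verify keys but not mint them.
    public static bool IsValid(ECDsa vendorPub, string license, string[] current, int minMatches)
    {
        int dot = license.LastIndexOf('.');
        if (dot < 0) return false;
        string payload = license.Substring(0, dot);
        byte[] sig;
        try { sig = Convert.FromBase64String(license.Substring(dot + 1)); } catch (FormatException) { return false; }
        if (!vendorPub.VerifyData(Encoding.UTF8.GetBytes(payload), sig, HashAlgorithmName.SHA256))
            return false;                          // forged or edited license
        string[] licensed = payload.Split('|');
        return licensed.Length == current.Length
            && licensed.Zip(current, (a, b) => a == b).Count(same => same) >= minMatches;
    }

    public static void Main()
    {
        using (var vendor = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        using (var pub = ECDsa.Create(vendor.ExportParameters(false)))
        {
            // Constructed sample values: disk serial, MAC, board serial, CPU family
            string lic = Issue(vendor, Fingerprint("DISK-A1", "00:11:22:33:44:55", "BOARD-77", "FAM-6"));
            var diskSwapped = Fingerprint("DISK-B2", "00:11:22:33:44:55", "BOARD-77", "FAM-6");
            var otherPc = Fingerprint("DISK-Z9", "66:77:88:99:AA:BB", "BOARD-01", "FAM-6");
            Console.WriteLine(IsValid(pub, lic, diskSwapped, 3));  // 3 of 4 components still match
            Console.WriteLine(IsValid(pub, lic, otherPc, 3));      // only 1 of 4 components matches
        }
    }
}
```

The check runs on the user's machine, so it raises the effort needed to share a key rather than making sharing impossible; the signature only guarantees that the application cannot be fed a self-made license.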
You have to make a choice I think: the stronger your key system will be, the harder it'll be for your users.
I.e.: A good system would be to generate a hardware key, so it only gets installed on the computers that are registered. Although it works well, users who buy a new computer will probably have the trouble of asking you to register a new hardware key.
And if you only give them a key (like a serial number), it'll probably be easy to use it on another computer.
So basically, if you don't think many users will give away their key because the software isn't going to be used by many people, I would not get a "super-strong" hardware authentication.
Also, don't register an IP address, everyone with a dynamic IP will hate you for doing this.
I'm implementing notifications into my app, but I am trying to figure out what I need to do to know if a Channel is an "Update" vs a "New" channel that wants to receive notifications.
Currently, every time the app is run, it sends me the new channel and the expiry date. When I want to send a new notification, I am going to assume that every day I'll get a new one of these for the same person. I need a way to only send it to the person once.
I was thinking about using CoreApplication.Id and store that, but I am not sure if that is unique per application install.
Any ideas how to go about this? I have read several articles, but they are all just showing how to push it once, with no mention of this problem.
Thanks!
You will need to add another aspect of identification in your service. Because the URI can change any time, and there may be multiple installs of your client, you will have some challenges trying to identify unique per user notifications without having identified some "user" id uniquely.
Likely, you want to take advantage of either:
- Microsoft Account, using this to identify the user
- Make the client application get a "unique" identifier for your client from your server (it could just be a GUID), and save that in roaming settings. This will travel with the client across machines. If it's there, clearly it's not a new customer.
Note that if the user uninstalls your app on ALL their machines/accounts, then the roaming setting may go away. This is an undefined period of time.