Bottom line, this is an insecure way to authenticate a device (Chris summed it up very aptly in his earlier thread).
On Wed, Oct 26, 2011 at 1:55 AM, Nick <[email protected]> wrote:

> > Wouldn't it be more secure if they hashed the IMEI before placing it into the header? This way a unique hash can be used as an authentication key. Hashes are more difficult to match. Or to make it more difficult, split the IMEI into 2, hash both parts, and combine them together in the same string. An MD5 hash for example is 33 bytes long, if using that method, the app/site would send a long 66 byte hashed IMEI to the server to uniquely identify itself. If I built an Android app, I'd use this method to secure each app's license and in-app purchases.
>
> NTT Docomo says IMEI is not hashed. Not changed. It's just a plain text in HTTP User-Agent header and original header.
> Please see:
> http://www.nttdocomo.co.jp/service/developer/smart_phone/service_lineup/music_movie/index.html
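The sketch below is an added example, not code from any poster in this thread or from NTT Docomo. It implements the split-and-hash header value proposed in the quoted message and shows that it is still a fixed value a server can only compare, so a copy of the header passes the same check; `ChallengeServer`, `respond` and the sample IMEI are hypothetical names and constructed values used to contrast it with a per-install secret and a one-time nonce.

```python
import hashlib
import hmac
import secrets

SAMPLE_IMEI = "490154203237518"  # constructed sample value, not a real device


def split_hash_token(imei: str) -> str:
    """Scheme proposed in the thread: MD5 each half of the IMEI, concatenate."""
    mid = len(imei) // 2
    halves = (imei[:mid], imei[mid:])
    return "".join(hashlib.md5(h.encode()).hexdigest() for h in halves)


def static_check(presented: str, enrolled: str) -> bool:
    """Server side of the static scheme: compares a value that never changes."""
    return hmac.compare_digest(presented, enrolled)


def respond(device_secret: bytes, nonce: bytes) -> str:
    """Device side (assumed design): prove knowledge of a secret without sending it."""
    return hmac.new(device_secret, nonce, hashlib.sha256).hexdigest()


class ChallengeServer:
    """Hypothetical alternative: random per-install secret plus one-time nonce."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret
        self._pending = set()

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used nonce: a replayed response fails
        self._pending.discard(nonce)
        return hmac.compare_digest(respond(self._secret, nonce), response)
```

The static token is derived only from the IMEI, so it is identical on every request and on every server that uses the scheme; the challenge response is bound to a nonce that the server accepts once.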
