ForgeRock Developer Experience

Uniquely identifying devices

The Device Match node looks up a user’s stored device profiles using a device identifier as a key. The ForgeRock SDKs generate the device identifier as part of the device profile that they return to the Device Profile Collector node in the JSON payload.

For example:

{
  "identifier": "d50cdb5ce8d055a3-86bd35e1b975a14d76b40940112c2380264c8efd",
  ....
}

Device identifier generation

This section covers the identifiers used on each platform, and how they are generated.

  • Android

  • iOS

  • JavaScript

On Android, a static device ID is not possible.

Static device ID

An ID that never changes, even during a factory reset or app re-installation.

Instance ID

An identifier for an instance of an application.

Instead of using a device ID, Android uses an instance ID. The instance ID provides a unique identifier for each instance of an app, or app group.

Instance ID generation algorithm:

  1. Generate a public/private key pair, and store the KeyPair in the AndroidKeyStore (Shared Storage).

  2. Hash the public key with SHA1.

  3. Encode with Base64.

  4. Compile the ANDROID_ID with the hashed public key.

On iOS, FRDeviceIdentifier provides a unique identifier for each device that is defined in the same Shared Keychain Access Group.

FRDeviceIdentifier provides a secure mechanism to uniquely generate, persist, and manage the identifier.

Device ID generation algorithm:

  1. Generate an RSA key pair with key size of 2048.

  2. Persist RSA keys in the Shared Keychain Service.

  3. Hash the public key with SHA1.

  4. Convert the hashed data into a hex string.

To view code that shows how iOS generates the device ID, see FRDeviceIdentifier.swift.

In JavaScript, the browser’s crypto library generates the device ID. The ID is stored in the browser’s localStorage.

To view code that shows how JavaScript generates the device ID, see index.ts in the forgerock-javascript-sdk repository.

When can identifiers change?

If the identifier changes, the Device Match node will be unable to match any stored device profiles.

If this happens, your journey must collect and store a new device profile, which contains the new identifier.

This section explains what can cause an identifier to change on each platform.

  • Android

  • iOS

  • JavaScript

In Android, the instance ID is deleted or changes if any of the following occurs:

  • An app is restored on a new device.

  • The user uninstalls and re-installs the app.

  • The user clears app data.

On iOS, the device ID is stored in the Keychain. This means the ID persists when the app is removed.

However, the device ID is deleted or changes if any of the following occurs:

  • The user wipes or factory resets the phone.

  • The user migrates to a new phone.

  • The keychain is programmatically deleted from the phone.

  • The device ID is programmatically deleted from the Keychain.

  • The keychain identifier in the forgerock_keychain_access_group configuration property changes.

In JavaScript, the device ID is deleted or changes if any of the following occurs:

  • The browser window creates the device ID while in "private" or "incognito" mode. Closing the browser removes the ID.

  • The browser removes the ID when cleaning up old data to make room for new data.

  • The browser is uninstalled and reinstalled. The ID is removed.

  • The user removes the device ID by clearing the browser data.
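The following Node.js sketch is an added example, not code from the ForgeRock SDKs. It follows the four iOS generation steps listed under "Device identifier generation" and shows why, as described under "When can identifiers change?", a stored profile stops matching once the persisted key pair is lost. The KeyStore class, the matchDevice function, and the choice of DER (SPKI) encoding for the hashed public key are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Hypothetical stand-in for the Shared Keychain: holds the persisted key pair.
class KeyStore {
  constructor() { this.keyPair = null; }
  wipe() { this.keyPair = null; } // models a factory reset or Keychain deletion
}

// Steps 1-2: generate an RSA-2048 key pair once and persist it.
// Steps 3-4: SHA-1 the public key and hex-encode the digest.
// Assumption: the key is hashed in DER (SPKI) form; the page does not name the encoding.
function deviceIdentifier(store) {
  if (!store.keyPair) {
    store.keyPair = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  }
  const der = store.keyPair.publicKey.export({ type: "spki", format: "der" });
  return nodeCrypto.createHash("sha1").update(der).digest("hex");
}

// Hypothetical profile store keyed by identifier, standing in for the lookup
// that the Device Match node performs.
function matchDevice(profiles, identifier) {
  return profiles.has(identifier) ? "matched" : "collect-new-profile";
}

function demo() {
  const keychain = new KeyStore();
  const profiles = new Map();

  const first = deviceIdentifier(keychain);
  profiles.set(first, { note: "constructed sample profile" });

  const again = deviceIdentifier(keychain); // key pair still persisted
  const beforeWipe = matchDevice(profiles, again);

  keychain.wipe(); // the stored key pair is gone
  const afterWipeId = deviceIdentifier(keychain); // new key pair, new identifier
  const afterWipe = matchDevice(profiles, afterWipeId);

  return { first, again, beforeWipe, afterWipeId, afterWipe };
}

console.log(demo());
```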

Copyright © 2010-2024 ForgeRock, all rights reserved.