Network-Based Web Browser Fingerprinting
Network-based web browser fingerprinting is useful in a pure web environment. It requires no client software, which makes deployment of the solution to large and diverse user populations manageable. Additionally, this technique does not place any logic on the client side, where it may be vulnerable to exploit.
When a client accesses a protected application via a web browser, the system uses all of the information in the HTTP request headers sent by the browser. As seen below, a large amount of information is available to the server to determine the unique device accessing the resources.
GET /scripts/login/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:220.127.116.11) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
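The following added example (not code from the original page or from any product it describes) shows how a server could turn the request headers above into a device fingerprint and compare it with one enrolled at an earlier login. The header selection, the keyed hash, the function names, the demo key and every header in the sample other than the page's `GET` and `User-Agent` lines are assumptions.

```python
import hashlib
import hmac

# Assumed selection of headers; the page does not say which ones a product uses.
FINGERPRINT_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")
SERVER_KEY = b"constructed-demo-key"  # constructed value, keep a real key server-side

# Constructed sample: request line and User-Agent are from the page, the rest is made up.
SAMPLE_LOGIN = (
    "GET /scripts/login/ HTTP/1.1\n"
    "Host: app.example.test\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:220.127.116.11) "
    "Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)\n"
    "Accept: text/html,application/xhtml+xml\n"
    "Accept-Language: en-us,en;q=0.5\n"
    "Accept-Encoding: gzip,deflate\n"
    "\n"
)

def parse_headers(raw_request: str):
    """Return (request_line, [(name, value), ...]) with header order preserved."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def fingerprint(raw_request: str, secret: bytes) -> str:
    """Keyed hash over selected header values plus the order the headers arrived in."""
    _, headers = parse_headers(raw_request)
    values = dict(headers)
    parts = [f"{h}={values.get(h, '')}" for h in FINGERPRINT_HEADERS]
    # Header order differs between browser families, so it is kept as a signal.
    parts.append("order=" + ",".join(name for name, _ in headers))
    # HMAC instead of a bare hash: stored fingerprints cannot be recomputed offline.
    return hmac.new(secret, "\n".join(parts).encode(), hashlib.sha256).hexdigest()

def is_known_device(raw_request: str, enrolled: set, secret: bytes) -> bool:
    """True if this request's fingerprint matches one enrolled for the account."""
    fp = fingerprint(raw_request, secret)
    return any(hmac.compare_digest(fp, known) for known in enrolled)

if __name__ == "__main__":
    enrolled = {fingerprint(SAMPLE_LOGIN, SERVER_KEY)}
    print(is_known_device(SAMPLE_LOGIN, enrolled, SERVER_KEY))
```

Every input here is chosen by the client and many devices send identical headers, so a match or mismatch is best treated as one risk signal feeding a step-up authentication decision.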
Flash fingerprint data is only available if Adobe Flash is present on the device. During the login process, fingerprint data is gathered from the user's Adobe Flash installation. The Flash system capability data is used as the Flash fingerprint. This technique has been losing favor over time as it does not work on all systems, especially mobile, and Adobe has announced they are retiring Flash.
SDK-based Device Fingerprinting
SDK-based device fingerprinting is the most powerful form of fingerprinting, as a piece of code is running locally on the device. This typically expands the number of attributes available and in many cases provides access to unique hardware-based identifiers (IMEI, MAC address, etc.). Mobile application developers will usually integrate an off-the-shelf library into their apps. Mobile-specific data such as application ID, GPS/triangulation location and IMEI (International Mobile Equipment Identity)/MAC address (Media Access Control address) can be collected and communicated along with other device data. SDK integration can provide a more comprehensive fingerprint than other methods. In addition, by using SDK fingerprinting, identifying and tracking mobile devices is possible even when access is not via a browser.