There are four common techniques for acquiring a device fingerprint: network-based web browser, Flash, JavaScript, and SDK fingerprints. Fingerprinting functions the same way on desktop/laptop PCs and on mobile devices and smartphones that run full-function browsers.
Network-Based Web Browser Fingerprinting
Network-based web browser fingerprinting is useful in a pure web environment. It requires no client software, which makes deploying the solution to large and diverse user populations manageable. Additionally, this technique does not place any logic on the client side, where it may be vulnerable to exploitation.
When a client accesses a protected application via a web browser, the system uses all the information in the browser's request headers. As seen below, a large amount of information is available to the server to determine the unique device accessing the resources.
Code
GET /scripts/login/ HTTP/1.1
Host: www.mybank.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t32vgf4932r6q9ij3kfeu140
Pragma: no-cache
Cache-Control: no-cache
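The server-side comparison described above, as an added example that is not code from the original page: it parses the request shown, hashes the headers that identify the browser install, and reports which of them changed between two logins. The choice of which headers count as stable and the names `STABLE_HEADERS`, `header_fingerprint` and `changed_attributes` are assumptions made for illustration.

```python
import hashlib

# The request shown above, embedded as raw text so the example runs offline.
SAMPLE_REQUEST = "\r\n".join([
    "GET /scripts/login/ HTTP/1.1",
    "Host: www.mybank.com",
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) "
    "Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Encoding: gzip,deflate",
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Keep-Alive: 300",
    "Connection: keep-alive",
    "Cookie: PHPSESSID=r2t32vgf4932r6q9ij3kfeu140",
    "Pragma: no-cache",
    "Cache-Control: no-cache",
    "", "",
])

# Assumption: these headers stay constant for one browser install, while
# Cookie, Pragma and Cache-Control change per session or per request.
STABLE_HEADERS = ("user-agent", "accept", "accept-language",
                  "accept-encoding", "accept-charset", "keep-alive")

def parse_headers(raw):
    """Return {lowercased-name: value} for the header lines of a raw request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def stable_attributes(raw):
    """Stable header values only; a missing header is itself a signal."""
    headers = parse_headers(raw)
    return {h: headers.get(h, "<absent>") for h in STABLE_HEADERS}

def header_fingerprint(raw):
    """SHA-256 over the stable headers in a fixed order."""
    attrs = stable_attributes(raw)
    canonical = "\n".join(f"{h}={attrs[h]}" for h in STABLE_HEADERS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def changed_attributes(raw_a, raw_b):
    """Names of stable headers that differ between two requests."""
    a, b = stable_attributes(raw_a), stable_attributes(raw_b)
    return [h for h in STABLE_HEADERS if a[h] != b[h]]
```

A new session cookie leaves the fingerprint unchanged, while a browser upgrade changes it; listing the changed attributes lets a risk engine treat a single-header drift differently from a wholly different device.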
Flash Fingerprinting
Flash fingerprint data is only available if Adobe Flash is present on the device. During the login process, fingerprint data is gathered from the user's Adobe Flash installation. The Flash system capability data is used as the Flash fingerprint. This technique has been losing favor over time as it does not work on all systems, especially mobile, and Adobe has announced they are retiring Flash.
JavaScript Fingerprinting
JavaScript fingerprinting, which is widely used by sites, can be used as the primary digital fingerprint or co-exist with Flash fingerprinting. Many sites utilize both JavaScript and Flash fingerprinting: when Flash is available it is used as the primary method, and the site defaults to JavaScript only when Flash is not present.
SDK-based Device Fingerprinting
SDK-based device fingerprinting is the most powerful form of fingerprinting, as a piece of code is running locally on the device. This typically expands the number of attributes available and in many cases gives access to unique hardware-based identifiers (IMEI, MAC address, etc.). Mobile application developers will usually integrate an off-the-shelf library into their apps. Mobile-specific data such as application ID, GPS/triangulation location and IMEI (International Mobile Equipment Identity)/MAC address (Media Access Control address) can be collected and communicated along with other device data. SDK integration can provide a more comprehensive fingerprint than other methods. In addition, by utilizing SDK fingerprinting, identifying and tracking mobile devices is possible even when access is not via a browser.