Device Fingerprinting Techniques

There are four common techniques for acquiring a device fingerprint: network-based web browser, Flash, JavaScript, and SDK fingerprinting. Fingerprinting works the same way on desktop and laptop PCs as on mobile devices and smartphones that run full-function browsers.

Network-Based Web Browser Fingerprinting

Network-based web browser fingerprinting is useful in a pure web environment. It requires no client software, which makes deploying the solution to large and diverse user populations manageable. Additionally, this technique does not place any logic on the client side, where it might be vulnerable to exploitation.

When a client accesses a protected application through a web browser, the system uses all the information in the HTTP request headers the browser sends. As seen below, a large amount of information is available to the server for determining which unique device is accessing the resources.

GET /scripts/login/ HTTP/1.1
Host: www.mybank.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t32vgf4932r6q9ij3kfeu140
Pragma: no-cache
Cache-Control: no-cache
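
The following is an added example, not code from the original page: a server-side sketch that reduces the request above to a header fingerprint. It assumes SHA-256 as the digest, assumes that Host, Cookie and the cache directives are excluded because they identify the site or the session rather than the device, and also hashes the order in which the browser sent its headers; the names `EXCLUDED`, `parse_headers`, `header_fingerprint` and `same_device` are hypothetical.

```python
import hashlib

# Constructed sample: the request shown above, as it arrives on the wire.
SAMPLE_REQUEST = (
    "GET /scripts/login/ HTTP/1.1\r\n"
    "Host: www.mybank.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) "
    "Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "Cookie: PHPSESSID=r2t32vgf4932r6q9ij3kfeu140\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Assumption: these headers describe the site or the session, not the device.
EXCLUDED = {"host", "cookie", "pragma", "cache-control"}

def parse_headers(raw):
    """Return (name, value) pairs in wire order; the request line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def header_fingerprint(raw):
    """SHA-256 over the retained header values plus the order they were sent in."""
    stable = [(n, v) for n, v in parse_headers(raw) if n not in EXCLUDED]
    order = ",".join(n for n, _ in stable)
    # Length-prefix each field so content cannot shift between fields.
    fields = [order] + [f"{n}={v}" for n, v in stable]
    material = "".join(f"{len(f)}:{f}" for f in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def same_device(raw_a, raw_b):
    """True when two requests produce the same header fingerprint."""
    return header_fingerprint(raw_a) == header_fingerprint(raw_b)
```

A new login session from the same browser keeps the fingerprint, while a change in any retained header value or in header order produces a different one.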

Flash Fingerprinting

Flash fingerprint data is only available if Adobe Flash is present on the device. During the login process, fingerprint data is gathered from the user's Adobe Flash installation. The Flash system capability data is used as the Flash fingerprint. This technique has been losing favor over time as it does not work on all systems, especially mobile, and Adobe has announced they are retiring Flash.

JavaScript Fingerprinting

JavaScript fingerprinting, which is widely used by sites, can serve as the primary digital fingerprint or coexist with Flash fingerprinting. Many sites utilize both JavaScript and Flash fingerprinting: when Flash is available it is used as the primary method, and the site falls back to JavaScript only when Flash is not present.

SDK-based Device Fingerprinting

SDK-based device fingerprinting is the most powerful form of fingerprinting, as a piece of code runs locally on the device. This typically expands the number of attributes available and, in many cases, gives access to unique hardware-based identifiers (IMEI, MAC address, etc.). Mobile application developers will usually integrate an off-the-shelf library into their apps. Mobile-specific data such as application ID, GPS/triangulation location, and IMEI (International Mobile Equipment Identity) or MAC address (Media Access Control address) can be collected and communicated along with other device data. SDK integration can provide a more comprehensive fingerprint than other methods. In addition, with SDK fingerprinting, identifying and tracking mobile devices is possible even when access is not via a browser.