8 Replies Latest reply: May 2, 2012 7:22 AM by jdyeager
jdyeager Level 1 (0 points)

My company is planning on giving a free account for a game for each iBook we sell. In short, is there any kind of unique identifier I could grab in an HTML widget to tie that iBook or device to the free account we generate for them?

 

The only solution I see so far is to:

  1. Generate a unique id on the device and store it using local storage.
  2. Have the user create the free account from an HTML widget in the book, sending along that unique id to tie to the free game account.
  3. Store the unique id on our server to prevent creation of multiple accounts.

 

Clearly this doesn't really prevent creating multiple accounts though, since the user can just clear local storage and register again. So is there some identifier that the widget will have access to that the user cannot change?

 

Thanks,

 

Josh
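
The three steps in the post above as a runnable sketch. This is an added illustration, not code from the original poster: an in-memory object stands in for the widget's localStorage, and every function name is an assumption. It shows the server-side check refusing a repeated id, then accepting a fresh one once the storage has been cleared.

```javascript
// Added illustration; every name here is hypothetical, not an iBooks or Apple API.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Stand-in for the widget's window.localStorage so the sketch runs outside a browser.
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    clear: () => data.clear(),
  };
}

// Step 1: create the id once and keep it in local storage.
function getOrCreateDeviceId(storage) {
  let id = storage.getItem('deviceId');
  if (id === null) {
    const bytes = webcrypto.getRandomValues(new Uint8Array(16));
    id = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
    storage.setItem('deviceId', id);
  }
  return id;
}

// Step 3: the server keeps every id it has seen and refuses a repeat.
function makeAccountServer() {
  const accountsById = new Map();
  return {
    register(deviceId, username) {
      if (!/^[0-9a-f]{32}$/.test(deviceId)) return { ok: false, reason: 'bad-id' };
      if (accountsById.has(deviceId)) return { ok: false, reason: 'id-already-used' };
      accountsById.set(deviceId, username);
      return { ok: true };
    },
    accountCount: () => accountsById.size,
  };
}

// Step 2, run three times: first sign-up, a repeat, and a sign-up after a storage wipe.
function demo() {
  const storage = makeStorage();
  const server = makeAccountServer();
  const first = server.register(getOrCreateDeviceId(storage), 'reader-a');
  const repeat = server.register(getOrCreateDeviceId(storage), 'reader-b');
  storage.clear(); // same effect as clearing Safari data or reinstalling iBooks
  const afterWipe = server.register(getOrCreateDeviceId(storage), 'reader-c');
  return { first, repeat, afterWipe, accounts: server.accountCount() };
}
```

The server can only enforce uniqueness of the value it is sent, so the check holds exactly as long as the client keeps presenting the same id.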

  • 1. Re: Unique Identifier
    MichiHenning Level 4 (1,350 points)

    jdyeager wrote:

     

    Clearly this doesn't really prevent creating multiple accounts though, since the user can just clear local storage and register again. So is there some identifier that the widget will have access to that the user cannot change?

    I don't think so. You can generate a UID and put it into local storage, but local storage is wiped when iBooks is uninstalled or Safari data is cleared. At the very least, you'd have to allow people to re-establish the link between their device and the game account in case the ID is lost. Similar considerations apply to storing the data in a cookie.

     

    I don't see a way to prevent the multiple account creation issue either.

     

    Michi.

  • 2. Re: Unique Identifier
    K T Level 7 (23,700 points)

    You'd stand a chance of this type of scheme working if you simply relied on a logon off of your own servers (#2 above?) - this would aid the user that wants to retain certain info across multiple/new devices as well. If security is a need at all, there's not much you can do globally except to try making an app instead.

     

    I wouldn't rely on localStorage for anything beyond session, tho.

  • 3. Re: Unique Identifier
    MichiHenning Level 4 (1,350 points)

    K T wrote:

     

    You'd stand a chance of this type of scheme working if you simply relied on a logon off of your own servers (#2 above?) - this would aid the user that wants to retain certain info across multiple/new devices as well.

    The problem with this approach is that it allows anyone with the username/password to get access, not just people who have bought the book.

     

    Michi.

  • 4. Re: Unique Identifier
    jdyeager Level 1 (0 points)

    Yeah, the main issue is just that anyone who has bought the book would be able to create an unlimited number of free accounts for the game, which is also going to be sold separately. So if there is no way to tie a game account to a book purchase, we may have to re-think this setup.

     

    And unfortunately my company is very set on doing an iBook, so... yeah

     

    Anyway, thanks for the help guys. I'll have to think on this more.

  • 5. Re: Unique Identifier
    K T Level 7 (23,700 points)

    Good luck

     

    Keep us posted if you have time, etc., thanks.

  • 6. Re: Unique Identifier
    MichiHenning Level 4 (1,350 points)

    To make this work, Apple would have to do their bit. For example, they could make an ID available to JavaScript that is unique per purchase. Sounds simple in theory, but is messy in practice because that then means that the download image would have to be patched with the unique ID for each download. Not impossible, of course, but more work.

     

    There are also privacy concerns: as soon as each purchase has a unique ID that differs for each copy, that now makes it theoretically possible to trace the movement of each purchase across devices. Even if the ID could not be associated with a particular account, there would probably still be objections on privacy grounds.

     

    One option that might work: require purchasers to send in a copy of the purchase receipt in order to get their account. Not exactly elegant, work-intensive, and still subject to fraud though…

     

    Yet another option: use encryption and use the public key to encrypt the user name or some such from JavaScript, together with an opaque piece of data that was encrypted using a private key. Then send the result to the server to decide whether the request was made from the widget that's running inside the book.

     

    Again, this is not foolproof because anyone who is technically savvy could analyze the JavaScript, see what it does, and work out what to send. But it would deter casual theft at least.

     

    Michi.

  • 7. Re: Unique Identifier
    K T Level 7 (23,700 points)

    jdyeager wrote:

    ...my company is very set on doing an iBook

    Don't forget - there is a 'books' category for apps. Just don't call it an ibook. Call it a guide, reference, directive, etc.

  • 8. Re: Unique Identifier
    jdyeager Level 1 (0 points)

    Thanks for the suggestion about the receipt, we may have to do that. I was hoping that it might be possible to validate the receipt and then use the order # as my unique id, but it seems that receipt validation is only for in-app purchases. (Which seems to suggest that doing the book as an app really is the right way to go).

     

    Ah well, it may be that I'm more worried about security than I should be. The game is educational, not Diablo III or anything, so the number of people wanting to get it for free is probably fairly low.

     

    Thanks again.