Recipe Name:
Information Exposure: Avoid using hardware identifiers - Compliant
Description:
Using hardware identifiers is not recommended - compliant
Level:
error
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • Android
Documentation

Android best practices on unique identifiers state that developers should avoid using hardware identifiers.

While there are valid reasons why your application may need to identify a device rather than an instance of the application or an authenticated user on the device, for the vast majority of applications, the ultimate goal is to identify a particular installation of your app. Hardware identifiers such as SSAID (Android ID) and IMEI can be avoided in most use cases without limiting required functionality. For advertising use cases, developers should use Advertising IDs.

Dependency
compile 'com.google.android.gms:play-services:7.5.0'
Class information
com.google.android.gms.iid.InstanceID
  static InstanceID getInstance(Context)
  String getId()
  String getToken(...)
Correct code example
String iid = InstanceID.getInstance(context).getId();
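An added example, not part of the recipe or of the Android documentation: when the goal is only to identify one installation of the app, a random UUID generated on first run and kept in app-private storage does the job without touching any hardware identifier. The class name, preference file name and key are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import java.util.UUID;

/** Installation-scoped identifier: random, app-private, resettable. */
public final class InstallationId {
    private static final String PREFS_FILE = "installation_prefs"; // hypothetical file name
    private static final String KEY_ID = "installation_id";        // hypothetical key
    private static String cached;

    private InstallationId() {}

    // Device-scoped values this replaces (they outlive an uninstall and
    // cannot be reset by the app):
    //   Settings.Secure.getString(resolver, Settings.Secure.ANDROID_ID)  // SSAID
    //   telephonyManager.getDeviceId()                                   // IMEI

    /** Returns the ID for this installation, creating it on first use. */
    public static synchronized String get(Context context) {
        if (cached != null) {
            return cached;
        }
        SharedPreferences prefs = prefs(context);
        String id = prefs.getString(KEY_ID, null);
        if (id == null) {
            // randomUUID() draws from SecureRandom and carries no device data.
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY_ID, id).apply();
        }
        cached = id;
        return id;
    }

    /** Discards the current ID, e.g. on sign-out or a privacy reset. */
    public static synchronized void reset(Context context) {
        prefs(context).edit().remove(KEY_ID).apply();
        cached = null;
    }

    private static SharedPreferences prefs(Context context) {
        // MODE_PRIVATE keeps the file readable by this app only.
        return context.getApplicationContext()
                .getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE);
    }
}
```

Because the value lives in app data, it is discarded on uninstall or when the user clears storage. If the ID must not follow the user to another device, exclude the preference file from Auto Backup.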
Resources
Recipe
id: scw:android:hardware-identifiers-compliant
version: 10
metadata:
  name: 'Information Exposure: Avoid using hardware identifiers - Compliant'
  shortDescription: Using hardware identifiers is not recommended - compliant
  level: error
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/Information_Exposure__Avoid_using_hardware_identifiers_-_Compliant.html
  tags: security;framework specific;mobile;Android
search:
  methodcall:
    name: getId
    type: com.google.firebase.iid.FirebaseInstanceId
availableFixes: []