Hacker News

So... how does this protect against a replay attack?

i.e. I'm sniffing traffic at a local coffee shop, or I find out your 'unique' phone ID through a malicious app. Once I have that, I spoof my phone to be yours and suddenly I'm logged in as you.



The login system suggested should be used via HTTPS, where you have to do more than just sniff the traffic. Also, as the author mentioned, we don't do e-banking or stuff that involves $$$. Just keep it simple :)


Yeah, now that I think about it, username/password combos pose the same risk as this when it comes to sniffing.

Does it just use an easily obtained device ID, though? So could a potentially malicious app that the user installs also grab the device ID and then forward it?

Even if an app 'saves' a username/password combo, it does so (I hope, at least) in a secure way, where other apps can't access the saved info.

If all this system does is use a device ID, it's still not as secure. The article didn't mention whether or not it did this, but it would be better if, in addition to a device ID, the app also randomly generated a key and stored it in a place that other apps couldn't access. If it used that in addition to the device ID for authentication, it would at least be as secure as other apps that 'remember' your username/password.
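A challenge-response sketch of what the comment above proposes, added here as an illustration and not code from the article or from anyone in the thread: the device ID stays public, the app generates a random per-install key at first run and keeps it in app-private storage, and the server checks an HMAC over a single-use nonce instead of accepting the bare ID. The `Server`/`Client` classes, the `UDID-0001` identifier, the `device_id|nonce` message format and the "attacker guesses the UDID as the key" forgery are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def _tag(key, device_id, nonce):
    """HMAC over device id and nonce; only the holder of the per-install key can compute it."""
    return hmac.new(key, f"{device_id}|{nonce}".encode(), hashlib.sha256).hexdigest()


class Server:
    """Server side: stores one random secret per registered device (assumed design)."""

    def __init__(self):
        self.keys = {}    # device_id -> per-install secret, registered once over HTTPS
        self.nonces = {}  # device_id -> outstanding single-use challenge

    def register(self, device_id, key):
        # This one request must travel over HTTPS: anyone who sees it learns the key.
        self.keys[device_id] = key

    def challenge(self, device_id):
        # Fresh random nonce per login attempt, so a sniffed response is useless later.
        if device_id not in self.keys:
            return None
        nonce = secrets.token_hex(16)
        self.nonces[device_id] = nonce
        return nonce

    def login(self, device_id, nonce, tag):
        key = self.keys.get(device_id)
        expected_nonce = self.nonces.pop(device_id, None)  # consumed on first use
        if key is None or expected_nonce is None:
            return False
        if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
            return False
        expected_tag = _tag(key, device_id, nonce)
        return hmac.compare_digest(tag.encode(), expected_tag.encode())


class Client:
    """App side: the device id is public, the key lives in app-private storage."""

    def __init__(self, device_id):
        self.device_id = device_id
        # Generated at install; after registration it never leaves the device.
        self.key = secrets.token_bytes(32)

    def respond(self, nonce):
        return _tag(self.key, self.device_id, nonce)


def demo():
    """Returns (legitimate login ok, sniffed replay ok, UDID-only forgery ok)."""
    server = Server()
    victim = Client("UDID-0001")  # constructed device id for the example
    server.register(victim.device_id, victim.key)

    # 1. Legitimate login: challenge, response, verify.
    nonce = server.challenge(victim.device_id)
    tag = victim.respond(nonce)
    legit = server.login(victim.device_id, nonce, tag)

    # 2. Coffee-shop sniffer replays the captured (nonce, tag): the nonce was consumed.
    replayed = server.login(victim.device_id, nonce, tag)

    # 3. A malicious app leaked only the UDID: the attacker can obtain a fresh nonce
    #    but has no key, so the best it can do is guess (here: the UDID itself as key).
    nonce2 = server.challenge(victim.device_id)
    forged_tag = _tag(victim.device_id.encode(), victim.device_id, nonce2)
    forged = server.login(victim.device_id, nonce2, forged_tag)

    return legit, replayed, forged


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind with this scheme: registration still has to go over HTTPS, since the key is sent in the clear exactly once, and an attacker who can read the app's private storage (a rooted device, a stolen unlocked phone) gets the key and is back in the "logged in as you" situation the first comment describes. It raises the bar from "knows the UDID" to "has the device", which is the same bar a remembered username/password sets.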


Again, the article stresses "good enough security". However, the UDID itself can be sniffed and read by other apps, so it's not good to rely only on it; use it in combination with some kind of "salt".


HTTPS


Exactly. Username & password are in the exact same situation, regardless of whether they're user input or stored.



