
Yeah, now that I think about it, username/password combos pose the same risk as this when it comes to sniffing.

Does it just use an easily obtained device ID though? So could a potentially malicious app that the user installs also grab the device ID and then forward it?

Even if an app 'saves' a username/password combo, (I hope at least) it does it in a secure way, where other apps can't access the saved info.

If all this system does is use a device ID, it's still not as secure. The article didn't mention whether or not it did this, but it would be better if, in addition to a device ID, the app also randomly generated a key and stored it in a place that other apps couldn't access. If it used that in addition to the device ID for authentication, it would at least be as secure as other apps that 'remember' your username/password.



Again, the article stresses the "good enough security". However, the UDID itself can be sniffed and read by other apps, so it's not good to rely only on it, but on it in combination with some kind of a "salt".
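An added example, not part of the thread or of the system the article describes: a sketch of the scheme both comments above suggest, where the device ID is paired with a randomly generated per-install key. It goes one step further than the comments by using a challenge-response so the key itself never crosses the wire; all function names, the in-memory store and the sample device ID are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory server state (stand-in for a database).
_keys = {}      # device_id -> per-install key registered at enrollment
_pending = {}   # device_id -> outstanding one-time challenge


def new_install_key() -> bytes:
    """Client, first launch: random 256-bit key, independent of the device
    ID, to be kept in app-private storage other apps cannot read."""
    return secrets.token_bytes(32)


def enroll(device_id: str, install_key: bytes) -> None:
    """Server: bind the key to the device ID (done once, over TLS)."""
    _keys[device_id] = install_key


def issue_challenge(device_id: str) -> bytes:
    """Server: fresh nonce per login attempt, so a sniffed response
    cannot be replayed."""
    nonce = secrets.token_bytes(16)
    _pending[device_id] = nonce
    return nonce


def sign(install_key: bytes, device_id: str, challenge: bytes) -> str:
    """Client: prove possession of the key without transmitting it."""
    msg = device_id.encode() + b"|" + challenge
    return hmac.new(install_key, msg, hashlib.sha256).hexdigest()


def verify(device_id: str, response: str) -> bool:
    """Server: accept only a correct HMAC over the outstanding challenge."""
    key = _keys.get(device_id)
    challenge = _pending.pop(device_id, None)  # single use
    if key is None or challenge is None:
        return False
    expected = sign(key, device_id, challenge)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), response.encode())
```

Because the server holds the same key the client does, the stored keys need the same protection at rest as any other shared secret.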



