How to uniquely identify an iOS device

As an iPhone developer I wanted to find out the users who have multiple signups from a single device. For the app I am working upon, we are giving signup bonus. But I want to limit this bonus to a single device only. If user of the device use multiple phone-numbers/email-id I want to prevent giving free bonus to those signups. For this, I need to uniquely identify the device.

“A way to uniquely identify an iOS device” has been a topic of discussion for a long time. Over the years, in WWDC sessions they have talked and discussed about this feature and the privacy concerns this might expose to the device user. But Apple has never talked about openly about a clear solution.

There are so many apps which rewards a user on first time installation.
But what if a user deletes the app and reinstalls it with a new mobile number/email just to earn the free reward. This is a potential fraud for your app and you may want to avoid it. Good news is we have a solution folks!!

Earlier developers used to rely upon UUID which helps developers to mark a device. But this only lasts till a user delete/uninstall the app and changes on reinstall.
However it serves well if there are apps on a device coming from a same vendor. So it can help us identify the users having both app A and app B from a same vendor. But this doesn’t solve our problem.

UDID stays with the device for life long. But apple doesn’t allow developers to access it programmatically. In fact they have started rejecting the app on usage of UDID.

Another option is DeviceCheck API. It is a public API from Apple which can be used in combination with server-to-server APIs, and can be set or queried on two bits of data per device. This value can only be changed or updated by the developer and remains same even if the user removes and reinstalls. But it is only available from iOS 11+.

There is this fine blog I came across which talks about similar problem as ours and found it’s solution in DeviceCheck API. It claims that this API can survive a reinstall.

Another solution is to use Keychain storage to store device token(or any other key which can help in identifying a device). Keychain persists the data you stored in there even after the app is uninstalled. This was discontinued after 10.3 beta, i.e, iOS will wipe out keychain data after app delete after 10.3 beta.
Keychain storage is not one of the official solutions for the given problem. You won’t find a clear documentation which talks about this approach for this problem as it is an artefact and not a design feature. It is a good solution but not full proof. The keychain data can be cleared by wiping out(factory reset) the phone. Also as it is not a design feature, it should be used with your own risk.

Conclusion :
One should go for Keychain Storage for users until 10.3 beta.
For users above iOS 11, we can go for DeviceCheck API.

Here are the WWDC sessions which talks about user privacy and ways to identifying device :
https://developer.apple.com/videos/play/wwdc2012/710/
https://developer.apple.com/videos/play/wwdc2013/714/
https://developer.apple.com/videos/play/wwdc2014/715/
https://developer.apple.com/videos/play/wwdc2015/703/