gistray:


Send your number

***

gistray:


You're speaking In parables


I told u even if the app data and cookies are cleared the app is still able to know the device has been used... Where else are the tokens stored?

Only factory reset works as at now

I don't know much about app development on Android or iPhone , but on web , the tricks is browser fingerprinting

Then the hash will be stored on server
When request is made u compare to detect new browser or device I believe android development pack will have something similar

silento:



I don't know much about app development on Android or iPhone , but on web , the tricks is browser fingerprinting

Then the hash will be stored on server
When request is made u compare to detect new browser or device I believe android development pack will have something similar

Seems you're the one who doesn't know how JWT works.


Well thanks.

gistray:


You're speaking In parables


I told u even if the app data and cookies are cleared the app is still able to know the device has been used... Where else are the tokens stored?

Only factory reset works as at now

Hi. Have you tried resetting the AdvertisingID? I have used it once for an app to limit content. Clearing app data or reinstalling wouldn’t work until you do a hard reset of the device or reset the ads id.

Even Google uses the ads id for ads tracking thats how they serve targeted ads. It’s wrong though according to Android best practices if you are not using it for Ads related purposes. I have shared a link. Try all the possible ways highlighted there it definitely should be one of those.

Updated: I’m no sure even resetting the device would work as I believe it’s tied to your PlayStore account. So signing in same Google Play Store account should restore the previous AdvertisingID. I have not tested that before, you should.


PS: Don’t use this for illegal purposes oo. If you collect loan go pay am

[url] https://developer.android.com/training/articles/user-data-ids[/url]

gistray:


Seems you're the one who doesn't know how JWT works.


Well thanks.

U are welcome

Millerules:


Hi. Have you tried resetting the AdvertisingID? I have used it once for an app to limit content. Clearing app data or reinstalling wouldn’t work until you do a hard reset of the device or reset the ads id.

Even Google uses the ads id for ads tracking thats how they serve targeted ads. It’s wrong though according to Android best practices if you are not using it for Ads related purposes. I have shared a link. Try all the possible ways highlighted there it definitely should be one of those.

Updated: I’m no sure even resetting the device would work as I believe it’s tied to your PlayStore account. So signing in same Google Play Store account should restore the previous AdvertisingID. I have not tested that before, you should.


PS: Don’t use this for illegal purposes oo. If you collect loan go pay am

[url] https://developer.android.com/training/articles/user-data-ids[/url]

I'll definitely give this a try.

But what if the app wasn't downloaded from play store or the user haven't logged into playstore?

Thank u.

gistray:


I'll definitely give this a try.

But what if the app wasn't downloaded from play store or the user haven't logged into playstore?

Thank u.

If the app is not on PlayStore and downloaded from the web the app can still call the AdvertisingClient to get the ID since it has been programmed so. I’m really not sure if it’s PlayStore alone I was only guessing it could be tied to PlayStore user instance. However, I have seen some cases where the client returns a generic ID something like 000000.

Be sure to test for your requirements.

gistray:


Send your number

Ur phone has its own unique IP whenever it connects to the internet, it can never be changed, websites register and stores this IP's in there database server for easy identification of gadgets.., you can try everything but you can't change ur internet address IP, because everytime you off and on ur data, it generates another static IP linked to the original, it only displays when you are connected to the internet

minato12:


Ur phone has its own unique IP whenever it connects to the internet, it can never be changed, websites register and stores this IP's in there database server for easy identification of gadgets.., you can try everything but you can't change ur internet address IP, because everytime you off and on ur data, it generates another static IP linked to the original, it only displays when you are connected to the internet

VPN changes this.


All what was posted here non works as I have tried them all


Only thing I think of now is the Android GSF which is always unique and only changes after factory reset

gistray:


VPN changes this.


All what was posted here non works as I have tried them all


Only thing I think of now is the Android GSF which is always unique and only changes after factory reset

Not VPN

minato12:


Not VPN

Lol

Ok.

As stated before almost all banking app could dictate that a particular device had been used to register the app this is due to the fact that each device contain a specific ID which is used to identify it for each current season.

So a token is generated by the device or ID which the app sever recognizes and that token is saved within the device storage so when next it sees the system it tends to identify it.

But once the device undergoes hard rest all the information held by the device secondary storage is lost so the initial ID is lost and must be regenerated.

Elscott007:
As stated before almost all banking app could dictate that a particular device had been used to register the app this is due to the fact that each device contain a specific ID which is used to identify it for each current season.

So a token is generated by the device or ID which the app sever recognizes and that token is saved within the device storage so when next it sees the system it tends to identify it.

But once the device undergoes hard rest all the information held by the device secondary storage is lost so the initial ID is lost and must be regenerated.

Non of this worked.


I found out what worked already albeit a hectic and cumbersome process that involved me downloading and unpacking Palmpay raw apk to see what the heck they where doing

gistray:


Non of this worked.


I found out what worked already albeit a hectic and cumbersome process that involved me downloading and unpacking Palmpay raw apk to see what the heck they where doing

Kindly share what you found.

Millerules:


Kindly share what you found.

Sure!

When I'm done with why I asked the question in the first place.

gistray:
Please help me answer this, I know the reward money is small but I need an answer.

How does PalmPay mobile app Knows a device Android/iPhone have been used to access the App before? I'd love to implement this feat Tom an my App.

It is not any of the following:

It is not via Storing the Device IMEI Number.
We got an Android, registered a PalmPay account with it, then change the IMEI number of this Android and tried registering a new account.

Palmpay was able to detect the device has been used before.


It is not By detecting device Build Number or MAC address, those where changed too.


It is not by storing cookies or some form of secret on the device, we cleared the app cache, uninstall it and removed all the app data yet it was able to detect it has been used before.




Only way PalmPay was able to view the device as new was After a hard factory reset.



So Dev in the house, what magic is PalmPay doing here?

There are several ways I could implement such feature.

I could use the DeviceID, IMEI, deviceHostName, etc. i could equally use a combination of those to generate a secrete code that would be stored serverSide with a reference probably stored on the device for quick access.

Now, most times, I prefer using hard to alter values to generrate secretes, rather than assigning fresh vales. that way, rather than assigning your device a random unique secrete code, I could generate that out of a combination of IMEI + DeviceID, then garnish it with few other variables. that way, even if I generates it 1-million times, it always would be same. Just like how olden Days password checkings worked.

Now depending on how complex I want to go, just changing your IMEI alone, and not your deviceID is enough for me to susppect foulPlay because I would see IMEI looks new, but deviceID is known. Who knows how many other variables I use in considerations ; hence even despite changing your IMEI, I still could make the system reAssign you same token generated earlier, rather than generating a Fresh token.

As for storage, I would choose storage locations that couldn't be easily clearred without doing hardReset, or flashing the device.

The way I do most of these, are quite similar to [b]fingerPrinting , hence just changing a couple of variables e.g IMEI, wouldn't be enough to get you a new token. Don't Forget to Never trust the User[/b]

bassdow:


There are several ways I could implement such feature.

I could use the DeviceID, IMEI, deviceHostName, etc. i could equally use a combination of those to generate a secrete code that would be stored serverSide with a reference probably stored on the device for quick access.

Now, most times, I prefer using hard to alter values to generrate secretes, rather than assigning fresh vales. that way, rather than assigning your device a random unique secrete code, I could generate that out of a combination of IMEI + DeviceID, then garnish it with few other variables. that way, even if I generates it 1-million times, it always would be same. Just like how olden Days password checkings worked.

Now depending on how complex I want to go, just changing your IMEI alone, and not your deviceID is enough for me to susppect foulPlay because I would see IMEI looks new, but deviceID is known. Who knows how many other variables I use in considerations ; hence even despite changing your IMEI, I still could make the system reAssign you same token generated earlier, rather than generating a Fresh token.

As for storage, I would choose storage locations that couldn't be easily clearred without doing hardReset, or flashing the device.

The way I do most of these, are quite similar to [b]fingerPrinting , hence just changing a couple of variables e.g IMEI, wouldn't be enough to get you a new token. Don't Forget to Never trust the User[/b]

All what u mentioned can be changed.


Unfortunately that still won't work.

gistray:



All what u mentioned can be changed.


Unfortunately that still won't work.

Still looking for help on this?
Can we meet on WhatsApp? If yes, drop your number.
(I'm hoping the bounty is still intact?)

gistray:



All what u mentioned can be changed.


Unfortunately that still won't work.

just gave idea on how it's done and I said fingerPrinting. No matter how it's done, if it's rooted, and the user is determined, it could always be byPassed.

except I didn't understand what OP stated

OP u need this for hacking multiple accounts.

I perceive this is the last piece of your puzzle.

BlackhatMentor:
OP u need this for hacking multiple accounts.

I perceive this is the last piece of your puzzle.

you mean like having multiple accounts with same login ?

or maybe the mobile app is a trial version, He wants to always extend it by appearing to be a new user