Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

RSA SecurID - spoof or change UDID?

S

spamdumpster

macrumors 6502a
Original poster
Jan 22, 2008
574
0
We use RSA SecurIDs at work to remote access our network. The folks at work create soft tokens to be pushed to blackberrys ONLY.

RSA has released an iPhone app (free in the app store), but it checks your UDID against the token's UDID/

What I want to do is temporarily spoof or change my UDID so that it matches my blackberry PIN. This way, the iPhone *should* let me import and use the token.

Any ideas?
 
spoofing udid with method swizzling programatically

Here's a way to spoof UDIDs in objective C using Method swizzling:

http://marccodes.posterous.com/method-swizzling-uidevice-to-spoof-udid

Method swizzling swaps two selectors (uniqueIdentifier and spoofUniqueIdentifier) for a class (UIDevice). After the swizzle, subsequent calls to UIDevice uniqueIdentifier will return the spoofed UDID. This can be helpful for testing UDID-keyed libraries that you don't have a valid UDID for. What else???
 
You can't "temporarily" spoof your UDID. The RSA app checks it EVERY time it's launched. It might even check every time the code rolls over, but I have no way of verifying that.

Also, this is a REALLY good way to get yourself fired and depending on your company's policies, prosecuted. Locking soft tokens to UDID is optional (the default is not to), and it's done for a very good reason.
 
geko29 said:
Also, this is a REALLY good way to get yourself fired and depending on your company's policies, prosecuted. Locking soft tokens to UDID is optional (the default is not to), and it's done for a very good reason.
Click to expand...

Best advice right here!
 
geko29 said:
You can't "temporarily" spoof your UDID. The RSA app checks it EVERY time it's launched. It might even check every time the code rolls over, but I have no way of verifying that.

Also, this is a REALLY good way to get yourself fired and depending on your company's policies, prosecuted. Locking soft tokens to UDID is optional (the default is not to), and it's done for a very good reason.
Click to expand...

The reason I see companies locking soft tokens to UDIDs on Blackberries is because BES is a security blanket. A Blackberry can be configured to erase itself if it doesn't see network in x amount of hours/days, so even if someone pulls the SIM out of the device so it won't get a remote kill order, it will eventually erase itself.

iPhones are getting there with security, but still have a ways to go before companies migrate wholesale from RIM to iOS, especially ones that have a hefty investment in BES.
 
mlts22 said:
The reason I see companies locking soft tokens to UDIDs on Blackberries is because BES is a security blanket. A Blackberry can be configured to erase itself if it doesn't see network in x amount of hours/days, so even if someone pulls the SIM out of the device so it won't get a remote kill order, it will eventually erase itself.
Click to expand...

There are a lot of reasons to lock to UDID, and that's definitely one. We're a mostly-iPhone shop, but we lock to UDID as well. The theory being, if we issue someone an iPhone and a token, and they subsequently leave (willingly or not), they will not be able to restore a backup onto a different iThing and retain access to that token. The RSA app will automatically uninstall the token the first time it's launched.

This also applies while they're employed with us. The token can't be installed on any unapproved devices, like the PC soft client (which is forbidden in the highest possible terms by our Security Officer), or personal phones without prior consent.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back