Identifying devices uniquely in my specific situation

I know this topic is a recycled one -> I simply have a more specific situation that it applies to and I would love to pick your brain.

I'm writing an app that upon first boot requests the user to fill in a user-name. This user-name is sent to my server, checked for uniqueness and entered into a database along with a mysql generated UUID. This user-name is also used to create a virtual directory for the user, so user "evan" gets example.com/evan. The UUID is sent back to the phone where it's stored locally (not set on the storage type yet, using sqlite currently).

The app never asks for a password. The phone stores the UUID my server generated and sends this ID along with the stored user-name upon post-initial boot to identify the user. I like the idea of not using passwords because passwords just open too many of Pandora's boxes and regardless of being a Greek American I would rather avoid Pandora.

I like this approach because if the user ever factory resets their phone and hands it off, the next person won't be logging into the old person's account. I don't like this approach because I'm concerned with how many URLs will go dead as people delete data off their phone and create new accounts (for whatever reason they would do that I'm not sure).

I very much want to avoid having to deal with customers wanting their URL back. That's an intern who could be better spent filling my coffee.

My opinionated brother complains that accounts won't transfer from one device to another: "what if I buy a new phone and want my old account and url?"

I've thought of a few solutions, such as adding a "last logged in" variable to my user table that I could scrape every day to release URLs older than X days. Or I could offer an "erase me" option in the app itself for people to release their URL manually. Or I could add an "I'm transferring this account" option allowing the user to receive a unique code they could write down, buy a new phone, install my app, enter their old user-name, and enter the generated code to confirm their identity.

I suppose if someone manually deletes my app's data they deserve to lose their account. And I could always add some uninstall code that released the URL (?? I imagine anyway, I don't know anything about uninstalls yet.)

So those are the issues I'm dealing with. Any creative tips/info/solutions would be great.


When signing in the first time, I would have the app also send the IMEI or MEID together with the uid so you can store it on your server.

// Requires the READ_PHONE_STATE permission in the manifest.
((TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE)).getDeviceId();

http://developer.android.com/reference/android/telephony/TelephonyManager.html#getDeviceId%28%29

If the app gets deleted and reinstalled or if the app data gets deleted, the user can sign in again (there could be a button "existing users" and another "new users"). Your server will then check the uid with the corresponding device id. If they match, then the account is authorized again and the uid is stored again in the db.

The only issue I can think of is if the device does not have a sim. You could default to get the WIFI MAC address if there's no IMEI (the device needs a way to access your server, so most probably will have one of the two). If there's no IMEI and no MAC address (a very rare event, I imagine), then you can ask to add an email address for confirmation. You should be pretty covered with all these options.
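
The account-transfer code proposed in the question, sketched server-side as an added example (not code from the question or the answer above). The function names, the in-memory `USERS` dict standing in for the user table, and the 600-second code lifetime are assumptions; the device token here is random rather than a MySQL `UUID()` value, which is time-based.

```python
import hashlib, hmac, secrets, time

USERS = {}          # user_name -> record; stands in for the user table (assumption)
TRANSFER_TTL = 600  # seconds a transfer code stays valid (assumed value)

def _digest(secret):
    # Keep only a hash server-side so a leaked table holds no usable credential.
    return hashlib.sha256(secret.encode()).digest()

def register(user_name):
    """First boot: claim a unique name; returns the device token, or None if taken."""
    if user_name in USERS:
        return None
    token = secrets.token_urlsafe(32)  # random, so it cannot be derived from a timestamp
    USERS[user_name] = {"token": _digest(token), "code": None, "code_exp": 0.0}
    return token

def authenticate(user_name, token):
    """Later boots: the phone sends its stored name and token."""
    rec = USERS.get(user_name)
    return rec is not None and hmac.compare_digest(rec["token"], _digest(token))

def start_transfer(user_name, token, now=None):
    """Old phone: issue a one-time code the user can write down."""
    if not authenticate(user_name, token):
        return None
    code = secrets.token_hex(5)  # 10 hex characters
    rec = USERS[user_name]
    rec["code"] = _digest(code)
    rec["code_exp"] = (time.time() if now is None else now) + TRANSFER_TTL
    return code

def redeem_transfer(user_name, code, now=None):
    """New phone: swap the code for a fresh token; the old token stops working."""
    rec = USERS.get(user_name)
    if rec is None or rec["code"] is None:
        return None
    stored, rec["code"] = rec["code"], None  # any attempt, right or wrong, burns the code
    if (time.time() if now is None else now) > rec["code_exp"]:
        return None
    if not hmac.compare_digest(stored, _digest(code)):
        return None
    token = secrets.token_urlsafe(32)
    rec["token"] = _digest(token)  # rotating the token logs the old phone out
    return token
```

Burning the code on any redemption attempt prevents guessing at the cost of making the user request a new code after a typo.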
