Appendix A: Device-unique data


This article describes how Mobile Authenticator Studio handles the device-unique data on the supported platforms.

Android

On Android devices, two device-specific keys are computed to ensure uniqueness. One is generated from either the ANDROID_ID or the SERIAL (never both), depending on the deviceIdentificationMethod configuration. The other is generated from the ANDROID_ID and, depending on the deviceIdentificationMethod configuration, may also include the SERIAL. For more information, refer to https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID.

Since Android 8.0, the SERIAL value is no longer accessible. Devices activated using the SERIAL keep using that value, which is stored securely inside the application. If the SERIAL is not available at activation, a random value is used instead and is securely stored for future operations.

iOS

iOS devices use the identifierForVendor data, which is retrieved on the first application launch and stored encrypted in the iOS device keychain. This identifierForVendor data is then encrypted before being used as the device-unique data. Keychain data is protected using a class structure similar to the one used in file data protection. These classes, however, use different keys and are part of other APIs.

The keychain used by the Mobile Authenticator Studio application uses the NSFileProtectionComplete class.

The random data is set in the keychain with the kSecAttrAccessibleWhenUnlockedThisDeviceOnly attribute.

For more information, refer to https://developer.apple.com/documentation/security/keychain_services.

On iOS, two versions of Mobile Authenticator Studio that do not use the same Bundle Seed ID will not share the device-unique data. Keychain access can be restricted to a single application or to a group of applications on iOS. Versions of the Mobile Authenticator Studio application that use the same Bundle Seed ID belong to the same group and share the same device-unique data.
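The iOS behaviour above, as an added illustration that is not Mobile Authenticator Studio's own code: read identifierForVendor on first launch, fall back to random bytes if it is unavailable, and keep the value in the keychain with the kSecAttrAccessibleWhenUnlockedThisDeviceOnly attribute, optionally inside an access group whose prefix is the Bundle Seed ID. The service name, account name and access group are placeholders, and the product's additional encryption of the value before use is omitted.

```swift
import Foundation
import Security
import UIKit

// Placeholder keychain item identifiers; not the product's own values.
let deviceIdService = "com.example.authenticator.device-unique-data"
let deviceIdAccount = "device-unique-data"

enum DeviceUniqueData {
    /// Returns the stored device-unique data, creating it on first launch.
    /// `accessGroup` is "<BundleSeedID>.<group>"; apps sharing it see the same item.
    static func load(accessGroup: String? = nil) -> Data? {
        var query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: deviceIdService,
            kSecAttrAccount as String: deviceIdAccount,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        if let group = accessGroup { query[kSecAttrAccessGroup as String] = group }

        var item: CFTypeRef?
        if SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
           let data = item as? Data {
            return data // already provisioned on an earlier launch
        }

        // First launch: identifierForVendor may be nil (e.g. before first unlock after
        // a restart), so fall back to 16 cryptographically random bytes.
        let value: Data
        if let idfv = UIDevice.current.identifierForVendor?.uuidString.data(using: .utf8) {
            value = idfv
        } else {
            var bytes = [UInt8](repeating: 0, count: 16)
            guard SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess else {
                return nil
            }
            value = Data(bytes)
        }

        var add: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: deviceIdService,
            kSecAttrAccount as String: deviceIdAccount,
            kSecValueData as String: value,
            // Readable only while the device is unlocked; never restored to another device.
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        if let group = accessGroup { add[kSecAttrAccessGroup as String] = group }
        return SecItemAdd(add as CFDictionary, nil) == errSecSuccess ? value : nil
    }
}
```

Because the item is marked ThisDeviceOnly, it is excluded from iCloud and encrypted backups, which is what keeps the value bound to the physical device rather than to a restored backup.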