Slashdot Mirror


Many Top iPhone Apps Collect Unique Device ID

An anonymous reader writes "It looks like iPhone users are not immune to the types of data leaks recently discovered on the Android platform. Researchers looked at the top free applications available from the App Store and discovered that '68% of these applications were transmitting UDIDs to servers under the application vendor's control each time the application is launched.' The iPhone's Unique Device ID, or UDID, cannot be changed, nor can its transmission be disabled by the user. The full paper is available in PDF form."

194 comments

  1. What's That? by MightyMartian · · Score: 3, Insightful

    What's that? Why, I think it's the sound of the other shoe dropping!

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:What's That? by MBCook · · Score: 2, Insightful

      Some people may not like this, but it doesn't seem that bad to me. After hearing that some Android apps report a user's physical location up to every 30s... this seems pretty tame.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:What's That? by ceoyoyo · · Score: 3, Insightful

      And phone number.

      Unless Apple is helpfully giving out your name and address to go along with the UDID (which I very much doubt), it's just a way to see how many people are using your app.

    3. Re:What's That? by drachenstern · · Score: 1

      how many unique devices it has been installed on...

      Flipside5 does this with their apps, and when I swapped phones, even though I had done a restore (which transferred over all my other settings for everything else) I lost all my game status with them. Hence, based on UDID.

      I didn't mind, but just thought it was interesting that was how they tracked uniques.

      --
      2^3 * 31 * 647
    4. Re:What's That? by jc42 · · Score: 1

      ... some Android apps report a user's physical location up to every 30s ...

If you're running google maps on your iPhone or Android phone, it does this. This has been mentioned lots of places, when they explain how the maps app gets the traffic data. It gets the data from the phones, of course, which are reporting their position and speed back to a google server every so often. The green/yellow/red/black color coding of roads is just a summary of how the phones on those roads are moving. It would be surprising if the packets didn't include a phone's ID, since that helps make sense of the strings of packets from different phones on the same stretch of highway that are arriving mingled together.

I've often used google's traffic reports on my G1 to tell me which of my (Garmin) GPS gadget's routes I should avoid. Supposedly Garmin has released a cell-phone version of their GPS software, but I haven't yet read reports of how well it works.

      The mobile google-maps app with traffic status is sufficiently useful that people will probably consider it an acceptable excuse for google keeping track of where their phone is at all times. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    5. Re:What's That? by Lumpy · · Score: 5, Interesting

No but it enables douchebaggery like LOCKING the app to one device. Which is against Apple's EULA. If I have 2 iPhones, 1 iPod and 2 iPads on my single Apple account I get the app on all those devices for one purchase price. Problem is many app makers are greedy assholes and want to make it only work on ONE device.

      --
      Do not look at laser with remaining good eye.
    6. Re:What's That? by LostCluster · · Score: 1

      What was the first shoe?

    7. Re:What's That? by ceoyoyo · · Score: 3, Insightful

      It enables things like that IF Apple weren't looking over their shoulder. Provided the app got past the approval process in the first place, someone would undoubtedly complain to Apple. Apple would then yank the app from the store and offer everyone refunds. Oh, and as a developer when you give a refund YOU give a refund. Apple doesn't give back their 30%.

      So no, nobody's going to do anything that stupid.

    8. Re:What's That? by TheGeneration · · Score: 5, Informative

The UID identifies the iPhone within Xcode. It enables things like authentication without passwords for (trivial) applications. For example if I have an app with profiles, and that app is only usable on the iPhone, there is no need for a password or login, I can just use the UID.

      Big whoop.

      --
      The Generation
      I'd say something witty here, but I'm not that bright.
    9. Re:What's That? by Anonymous Coward · · Score: 0

      maybe he shares his apple account with his wife and kids.

    10. Re:What's That? by Anonymous Coward · · Score: 0

      Unless he stole them from the store, I don't see how that makes him greedy.

      Let's see your 1040.

    11. Re:What's That? by grub · · Score: 3, Interesting

I've never come across an app that won't install for free on another iOS device (we have 4). What apps have done this? You should definitely report them to Apple if this is the case.

      --
      Trolling is a art,
    12. Re:What's That? by postbigbang · · Score: 2, Insightful

      Your big whoop amounts to someone data mining more stuff about you. You give up too easily protecting your information particulars. If you don't sweat them, they'll steal more.... and maybe already have.

      --
      ---- Teach Peace. It's Cheaper Than War.
    13. Re:What's That? by Anonymous Coward · · Score: 1, Insightful

      Wait, Apple actually steal your money when someone asks for a refund? And people are willing to develop for them?

    14. Re:What's That? by allanmackenzie · · Score: 1

      TFA did say free apps, right?

    15. Re:What's That? by am+2k · · Score: 1

      That wouldn't help the dev very much, given that you can purchase any app only once on a single appstore account.

    16. Re:What's That? by Anonymous Coward · · Score: 3, Informative

The summary was specific to the top FREE apps. What do you expect they are going to refund? Why are we discussing locking it to one device? They are already free for all your devices. It's about tracking, pure and simple.

    17. Re:What's That? by PipsqueakOnAP133 · · Score: 1

      That's IF they can steal more. So far, they can get your device ID, and access the address book.
      I'm more concerned about the address book than I am about the device ID.
      Given the APIs, that's probably about all they can take from you.

    18. Re:What's That? by hsmith · · Score: 2, Informative

      Well you are certainly full of it. Apple gives back their portion of refunds as well. They hold the option to NOT do that though.

    19. Re:What's That? by edxwelch · · Score: 1

      > Oh, and as a developer when you give a refund YOU give a refund. Apple doesn't give back their 30%.

I'm an iPhone developer and have never been charged the 30% for refunds - and they do happen occasionally.

    20. Re:What's That? by Hognoxious · · Score: 1

      Wife? Is that what you call him?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    21. Re:What's That? by ceoyoyo · · Score: 1

      All right, Apple may or may not give back their 30%. Maybe not if they're pissed at you for fooling them, breaking your agreement, screwing their customers and refusing to fix it.

      Am I not full of it now? Is your pedantry satisfied?

    22. Re:What's That? by ceoyoyo · · Score: 1

      Have you ever purposely screwed over your customers and Apple and refused to be reasonable about it, as suggested by the OP?

      I'm an iPhone developer too, and Apple does reserve the right to make you pay the whole refund amount.

      I doubt we're supposed to post excerpts from the actual contract, but the relevant one is reproduced here:
      http://techcrunch.com/2009/03/25/apples-iphone-app-refund-policies-could-bankrupt-developers/

      You can check it in your own distribution contract in iTunes Connect.

    23. Re:What's That? by Hognoxious · · Score: 1

      I don't know, but it probably looked like this

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    24. Re:What's That? by postbigbang · · Score: 1, Insightful

SO they get a DID, a MAC address, an IP. They follow you around. Maybe they decide to go into various Java cache and sniff around if they can. Java cache locations aren't tough to figure out. There's more than one way to skin a cat, or a bad Java app.

      --
      ---- Teach Peace. It's Cheaper Than War.
    25. Re:What's That? by edxwelch · · Score: 1

      I talked to other developers about this and none of them have ever been stuck for the 30% either.
I suppose it's just another one of the rules that they don't act on.

    26. Re:What's That? by Runaway1956 · · Score: 2, Funny

      I wanna know how a geek keeps a wife and kids in his momma's basement. Sorry, that seemed to be obligatory, here on slashdot. ;^)

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    27. Re:What's That? by nacturation · · Score: 1

      Your big whoop amounts to someone data mining more stuff about you. You give up too easily protecting your information particulars. If you don't sweat them, they'll steal more.... and maybe already have.

      So if this unique hardware device ID didn't exist, my app could generate a GUID (random 128 bit number) the first time it's run and use that as the unique ID on every internet request to my server? What's Apple going to do... prevent apps from using numbers?

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    28. Re:What's That? by Haeleth · · Score: 1

      Wait, Apple actually steal your money when someone asks for a refund?

      It's not stealing if you explicitly agreed to let them do it. Which you did, if you're developing for iOS.

      And people are willing to develop for them?

      Apparently. I assume they have weighed up the potential profits from a captive audience of iPhone/iPad owners against the potential downsides of Apple's draconian policies and have calculated that they'll still make a nice profit even if Apple are dicks.

      I mean, iPhone/iPad owners are the perfect market. By the very fact of that ownership, they prove that they have plenty of disposable income, are eager to part with it in exchange for shiny things, and are not given to shopping around trying to save money. If you can't profit off people like that, you may as well give up.

    29. Re:What's That? by JohnFen · · Score: 1

The UID identifies the iPhone within Xcode. It enables things like authentication without passwords for (trivial) applications. For example if I have an app with profiles, and that app is only usable on the iPhone, there is no need for a password or login, I can just use the UID.

      Big whoop.

      It may not be a big deal to you, but it sure is to me. Particularly given how atrocious the terms of their license are when it comes to privacy. They can, and do, track you and your physical location at all times, and can do anything they like with that information.

In my view, it's bad enough that they are so cavalier about personally identifiable information in the first place. It's even worse that such information is readily available to random app developers.

      This is a showstopper.

    30. Re:What's That? by postbigbang · · Score: 1

      Not necessarily.

      The idea is to have applications STFU unless it's called for.

      No random hey, here's the latest scoop on 0x38df803's location, the local temperature, and the last nine people she called.

      Hey, look! She's on FB again, and just ordered something from Amazon. Upload to the mothership analytics engine NOW!

      Wait, she's going to use us! Get ready to make the fart sound!

      --
      ---- Teach Peace. It's Cheaper Than War.
    31. Re:What's That? by Anonymous Coward · · Score: 0

      It was obligatory five years ago. Now, it is just the sign of a "me too!" newb.

      You suck.

    32. Re:What's That? by nacturation · · Score: 1

      Hey, look! She's on FB again, and just ordered something from Amazon. Upload to the mothership analytics engine NOW!

      Right, so the risk is cross-app and cross-site correlation, not the fact that a single app can uniquely identify each device it's installed on.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    33. Re:What's That? by macs4all · · Score: 0, Informative

SO they get a DID, a MAC address, an IP. They follow you around. Maybe they decide to go into various Java cache and sniff around if they can. Java cache locations aren't tough to figure out. There's more than one way to skin a cat, or a bad Java app.

      Wrong platform!

      iOS devices don't run Java ANYTHING. You're thinking of Android.

    34. Re:What's That? by iluvcapra · · Score: 1

      No random hey, here's the latest scoop on 0x38df803's location, the local temperature, and the last nine people she called.

      As the developer of a hacky (and permanently broken since 4.0) iPhone call log application, I can tell you that the iOS API does not allow an app to access the recently called list. And the local temperature is no trick, since it's an f() of the location.

      --
      Don't blame me, I voted for Baltar.
    35. Re:What's That? by Anonymous Coward · · Score: 0, Funny

      The practice of douching is now largely restricted to the United States, where douching equipment is often available in pharmacies. A 1995 survey quoted in the University of Rochester study found that 27 percent of U.S. women age 15 to 44 douched regularly, but that douching was more common among African-American women (over 50%) than among white women (21%).[2] For other uses, see Pharmacy (disambiguation). ...

      The irrigation of the anus is also known as an enema.

    36. Re:What's That? by Anonymous Coward · · Score: 0

      This is terrible, someone should do something about this atrocity.

    37. Re:What's That? by BasilBrush · · Score: 1

      It may not be a big deal to you, but it sure is to me. Particularly given how atrocious the terms of their license are when it comes to privacy. They can, and do, track you and your physical location at all times, and can do anything they like with that information.

      Mobile phone networks know your physical location, near enough, with any mobile phone you might use. Apple doesn't. The iPhone doesn't "track you and your physical location at all times". Only when the application being run requests it, and the user is notified that such a thing is happening, and asked for permission. Plus of course you can disable location services on the iPhone completely if you want.

      The reason it's a big deal to you is because your tin-foil hat is more important to you than finding out how things actually work.

    38. Re:What's That? by Anonymous Coward · · Score: 0

      Moreover, the UDID is part of the anti-piracy libs in the apps. There are many and most of them have the same inner workings.

      Moreover, OpenFeint and other online scoring services use the UDID to track your data.

      Moreover, the UDID is not personal data; it's more like a convenience identification number.

      Moreover, it's not like they're using the GPS to track you or other personal data without your knowledge, because YOU have to enable that feature per app.

    39. Re:What's That? by interkin3tic · · Score: 1

      So no, nobody's going to do anything that stupid.

      Why is it that those words always fill me with dread?

    40. Re:What's That? by sortius_nod · · Score: 1

      Actually, no, it gets the data from the same place that all traffic maps get data from. The radio network that transmits traffic.

      The data would be so incomplete from phones (as you have to have the app running) that it would be useless as a measure of traffic.

    41. Re:What's That? by Anonymous Coward · · Score: 1, Funny

      Homophobia is a sin.

    42. Re:What's That? by owlstead · · Score: 1

The security model of both phones is quite different. iOS is based on digital trust (only downloading signed authorized apps from the App Store), Android's model is permission based (although the default market could count as authorization as well).

      If a free game is requesting permission to use my GPS coordinates or to use maps, then I simply don't install it.

    43. Re:What's That? by indiechild · · Score: 1

      Exactly. I call BS -- never heard of a developer doing this or attempting to do this.

    44. Re:What's That? by jc42 · · Score: 1

      OTOH, if a traffic app were to do both, that would give more data than either alone. I can't be the first programmer to have had that thought. ;-)

      In any case, there have been many reports that google maps is collecting some of the traffic data from phones running their software. Here's one of the earlier stories that a quick google search turned up, from about a year ago. It's not hard to find other stories about this topic. This story has the additional comment that, at the time, the iPhone was unusual in that it didn't feed data back to the google traffic database. This has supposedly been fixed in the past year.

      I'd think that a sensible design would be to try to consolidate the data from mobile "smart phones" with the data from various highway agencies that monitor traffic. Of course, this would depend on which countries, states, provinces, cities, whatever that you could get data from. There's also the problem that no two of them would be expected to use the same data formats. But we have a lot of smart programmers, right? And the task is easily modularized, since you basically need one package per input source that translates that source's data format to whatever format your database wants.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    45. Re:What's That? by Anonymous Coward · · Score: 0

      come on, he is not from Austria nor Belgium.

    46. Re:What's That? by JohnFen · · Score: 1

      Such a shame... your comment started so well but just had to end with a gratuitous insult.

      Mobile phone networks know your physical location, near enough, with any mobile phone you might use. Apple doesn't. The iPhone doesn't "track you and your physical location at all times". Only when the application being run requests it, and the user is notified that such a thing is happening, and asked for permission.

      True about the cell phone tracking. However, there are some legal restraints about what can be done with that information. Apple and app developers are only restrained by the license agreement. Perhaps I should have been clearer -- I was going by the license agreement, which states:

      We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

      Maybe you'll be told when you're tracked, maybe it can be disabled, but maybe not. You've given Apple (and whoever they designate) blanket permission to track you without notification, and they don't have to let you disable it.

      If you choose to trust that they don't, and will never, misuse this permission, that's fine. But it's hardly tin-foil-hat to simply assume that they include such language for a reason and will adhere to it.

    47. Re:What's That? by CheerfulMacFanboy · · Score: 2, Insightful

      The summary was specific to the top FREE apps. What do you expect they are going to refund? Why are we discussing locking it to one device? They are already free for all your devices. Its about tracking, pure and simple.

      And his injection was made on somebody's claim that this was used to "LOCK the app to one device" - why would this be done for a FREE app?

      --
      Fandroids hate facts.
    48. Re:What's That? by BasilBrush · · Score: 1

      You claimed: "They can, and do, track you and your physical location at all times, and can do anything they like with that information."

      As I said, they don't do that at all. Now you're talking about what they might do in the future. Pathetic.

    49. Re:What's That? by jeremyp · · Score: 1

      A post that talks about Java caches on the iPhone gets modded insightful?


      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    50. Re:What's That? by postbigbang · · Score: 1

      Yeah, what's up with that?

      Oops.

      --
      ---- Teach Peace. It's Cheaper Than War.
    51. Re:What's That? by AppleIsForFags · · Score: 0

      Just because all of you iFags love the cock... don't be mad.
      I know you don't really want privacy from Steve Jobs. In fact I'd bet you actually want the complete opposite. I think you guys want him to pretty much come into your house and see you naked n stuff.
      Then you wanna give him a blowjob or something huh? Dontcha?

    52. Re:What's That? by JohnFen · · Score: 1

      But they do. They are so keen on it that if you opt out of location tracking, you can't use the iTunes store. http://econsultancy.com/us/blog/6126-iphone-users-will-have-to-get-used-to-tracking

    53. Re:What's That? by Anonymous Coward · · Score: 0

      No, they do not. You are pointing to an article that doesn't know how to read the T&Cs. Apple only uses location data if it is turned on. It is not used to track you.

    54. Re:What's That? by Kalriath · · Score: 1

      Microsoft has the same rule for the WP7 Marketplace.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    55. Re:What's That? by Anonymous Coward · · Score: 0

      My answer to that is: "get your bible hugging ass back to alabama you fucking redneck."

    56. Re:What's That? by rjstanford · · Score: 1

      Try Pandora. I installed it on my phone, got a new phone, did the serious wipe on my old phone and gave it to a coworker who'd b0rked his somehow. He installed Pandora and, lo and behold, all of my stations were still there.

      That was a relatively harmless wake-up call. What if Mint did the same thing? I mean, they shouldn't, but then again neither should Pandora...

      --
      You're special forces then? That's great! I just love your olympics!
  2. Dup story by sproketboy · · Score: 1

    Oops. Yeah that was the Android one.

  3. And? Care factor zero by aristotle-dude · · Score: 1

    The iPhone's UDID identifies my iPhone, not me so I don't see the problem. Some developers just want to see how many devices apps are installed and in active use on.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
    1. Re:And? Care factor zero by Dynedain · · Score: 2, Interesting

      DoubleClick's cookies identify my computer, not me so I don't see the problem. Some developers just want to see how many computers browsers are installed and in active use on.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    2. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      That could be done just as easily without sending the UDID.

    3. Re:And? Care factor zero by grub · · Score: 1

      Yeah, just IDs the phone. Not email address, GPS location, contacts or anything.

      Not much of a story although I do block call-homes with FirewallIP from the Cydia Store.

      --
      Trolling is a art,
    4. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      The iPhone's UDID identifies my iPhone, not me so I don't see the problem.

      If one of the apps which phones home happens to send GPS data, it's just a small step to figuring out where you spend most of your time (i.e. your house) and then the UDID is tied to your identity.

    5. Re:And? Care factor zero by Anonymous Coward · · Score: 2, Insightful

Then they should set a cookie. We already went over this in the late 90s with the Pentium 3. Universal hardware id = bad. Set a cookie unique to one company = good.

    6. Re:And? Care factor zero by grub · · Score: 2, Informative

      All iOS apps that ask for location info generate a permissions dialog.
      You can set a default per-app in the Location Services option screen.

      --
      Trolling is a art,
    7. Re:And? Care factor zero by Anonymous Coward · · Score: 2, Funny

      The iPhone's UDID identifies my iPhone, not me so I don't see the problem.

      Just wait... soon we will ALL have Apple's most important creation ever... the "iD".

    8. Re:And? Care factor zero by ceoyoyo · · Score: 1

      I'm a lot less worried about DoubleClick having a cookie on my computer than I am about a piece of software that grabs my phone number, physical location, my contact information, my contacts' information, the contents of my drive....

    9. Re:And? Care factor zero by SilverHatHacker · · Score: 1

I seem to remember when the Ubuntu OEM team proposed a package that would report your computer model so they could count installations, many people freaked out. Even though it sent nothing personally identifiable, the concept of your computer "phoning home" was anathema to the gathered masses. Funny how on an Apple product, the common response is "no big deal, it's not personally identifiable" but on anything else it's "ZOMG! Teh evulz!"

      --
      Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    10. Re:And? Care factor zero by Anonymous Coward · · Score: 1, Informative

      From the summary... "We also confirmed that some applications are able to link the UDID to a real-world identity."

    11. Re:And? Care factor zero by scdeimos · · Score: 1

The Location Services permissions only "secure" the GPS receiver on the phone. There are plenty of other methods of locating a device without popping the Location Services prompt, such as by Wi-Fi SSIDs and signal strengths (thanks Google), and Geolocation by IP address. They may not be as accurate as GPS, but in a lot of cases near enough can be good enough.

    12. Re:And? Care factor zero by LostCluster · · Score: 1

      You must be the Cookie Monster.

      Most cookies are unique values to identify you to web sites, and therefore also to ad networks. The more info about you that can be associated with that ID, the more they can specifically target you.

      The UDID might be a value that's random, but if ad networks can tie your usernames to the UDID, then they can uniquely identify your phone as you, and tie that to the targeted information.

    13. Re:And? Care factor zero by Klync · · Score: 2, Insightful

      Hmmm... maybe we should ask Mr. Gathered Mass why he keeps changing his mind. Oh, what's that? You're talking about millions of *different* people holding *different* opinions? Wow, who would've thought! I think you've found the real story in all of this: apparently, not everybody feels the exact same way about different, although similar, events. Thanks for sharing this insight - you just blew my mind.

      --
      ----
      Not to be confused with Col.
    14. Re:And? Care factor zero by by+(1706743) · · Score: 1, Insightful

      Universal hardware id = bad.

      I assume you assign your network card a random MAC address before connecting to the internet?

    15. Re:And? Care factor zero by Jazzbunny · · Score: 2, Informative

      You don't see the problem because you didn't read the pdf:

      For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner. The CBS News application transmits both the UDID and the iPhone device’s user-assigned name, which frequently contains the owner’s real name.

    16. Re:And? Care factor zero by alannon · · Score: 2, Informative

      Incorrect. Without using Location Services (and asking permission) apps have no access to anything involving the Wi-Fi SSIDs surrounding you.

      And as for IP address...
      WARNING! Your computer is broadcasting your IP address!
      Be serious.

      Incidentally, with rare exceptions, the IP address of your phone, as assigned from your carrier, is in a private IP range. If you're connecting to a server, which will then have your public IP address, do you really feel you have any expectation of privacy, as far as the server not attempting to map your IP address to a location?

    17. Re:And? Care factor zero by grub · · Score: 1

      I think the Location permissions also block against wifi type geolocation as it also works on the iPod Touch which has no GPS.

      --
      Trolling is a art,
    18. Re:And? Care factor zero by Anonymous Coward · · Score: 0

Yes. I also run anything I don't trust inside a VM which has a fake MAC address and fake IP address (NAT).

      I don't think apps on phones should be able to access unique BT addresses, MAC addresses, ESN, universal hardware id, or anything like that without asking the user first.

      Cookies are just fine. At least I can wipe them if I want to. I'm not livestock and I shouldn't be branded. The serial number under the battery is good enough for me, and not remotely accessible.

    19. Re:And? Care factor zero by MrHanky · · Score: 2, Insightful

      Sorry, but it has already been established in the discussion about possible privacy invasions in Android software that this can't happen on iOS. Because it simply can't happen.

    20. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      From the summary... "We also confirmed that some applications are able to link the UDID to a real-world identity."

      So what?

    21. Re:And? Care factor zero by jo42 · · Score: 1

      Without using Location Services (and asking permission) apps have no access to anything involving the Wi-Fi SSIDs surrounding you.

      I guess you haven't seen some of the new APIs in iOS 4.1/4.2, have you?

    22. Re:And? Care factor zero by Nyeerrmm · · Score: 1

      I'd say that the two sets are fairly distinct. While there are iPhone using Ubuntu users (myself included), I'm guessing the majority on each platform wouldn't use the other. Ubuntu users are going to in general be more libertarian leaning and privacy minded than iPhone users.

      That said, I personally feel the opposite. Ubuntu collecting that data doesn't bother me at all, and I definitely see the value. App developers doing so makes me a little bit uncomfortable, but I see the value in it to them too.

    23. Re:And? Care factor zero by sqlrob · · Score: 1

      MAC only survives one hop.

    24. Re:And? Care factor zero by E+IS+mC(Square) · · Score: 1

      Of course, it's apple. So "so what?". If it's android, it's "WTF??!! ZOMG!!!??!"

    25. Re:And? Care factor zero by Jazzbunny · · Score: 1

      Well how about you redo the experiment and prove to the world that this security expert is wrong, from the pdf you can find how he captured the data:

      Packet captures were recorded using tshark, the console-based libpcap capture utility. The resulting files were then analyzed using a suite of open-source tools including Wireshark, ngrep, and the Perl Net::Pcap libraries in order to determine what, if any, personally-identifiable information was being shared with third parties.

      Happy hacking.

    26. Re:And? Care factor zero by ceoyoyo · · Score: 1

      I have. If you're referring to what I think you're referring to, you still can't access the network settings to actually scan for SSIDs. You can get the CURRENT one, but that's it. That might identify the device's position. Maybe. Wifi location services generally require several SSIDs for a location.

      It's a lot less of an issue than sending GPS coordinates back to the server.

    27. Re:And? Care factor zero by Haeleth · · Score: 1

      All iOS apps that ask for location info generate a permissions dialog.

      Oh, that's OK then. That's totally secure. It's not like 99% of all computer users blindly click "yes" on every dialog that appears without so much as glancing at the message or anything.

    28. Re:And? Care factor zero by Sparks23 · · Score: 1

      I think the problem is that most people are reading this as "apps are sending off the UDID" and going "eh, who cares" because the UDID doesn't have any real inherent useful meaning outside of iOS development provisioning. Even when they read that you can associate the UDID with a real name somehow (as in the Amazon and CBS apps), they still see UDID isn't really useful data. All you know is "this hexadecimal value -- which, for all practical purposes, may as well be random -- is Joe Public." If Amazon generated a blob of random binary data and used that to identify that device to the server instead of the UDID, but changed no other part of their protocol, you'd still be able to associate the random blob of data with Joe Public.

      Where this becomes a privacy concern is that since multiple services take the shortcut of using the UDID as their tracking token, if you had, say, both Amazon's tracking data and CBS's tracking data, you could take Amazon's realname data and combine it with the CBS program's demographic data, and have a bigger, badder demographic database. Because they both use the UDID as their tracking token, there's a shared bit of data you can use to combine those sorts of tracking databases. But that's not really presented as the problem here, so most people just think "why should I care that the UDID is being sent? That's no different than any other random data-tracking cookie."

      In contrast, I think why people reacted more vehemently to the Android article was that the TaintDroid folks reported that Android apps were not merely using device identifiers as tracking tokens, but were also reporting back the actual phone number, or in some cases the IMSI. While I don't care much about my UDID being sent off as a tracking token -- it's not meaningful data in and of itself -- I am going to be a lot more disturbed if I find some app is sending my cellular subscriber data to a server without a damned good reason, regardless of what data they're tracking.

      That said, the growing popularity of smartphones means that privacy and malware/trojan prevention on mobile platforms /is/ going to become more and more of a real concern, I think. There are already security suites available for them, like Android Firewall on Android, or FirewallIP on iOS; they all require rooting/jailbreaking to use, but they're there as an option. But because of how much computing people do on their mobile devices, I think eventually we're going to see -- of necessity -- these sort of privacy/security tools for mobile platforms becoming more common and mainstream, whether Apple and Google open up the platform to allow third-party security tools or whether they start providing a higher level of security themselves, /something/ is going to change in time.

      --
      --Rachel
    29. Re:And? Care factor zero by iluvcapra · · Score: 1

      We're talking about using the MAC address outside of the scope of networking here; for all intents and purposes it is a serial number for your computer, readable by any application on the system. No one ever changes (or probably even knows how to change) their MAC address.

      --
      Don't blame me, I voted for Baltar.
    30. Re:And? Care factor zero by BasilBrush · · Score: 1

      Most cookies are unique values to identify you to web sites, and therefore also to ad networks. The more info about you that can be associated with that ID, the more they can specifically target you.

      Target me?!? Oh no that sounds bad. That sounds like a hit man or something. Oh noes!!!

      Wait, you mean they're going to use the information to display adverts for things I might actually be interested in, rather than random stuff I'm not interested in. How does this harm me again?

      No hit man?

    31. Re:And? Care factor zero by BasilBrush · · Score: 1

      If I'm logged in, they already know my name. I wanted them to have it.

    32. Re:And? Care factor zero by BasilBrush · · Score: 1

      I know you find it hard to distinguish one thing from another and don't RTFAs, but the Android apps which were the topic of that discussion were sending phone numbers from your address book. Which you might not realise is a different thing from the UID of your phone.

      It's perfectly reasonable, and allowable under both developer and user agreements for apps to send the UID to a server for the purpose of distinguishing one phone from another. It's not reasonable, nor allowed, to send user data, such as phone numbers.

    33. Re:And? Care factor zero by BasilBrush · · Score: 1

      You're right, that is a problem. And the problem is even worse with Android, that asks for such permission at install time, before the user knows why the app might need the permission. iOS at least asks at the time the first request is made, giving users more of a clue why the app is asking.

      But iOS has a further line of defense. The one stop App Store. Badly behaved apps may be caught in the approval process, and if they do make it onto the store, can be removed again if user complaints come in.

      The much vaunted "openness" of Android, with multiple app stores, meaning that any developer is free to distribute any app, means that no one can pull the plug on Android malware.

    34. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      I guess you haven't seen some of the new APIs in iOS 4.1/4.2, have you?

      Such as?

    35. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      How far beyond your own router does your computer's MAC address travel?

    36. Re:And? Care factor zero by MrHanky · · Score: 1

      I know you find it hard to read comments, but some of the apps mentioned here send your name in plain text along with the UID, making the UID into an alias for your name. Perfectly reasonable when it's done with Apple's products, of course, as the limits of the reasonable moves along with them.

      Notice how you go from full attack mode to full defensive mode along with corporate loyalty. You're a pathetic excuse of a human being.

    37. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      No, but the MAC address never goes beyond the local gateway. Only the IP packet leaves, so the MAC is never transmitted on the internet.

    38. Re:And? Care factor zero by BasilBrush · · Score: 1

      I know you find it hard to read comments, but some of the apps mentioned here send your name in plain text along with the UID, making the UID into an alias for your name.

      I read the fucking paper, unlike you, so I don't have to infer what it says from other people's posts. You are wrong as usual. The paper provides no evidence whatsoever that any app sends the user's name along with the UDID from the iPhone. What's confused the others whose posts you've read, and therefore misinformed you, is that the Amazon app sends the UDID to the server. The server then responds with various information including your name, because it already knows it, because you chose to tell Amazon what it is when you chose to set up an account.

      As usual you don't know what you're talking about.

      You're a pathetic excuse of a human being.

      Says the man who is not only wrong again, but chose to name himself after a turd.

    39. Re:And? Care factor zero by MrHanky · · Score: 1

      Oh, so when it's Amazon and not their app that sends the UDID along with the user's name in plain text it's entirely secure.

      Fact 1) is, the UDID is trivially correlated to your real life identity, and it can be trivially used to track your location and movement. Fact 2) is that this article found sharing of your identity in close to 70% percent of the top iPhone apps, whereas the Android story the other day found such sharing in, what, 50% or so, two of which shared the phone number (one app on the list is designed to share phone numbers via a network server, and also exists for the iPhone, with equal risk).

      The Android story is filled with fanboys like yourself pretending what's in this story could never happen on the iPhone. This story is filled with fanboys like yourself pretending it doesn't matter anyway, and that the Android story is about something completely different. "True", but only for one application.

      What you're doing is fraudulent advertising of Apple's unproven security, based on nothing but corporate loyalty and wishful thinking. Hello, you just said, yesterday, that "this kind of stuff will mean an app won't get into the App Store". But Apple actually provides an API for it.

      Reality Distortion Field is in full effect.

    40. Re:And? Care factor zero by BasilBrush · · Score: 1

      You're determined to demonstrate you're an idiot I see.

      Fact 1) is, the UDID is trivially correlated to your real life identity, and it can be trivially used to track your location and movement.

      No, it can't be used to track your location and movement unless your location and movement is also sent. And let me remind you once again, that was information sent by the Android apps, but not by the iOS apps.

      Furthermore I repeat, the reason Amazon know your full name is because you're logged in and have previously explicitly told them what your name is. They send it in plain text, just as they will if you use any ordinary web browser to visit their web site. Take a look: provided you have an account and are logged in, your name is shown top left on the web site. Plain text HTTP.

      Fact 2) is that this article found sharing of your identity in close to 70% percent of the top iPhone apps, whereas the Android story the other day found such sharing in, what, 50% or so, two of which shared the phone number

      No, the UDID was transmitted in close to 70% of the top free apps, in exactly the way it is supposed to be used. It's NOT personal information, any more than a TCP/IP address is.

      50% or so of the top free Android apps were sending PERSONAL INFORMATION such as GPS location and phone number.

      Clearly you don't understand the difference. That's because you are an ignorant turd.

    41. Re:And? Care factor zero by illtud · · Score: 1

      Your MAC doesn't get to the internet. Learn a bit about routing.

    42. Re:And? Care factor zero by MrHanky · · Score: 1

      Your location is transmitted through the use of an ip address, made even simpler by the iPhone's preference of wifi, as the PDF stated. You claimed to have read it, but evidently you didn't.

      And once again, you lie: the "50%" Android phones transmitting personal information such as GPS and phone number were in fact "Seven applications collected the deviceID [UDID] and, in some cases, the phone number and the SIM card serial number." So 7 out of 30 did the same as 70% of the iOS apps, and not quite your 50% shared phone numbers. Also, what you call "GPS location" is actually called "location data" in the PDF, which for the most part is actually not based on GPS but on (oh, guess) the wifi spot or the wireless tower. Like what you're doing anyway.

      So, to reiterate: you're a fraud, deliberately trying to distort statistics to make Apple look good.

    43. Re:And? Care factor zero by BasilBrush · · Score: 1

      Your location is transmitted through the use of an ip address, made even simpler by the iPhone's preference of wifi, as the PDF stated.

      Like using any web browser or any other TCP/IP app then. Once again, go to the Amazon.com website, they have your name and your TCP/IP number.

      And once again, you lie: the "50%" Android phones transmitting personal information such as GPS and phone number were in fact "Seven applications collected the deviceID [UDID] and, in some cases, the phone number and the SIM card serial number." So 7 out of 30 did the same as 70% of the iOS apps, and not quite your 50% shared phone numbers. Also, what you call "GPS location" is actually called "location data" in the PDF, which for the most part is actually not based on GPS but on (oh, guess) the wifi spot or the wireless tower. Like what you're doing anyway.

      See page 10:

      "Applications sent location data in plaintext to admob.com, ad.qwapi.com, ads.mobclix.com (11 applications) and in binary format to FlurryAgent (4 applications). The plaintext location exposure to AdMob occurred in the HTTP GET string: ...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85B717D9195A6722A9&d%5Bcoord%5D=47.661227890000006%2C-122.31589477&...
      Investigating the AdMob SDK revealed the s= parameter is an identifier unique to an application publisher, and the coord= parameter provides the geographic coordinates."
      and
      "Half of the studied applications share location data with advertisement servers."

      So no, I'm not mistaken, you are. It's 50%, and it's actual geographical coordinates. As compared to the ability to usually identify a city from a TCP/IP address, that you are complaining about with the iPhone (and any device using a browser.)

      The Android apps are uploading personal user data as a matter of course. The iOS apps are not. You have to be stupid or a troll not to admit that.
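The capture-and-grep workflow quoted from the paper earlier in this thread (tshark capture, then Wireshark/ngrep/Net::Pcap to look for identifying data) and the AdMob GET string quoted in this comment amount to the same check: inspect each outgoing request for a device identifier or a coordinate pair, and record which hosts receive them. The Python below is an added example, not code from the paper or from any poster. It works on request URIs of the kind `tshark -T fields -e http.request.full_uri` prints, so it runs offline on the constructed sample; the `.example` hosts, parameter names and values are constructed (the 40-hex UDID is the example value quoted elsewhere in the thread, the `s=` and `d[coord]` parameter names follow the paper's quote), and it also builds the cross-host view that the UDID-as-shared-token concern above is about.

```python
"""Classify extracted HTTP request URIs for device-identifier and location leakage.

Added example, not from the paper or any poster. Input is plain text, one request
URI per line, as `tshark -T fields -e http.request.full_uri` would emit.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# An iPhone UDID is 40 hex characters; require it to be a whole token so that
# longer hex blobs (hashes, binary payloads) are not misreported.
UDID_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
# A decimal "lat,lon" pair, the shape of the coord parameter quoted from the paper.
COORD_RE = re.compile(r"^-?\d{1,3}\.\d+,\s*-?\d{1,3}\.\d+$")

# Constructed sample (hosts under the reserved .example domain; the UDID is the
# example value quoted in this thread; the coordinate pair is the one quoted from
# the paper).  Line 3 is a clean request and must not be reported.
SAMPLE_URIS = """\
http://vendor.example/launch?udid=2b6f0cc904d137be2e1730235f5664094b831186&v=1.2
http://ads.example/ad?s=a14a4a93f1e4c68&t=2B6F0CC904D137BE2E1730235F5664094B831186&d%5Bcoord%5D=47.661227890000006%2C-122.31589477
http://vendor.example/news?page=2
http://metrics.example/ping/2b6f0cc904d137be2e1730235f5664094b831186
"""


def classify_uri(uri):
    """Return the host plus any UDID-shaped tokens and coordinate parameters in one URI."""
    parts = urlsplit(uri)
    # Scan the percent-decoded URI (path included) so identifiers embedded in
    # the path are found too; fold case so the same UDID counts once.
    udids = sorted({m.lower() for m in UDID_RE.findall(unquote(uri))})
    coords = [(key, value)
              for key, value in parse_qsl(parts.query, keep_blank_values=True)
              if COORD_RE.match(value)]
    return {"host": parts.hostname, "udids": udids, "coords": coords}


def scan(text):
    """Classify every non-empty line; keep only requests that leak something."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        info = classify_uri(line)
        if info["udids"] or info["coords"]:
            findings.append(info)
    return findings


def hosts_per_identifier(findings):
    """Map each identifier to the sorted list of hosts that received it.

    An identifier seen by more than one host is a token those parties could join on.
    """
    table = defaultdict(set)
    for finding in findings:
        for udid in finding["udids"]:
            table[udid].add(finding["host"])
    return {udid: sorted(hosts) for udid, hosts in table.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_URIS)
    for finding in results:
        print(finding)
    print(hosts_per_identifier(results))
```

Feeding it real captures only changes the input: pipe tshark's field output into `scan()`. The value of the last function is that it answers the question this thread keeps circling, namely how many distinct parties receive the same device token from one phone.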

    44. Re:And? Care factor zero by Tharsman · · Score: 1

      But any application that is installed within your computer can read it and transmit it wherever they want.

    45. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      You do realize that all cellphones have many unique hardware identifiers, right? The IMSI, ICC-ID, IMEI...

    46. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      Which is why it is a good thing that Apple bans most of that, requires explicit or implicit notification of when it does allow it, has strict rules for the separate categories of user data and device data, and bans anyone who attempts to abuse its requirements.

    47. Re:And? Care factor zero by Anonymous Coward · · Score: 0

      There's no reason to prove he's wrong: he's only pointing out the patently obvious. The UDID is supposed to be used to id unique devices. Saying that it's being used by apps to identify unique devices is perfectly obvious and doesn't carry with it any scary conclusions about privacy at all.

      What the author needs to prove is that this device data is being correlated with personal data. Something which is explicitly banned by Apple and not at all proved in his paper.

      In fact, the author needs to retract several clear errors: 1) he claims there are no measures to prevent personal information being used by third parties or tracking to occur - WRONG and 2) he claims Apple withholds the right to use location information at all times without specific approval just by visiting the App Store for activation while ignoring the first clause of the sentence that says "By using any location-services on the iPhone" i.e. Apple can't use location services until you turn it on at which point it warns you.

    48. Re:And? Care factor zero by lavagolemking · · Score: 1

      Eh, what good is a MAC address in comparison to other identifiable bits of information? If I were tracking you, unless you're on my network (ok, if I'm Apple I guess you are in this case), I wouldn't care about your MAC address nearly as much as I would care about your device serial numbers, or your subscriber information if I can get that.

    49. Re:And? Care factor zero by Tharsman · · Score: 1

      MAC addresses are unique and therefore as valid to identify unique devices as any UDID.

      The point is not about it being optimal, but instead that any one complaining about it existing in the iPhone or being transmissible is missing the bigger picture: every network connected device already has unique identifiers.

  4. Another app? by Delarth799 · · Score: 1

    Want to see how many of your applications are currently sending your UDID to their vendor's server?
    Well there's an app for that!

  5. Now that it's out there by schnikies79 · · Score: 1

    I except to see a cydia patch in the next few weeks.

    --
    Gone!
    1. Re:Now that it's out there by grub · · Score: 1

      Use FirewallIP off Cydia. It's a few bucks but works very well.

      --
      Trolling is a art,
    2. Re:Now that it's out there by Anonymous Coward · · Score: 0

      I second that. I think it's funny that my jailbroken iPhone gives me way more control over exactly what I let each app connect to than people using android.

    3. Re:Now that it's out there by jojoba_oil · · Score: 1

      I except

      Coding something that has to do with exceptions lately? I think you meant to say you expect.

  6. I can see... by Anonymous Coward · · Score: 0

    the smile in Richard Stallman's face...

    1. Re:I can see... by grub · · Score: 1

      Your X-Ray glasses can penetrate greasy beard?

      --
      Trolling is a art,
  7. Error in the abstract? by Anonymous Coward · · Score: 0

    They really should have done more proofreading
    hint - it is NOT 13 years old

  8. Well, probably NOT a problem by zentechno · · Score: 2, Interesting

    As has been said, it identifies the phone, and not the user (though a majority of the time it'll be the phone's owner). Many apps use the UUID as a unique ID (ahem) to store state, e.g. viewed pages, favorites, etc. Yes, this is also done with a log in, or it could be done transparently via the UUID; not sure there's a best/worse here. I know -- it's the transparency that's the controversy, but I'm a bit pressed to think of anything that's revealed that couldn't also be revealed with (or without) "vendor collusion" (e.g. an App-to-UUID database to see which apps are on the same phone -- oh, wait, Apple knows that).

    --
    "The wall between art and engineering exists only in our minds." -- Theo Jansen
  9. If you read the paper... by layertwo · · Score: 3, Informative

    "We also confirmed that some applications are able to link the UDID to a real-world identity."

    1. Re:If you read the paper... by Anonymous Coward · · Score: 0

      Being "able to" does not mean they are. Obviously if you are telling Amazon who you are and they are using a unique identifier, they could correlate a user identity with that unique identifier, but Apple explicitly bans doing so and this "report" does not prove anyone is doing so by any means.

  10. 1997? by Anonymous Coward · · Score: 0

    The beginning of the abstract:

    Every Apple iPhone shipped since its introduction in 1997
    contains a unique, software-visible serial number

    And people are complaining now? Pfft

  11. easy solution... by Mike+Dav.+Kristopeit · · Score: 0

    develop your own apps.

  12. Recommended alternatives? by swamp+boy · · Score: 5, Interesting

    This article is very timely for me. I'm an iPhone developer who's planning to add a server component for some of my iPhone apps. My initial thinking was to simply make use of the built-in UDID since it's there and doesn't require any effort on the part of the user. I did RTFA and I can see how the use of UDIDs could lead to unethical situations.

    On the other hand, what's the alternative? Generally speaking, an iPhone app that has a server component with functionality that's geared to a specific user needs something to identify that user. Sure, I could force the user to enter their email address or make up a user id. Unless a user goes to the trouble of making sure that each service/app they deal with uses a separate and distinct user id or email address, you're back in the same situation (or close to it).

    I'm genuinely interested in hearing suggestions on the preferred mechanism that helps to maintain privacy.

    1. Re:Recommended alternatives? by alannon · · Score: 5, Interesting

      Additionally, Apple's documentation on the API that provides the UDID specifically indicates that Apple considers it appropriate to use as a method of identifying a user/device.

      Of course, that doesn't change the privacy implications, but it indicates that the UDID is provided by Apple to developers for precisely that purpose.

    2. Re:Recommended alternatives? by hsmith · · Score: 1

      You could provision your own GUID and store it in the Keychain. Keychain is restored to the devices upon a restore operation (even device to device).

      I see nothing wrong with collecting UDID's, we do so to identify devices with APNS.

      Just FUDD.

    3. Re:Recommended alternatives? by Wormholio · · Score: 1

      If you take a hash (eg SHA1 is better than MD5) of the UDID you get a unique string that is not the UDID. Of course if other apps do the same then these could be compared to identify users -- not necessarily by name, but connecting a user on one server with a user on another.

      So concatenate the App Id, which is unique to the app, with the UDID, which is unique to the device, and then take the hash, which is then unique to both and not invertible. Do this once, on the device (not on your server, or the UDID has to be transmitted), and use that as a unique identifier of the user/device.

      --
      "Education is not the filling of a pail, but the lighting of a fire." -- William Butler Yeats
    4. Re:Recommended alternatives? by Anonymous Coward · · Score: 0

      "I'm genuinely interested in hearing suggestions on the preferred mechanism that helps to maintain privacy."

      How about asking the user if they would like to use the UDID or if they would prefer some other method of identification (such as a PIN or somesuch)? There are many reasons beyond the few scenarios I can dream up that would make using a UDID a bad idea by default. Of course, I am sure that a majority of users would prefer the ease of use that comes along with you using the UDID, so offering it as a choice and ASKING them is a simple way to solve your conundrum. :)

      Regards,
      strike

      (CAPTCHA was battler. Is the CAPTCHA system prescient? This is not the first time it has seemed especially apropos to the content.)

    5. Re:Recommended alternatives? by tumbak · · Score: 1

      use the md5sum of the UDID, it will be almost always unique and it won't identify the user since you can't reverse it into the UDID again.

    6. Re:Recommended alternatives? by jeremyp · · Score: 1

      Generate your own unique id.

      The first time the phone phones home, it uses a designated null id. The server generates a unique id and sends it to the phone which stores it in the user prefs. On each subsequent phone home the app uses the generated id.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    7. Re:Recommended alternatives? by Anonymous Coward · · Score: 0

      just use a hash of the UUID.

      Assuming the UUID was sufficient, this will do the trick for you, and there is no way to get the UUID from the hash, short of direct comparison. The hash will identify unique devices, but then again, so will a user-picked login name.

    8. Re:Recommended alternatives? by Anonymous Coward · · Score: 0

      Ask the user to type something in, name, email, etc, or ask the server to give you a unique random number on first launch.

      Should only take a few minutes to implement that.

  13. As a developer thinking about such things ... by perpenso · · Score: 1

    That could be done just as easily without sending the UDID.

    Agreed. I would use a hash of the UDID.

    However for some circumstances I don't think the developer needs any sort of device ID. For example I have a scientific and hex calculator app, other modes are about to be released. I would like to get some usage data showing how much use the various modes get. I've considered adding counters that indicate how many operations are performed in each mode and sending these counters to a server periodically. All I want is aggregate data, I don't need any device ID in this case.

    1. Re:As a developer thinking about such things ... by raddan · · Score: 2, Interesting

      I am a university researcher doing iPhone development as a part of our project. We use UDIDs to allow our users to control information exchange between themselves and other iPhone users. We could probably use a hash of UDIDs (really, you'd probably want a hash of a UDID and a salt if you're hashing) or maybe even some other identifier, but I'm not really sure what additional privacy that gains iPhone users. From our perspective, we track them either way. Is the concern that someone else gets our users' UDIDs and combines that information with other UDID information? We were thinking that UDIDs were a step up from username + password, since this allows participation with a minimal amount of information being collected.

    2. Re:As a developer thinking about such things ... by perpenso · · Score: 4, Interesting

      One of my concerns would be that having the UDID allows for more general impersonation. With a hash specific to a particular app the impersonation is limited to your app.

      Another concern would be related to personally identifiable information (PII). When non-PII is associated with PII the non-PII now falls under all the PII regulations. If you use a hash you do not have to worry about what others at the university are collecting. Keep in mind that what constitutes an association between non-PII and PII may be defined by a hostile lawyer. Maybe your team's data being on the same server as another team's.
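Several replies in the thread above suggest hashing the UDID (md5sum, SHA-1, or the app id concatenated with the UDID before hashing), and this reply adds that a per-app value limits impersonation to that one app. The Python below is an added example, not any poster's code, that makes those properties concrete: it uses SHA-256 in place of the MD5/SHA-1 mentioned, the two bundle identifiers are constructed, and the UDID is the example value quoted elsewhere in the thread. It shows that a bare hash of the UDID is identical for every app (so two vendors can still join on it), that a per-app derivation is not, and that either token can be reproduced by anyone who holds the UDID and knows the app id, which is exactly what bounds a forged per-app token to a single app.

```python
"""Bare hash vs. per-app derivation of a device token.

Added example, not from any poster.  SHA-256 is used throughout; the bundle
identifiers are constructed, the UDID is the example value quoted in the thread.
"""
import hashlib

UDID = "2b6f0cc904d137be2e1730235f5664094b831186"   # example UDID quoted in the thread
APP_A = "com.example.calculator"                      # constructed bundle identifier
APP_B = "com.example.newsreader"                      # constructed bundle identifier


def bare_hash(udid, algo="sha256"):
    """The 'just hash the UDID' suggestion: no app-specific input at all."""
    return hashlib.new(algo, udid.encode("ascii")).hexdigest()


def per_app_id(app_id, udid):
    """Per-app token: hash of the app id and the UDID.

    A NUL separator marks the boundary between the two fields so that different
    (app_id, udid) splits of the same concatenated string cannot collide.
    """
    return hashlib.sha256(f"{app_id}\x00{udid}".encode("utf-8")).hexdigest()


def servers_can_join(token_seen_by_a, token_seen_by_b):
    """Two vendors can link their records for a device iff they hold the same token."""
    return token_seen_by_a == token_seen_by_b


def recompute_matches(app_id, udid, observed_token):
    """Whoever holds the UDID (and knows the app id) can reproduce the token.

    The hash therefore only hides the UDID from parties that never see it; it is
    not a secret.  Trying the wrong app id yields a different value, which is why
    a token captured from one app is useless against another app's server.
    """
    return per_app_id(app_id, udid) == observed_token


def compare_schemes(udid=UDID, app_a=APP_A, app_b=APP_B):
    """Summarise the linkability and forgeability properties of both schemes."""
    bare_a, bare_b = bare_hash(udid), bare_hash(udid)       # both apps hash the same input
    tok_a, tok_b = per_app_id(app_a, udid), per_app_id(app_b, udid)
    return {
        "bare_joinable": servers_can_join(bare_a, bare_b),       # True: same token everywhere
        "per_app_joinable": servers_can_join(tok_a, tok_b),      # False: tokens differ per app
        "per_app_recomputable": recompute_matches(app_a, udid, tok_a),   # True: no secret involved
        "cross_app_forgery_works": recompute_matches(app_b, udid, tok_a),  # False: scope is one app
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The per-app token is a pseudonym, not a credential: it stops unrelated servers from correlating a device, but it cannot authenticate the device, because nothing in its derivation is secret.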

  14. UDID does not identify a user by perpenso · · Score: 1

    The UDID would be a poor choice to identify a user. A person may have multiple devices, say an iPhone and an iPad, or they may replace/upgrade their device to a newer model. I think you will have to use an account name chosen by the user, an email address, etc.

    1. Re:UDID does not identify a user by swamp+boy · · Score: 1

      Good point. I hadn't considered the multi-device situation for a single user. Like I said, it's all very preliminary ideas at the moment (not having started work on any of the implementation yet).

    2. Re:UDID does not identify a user by Jah-Wren+Ryel · · Score: 2, Interesting

      Go with a user-editable field that defaults to the unit's UDID for username and also defaults to a reasonably unguessable password.
      That way you have a sane default that user can change if they have a need to.
      Make sure to include a brief help description of that field and its purpose so that the user will know that it need not be a bunch of hex digits.

      Also, on the server side keep a unique "user id" that never goes to the phone - that way changing the username on the phone side doesn't result in a brand new account on the server side.

      Also, watch out for collisions - don't want some poor schmuck changing their username to one that already exists and then being both locked out and unable to change it to something else.

      --
      When information is power, privacy is freedom.
    3. Re:UDID does not identify a user by dreamchaser · · Score: 1

      Perhaps we need something like OpenID for Apple iOS. Not that I care much as I don't plan on ever owning an iOS device. I'll wait for a capable Linux based tablet, and unless they put a real keyboard on the iPhone I won't be going there either. Still, maybe that's another project you could look into.

    4. Re:UDID does not identify a user by am+2k · · Score: 1

      Using the Apple ID would help there, but I guess you can't access that from an iOS app.

    5. Re:UDID does not identify a user by perpenso · · Score: 1

      ... unless they put a real keyboard on the iPhone ...

      Bluetooth keyboards work. I think there is at least one case that accommodates both.

    6. Re:UDID does not identify a user by TrancePhreak · · Score: 3, Informative

      The UDID is pretty long, doesn't really make for a good user name. This is an example UDID: 2b6f0cc904d137be2e1730235f5664094b831186

      --

      -]Phreak Out[-
    7. Re:UDID does not identify a user by Anonymous Coward · · Score: 1, Insightful

      You also run into problems going the other direction: someone who sells their old iPhone when they upgrade is suddenly unable to get into an account that was tied into their UDID, while the person who bought the phone would have access to the account (assuming they went and bought the same app... so, if you plan/hope on becoming popular, it's worth thinking about) and any personal information that might be associated with that account.

    8. Re:UDID does not identify a user by Jah-Wren+Ryel · · Score: 1

      So? The point is to have something to fill in for a default of a field that 99% of the users won't ever even see.
      If it ever needs to be changed, the user gets to pick something much shorter and more meaningful to them.

      --
      When information is power, privacy is freedom.
    9. Re:UDID does not identify a user by deimtee · · Score: 3, Insightful

      So you have buttons that say "Use device ID" and "Select a Username". You don't have to actually display the ID.
      Would also give you some data about how many people care enough to create a username rather than use the UDID.
      On the server side you need to come up with a way to tie multiple devices to the one account if they use the UDID option. Possibly have a "link another device" option that has the server generate a code transmitted back to the first device, that they have to key in on the second.

      --
      I'm guessing that wasn't on their radar screen...
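The pieces proposed across this discussion fit one small protocol: the server-issued id from the thread above (first contact carries no id, the server mints one and the client stores it), the server-side internal user id kept separate from the username with a collision check on rename, and the "link another device" code from this comment. The Python below is an added example, not any poster's code, modelling both sides in memory so the exchange can be run end to end; the token and code formats (random 128-bit hex tokens, six-character link codes) are constructed choices, and on a real device the client's token would sit in the user preferences or the Keychain as the earlier replies describe.

```python
"""Server-issued device tokens with account linking across devices.

Added example, not from any poster.  Everything is in memory; no hardware
identifier is ever sent, and the link code is single use.
"""
import secrets
import string


class AccountServer:
    CODE_ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self):
        self.devices = {}     # device token -> internal user id (never sent to the phone)
        self.users = {}       # internal user id -> {"username": str | None, "devices": set}
        self.usernames = {}   # username -> internal user id
        self.link_codes = {}  # pending link code -> internal user id

    def register(self):
        """First launch: the client sent no id, so mint a device token and a fresh account."""
        token = secrets.token_hex(16)
        uid = secrets.token_hex(8)
        self.devices[token] = uid
        self.users[uid] = {"username": None, "devices": {token}}
        return token

    def whoami(self, token):
        """Resolve a token to the account it belongs to (None if unknown)."""
        return self.devices.get(token)

    def set_username(self, token, username):
        """Rename the account behind this token; refuse names owned by another account."""
        uid = self.devices[token]
        owner = self.usernames.get(username)
        if owner is not None and owner != uid:
            return False                      # collision: leave the old name in place
        old = self.users[uid]["username"]
        if old is not None:
            del self.usernames[old]
        self.usernames[username] = uid
        self.users[uid]["username"] = username
        return True

    def begin_link(self, token):
        """Issue a short code to an already-registered device for typing into a second one."""
        uid = self.devices[token]
        code = "".join(secrets.choice(self.CODE_ALPHABET) for _ in range(6))
        self.link_codes[code] = uid
        return code

    def redeem_link(self, code):
        """Second device presents the code; it gets its own token on the same account."""
        uid = self.link_codes.pop(code, None)     # pop makes the code single use
        if uid is None:
            return None
        token = secrets.token_hex(16)
        self.devices[token] = uid
        self.users[uid]["devices"].add(token)
        return token


class Client:
    """The app side; `token` is what would be stored in the prefs/Keychain."""

    def __init__(self, server):
        self.server = server
        self.token = None

    def phone_home(self):
        """Each launch: register once if no token is stored, then use the stored token."""
        if self.token is None:
            self.token = self.server.register()
        return self.server.whoami(self.token)

    def link(self, code):
        """Adopt the account behind `code`; any earlier stand-alone account is abandoned."""
        token = self.server.redeem_link(code)
        if token is None:
            return False
        self.token = token
        return True


if __name__ == "__main__":
    server = AccountServer()
    phone, ipad = Client(server), Client(server)
    print("phone account:", phone.phone_home())
    code = server.begin_link(phone.token)
    print("linked:", ipad.link(code), "ipad account:", ipad.phone_home())
```

Because the phone only ever holds an opaque token, selling the device does not carry the account to the buyer once the token is wiped, and the account survives a device swap through the link code rather than through any hardware identifier.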
    10. Re:UDID does not identify a user by an+unsound+mind · · Score: 1

      Have a username and password, and give the user the option to "automatically log in when connecting from this device".

      That way you get the good sides of both implementations.

    11. Re:UDID does not identify a user by BasilBrush · · Score: 1

      Go with a user-editable field that defaults to the unit's UDID for username and also defaults to a reasonably unguessable password.
      That way you have a sane default that user can change if they have a need to.
      Make sure to include a brief help description of that field and its purpose so that the user will know that it need not be a bunch of hex digits.

      Sounds more like a typical Linux UI than the sort of user friendly UI iPhone apps should have. Hex digits should never be displayed, especially not a scarily long string of them. Nor should a username field need help text.

    12. Re:UDID does not identify a user by Anonymous Coward · · Score: 0

      Nor should a username field need help text.

      But the field where you permanently change it should - which is what he was talking about. I guess UI stuff is hard if people can't even assume a reasonable baseline when talking about it.

    13. Re:UDID does not identify a user by jojoba_oil · · Score: 1

      I think that's the way OpenFeint and the TapTapRevolution games do it. Make sure to get optionally provided email address for account retrieval...

    14. Re:UDID does not identify a user by dreamchaser · · Score: 1

      I shouldn't have to buy and carry extra gear for features that I, for my uses, consider to be core necessities.

    15. Re:UDID does not identify a user by perpenso · · Score: 1

      I shouldn't have to buy and carry extra gear for features that I, for my uses, consider to be core necessities.

      I think the majority of users would have reciprocal complaints if the iPad had a built-in keyboard. Why do they have to add the bulk, weight and cost of a keyboard they don't want. For many years Macs were "gold plated" and included many premium features that most users didn't care about. I think Apple has learned from that mistake and rightfully makes such features options.

      It sounds like your needs make a netbook a better option for you.

  15. Is there a difference? by blair1q · · Score: 4, Insightful

    iPhone and Android. Two peas in different pods.

    The Internet is not secure.

    Your phone company is not your mommy.

    Software is more complex than humans can comprehend, and there will be holes in its behavior relative to your expectation, especially but not exclusively when you were not the one who wrote the requirements for it, but especially again when the people writing it want to leave avenues for future revenue growth.

  16. OH YES by GameboyRMH · · Score: 1

    Mine too. I just came in here to gloat and feel smug as fuck about how this won't happen on my Maemo device, as pretty much all of my apps are open source, and I can see what's going on anyways with tools like ps, top, netstat and whatever else I can make run on my device. Because I have root access. That makes me the fucking boss.

    Decision to choose Maemo over Android: 100% ~Vindicated~ B-)

    Now excuse me while I put on my pimp suit and strut around to some 70s-tastic beats.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:OH YES by Anonymous Coward · · Score: 0

      That's nice. But Maemo isn't magically immune to this. Do you know how to monitor for suspicious behaviour? You might, but the average user won't, and even if you do, can you stop random apps phoning home before they have done it, and not just be able to say what they have done after the fact?

      You might only use open source apps on your N900, but the apps from the Ovi store aren't open source, and there is no reason why they couldn't collect your personal data and send it off somewhere. And the average user isn't going to want to restrict themselves to just the open source software.

      Another point, even if you use only open source software, have you actually looked at the source yourself? If not, who has and if anybody actually has do you trust whoever did? Just being open source does not automatically make software free of bad stuff, just look at how long debian was shipping a version of ssh that didn't generate secure keys even though debian's patches were open for anyone to look at.

      Yeah, Maemo is probably safer in this regard than Android or iOS, but that is mostly because it has a small user base with a poor selection of apps in its app store. Maemo could just as easily be affected by software like this; it is just less likely to be.

      PS I'm posting this from my N900 which I love, I'm just not blind to its flaws and weaknesses.

    2. Re:OH YES by GameboyRMH · · Score: 1

      I have looked at the source of some apps and so have other people who I trust.

      I have a couple of closed-source apps installed from the Ovi Store, yeah I wouldn't be able to see what they've done until after the fact, but it's better for anyone to be able to see what happened just after it happened than to let it go on for months or years until some officially ordained developer with an R&D unit can do some proper testing.

      The small selection of apps in the app store probably does give malware writers less incentive, but all the good apps are in the community repos, and they're free, so win/win!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  17. Retarded by Anonymous Coward · · Score: 1, Insightful

    So a random identifier is somehow comparable to my GPS location?! Gimme a break

    1. Re:Retarded by bm_luethke · · Score: 1

      Yea, because we all know Apple wouldn't let that happen. (but don't worry, they do not associate it with you - they just associate it with the co-ordinates of where you live and work so it is totally anonymous).

      Face it, your phone is a little general purpose computer that happens to have the ability to talk to cell networks. Treat it as such and you will be happy, pretend it isn't and you are going to get bit. If developers have access to that information, the ability to transmit it anywhere, and it is really difficult to track if they are doing that then I can assure you that it occurs VERY often. Apple isn't remotely immune to it, their app approval process doesn't include inspecting source code. If this can make it through then you can be sure gathering GPS data and sending it over a socket can occur and does.

      All Apple does is give you a false sense of security.

      --
      ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
  18. Push by mr100percent · · Score: 1

    How is this different than registering the Apple device with the app for Push notifications? The article is pretty thin on details and the PDF is kinda slashdotted. Granted, push access requires the user to agree to it via a popup on first launch.

  19. Re:Laughable by dreamchaser · · Score: 1

    Steve Jobs rapes ninjas???

    Seriously though, you must be new here if you expect the Slashdot crowd to bash Apple about anything. That's almost as bad as asking them to admit that Linux has a few flaws.

    Disclaimer: I like Linux and run it on several machines as well as in VM's. Just sayin'...

  20. it's all good by somewhere in AU · · Score: 3, Informative

    Unique device ID doesn't violate privacy whatsoever since there is no link to your name, address, etc.

    It DOES however provide a great way of ensuring "trial" or "lite" apps handled by a server and doing what you intended in say limiting results or whatever.. it also is good for internal logs since you can refine your app by looking at how the app is used, both overall as well as individual patterns.

    You don't need GPS, personal or any other information at all to provide LOTS of benefits and an IMPROVED app once you have access to a unique ID that doesn't involve registering a username or whatever as annoying websites do.

    I think a credible business would disclose in an open way what server transactions are involved on a per-app basis and with our new server suite being rolled out I know we will provide a web page per app detailing this so it's all open and above board and the benefits given.

    1. Re:it's all good by Anonymous Coward · · Score: 0, Insightful

      You're a fag.

      Like so many others have pointed out, some of the apps do send the user's name -- along with the UID -- in plaintext.

    2. Re:it's all good by Anonymous Coward · · Score: 0

      Unique device ID doesn't violate privacy whatsoever since there is no link to your name, address, etc..

      You don't know that. Yes its just a unique id, just like your doubleclick tracking cookie or any other cookie on your computer. On its own, all it does is let the server know which iphone you are.

      But what if this is a twitter, IM client, or any other social networking app? Then they can tie that UDID to personal identifiable information.

      Even worse is that since this is a single UDID for the device (not a per-developer hash of the UDID), someone like Twitter or Beejive could sell access to their UDID->Personal Info database to other developers

  21. Re:Laughable by MrHanky · · Score: 1

    Bashing Apple has been OK for some time, but there's still a very vocal minority that goes into full denial every time Apple does something objectionable. Like most of the first comments here.

  22. No one wants extra goverment involvement by Stan92057 · · Score: 1

    No one wants extra government involvement, but this industry has shown and proven time and time again it will not police itself nor make policies that protect privacy. Our Government must step in. And to those who disagree, what's your idea, knowing these companies can not be trusted?

    --
    Jack of all trades,master of none
  23. Against app rules by SuperKendall · · Score: 1

    No but it enables douchebaggery like LOCKING the app to one device.

    Specifically not permitted by application developer guidelines. In fact if you support things like in-app purchase, you MUST make sure purchases transfer across user devices.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  24. More like the shoe is in your mouth with foot by SuperKendall · · Score: 1

    What's that? Why, I think it's the sound of the other shoe dropping!

    Honestly, you are equating the release of a phone number and constant GPS feed, to a UDID that had no identifying information about you and is only used to detect if the same device is returning to a server? Really?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  25. Blown out of proportion by mr_zorg · · Score: 1

    Bah, this is blown out of proportion a little bit. The UDID, by itself, tells a developer nothing about YOU. Its use is documented and encouraged by Apple for tracking user devices (which TFA admits). Now sure, if I were to also grab your address book I can tie that to your UDID, but it's my grabbing your address book that's the problem, not the UDID. I suppose if Apple wanted to make this more secure they could make the API automatically hash the UDID with your Application ID (also unique) and return that instead. You would still be able to use it for the same purposes as UDID was intended for, but NOT between apps.
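
The suggestion above (and the earlier reply noting that the UDID is not "a per-developer hash of the UDID") can be checked with a few lines. What follows is an added example, not code from the thread and not anything Apple ships: it models an OS API that returns an app-scoped value instead of the raw UDID, once as the plain hash proposed here and once keyed with a per-device secret that only the OS holds (that secret, the `com.example.*` app IDs and the 40-hex UDID are all constructed assumptions). The point it demonstrates is the caveat a practitioner would raise: an unkeyed hash only stays unlinkable while nobody anywhere still has the raw UDID.

```python
import hashlib
import hmac

# Added example, not from the thread or from Apple. Models an API that hands
# each app a value derived from the UDID and the app ID instead of the UDID.
# UDIDs, app IDs and the per-device secret below are constructed.


def naive_app_scoped_id(udid, app_id):
    """hash(app ID || UDID): the scheme as literally proposed, no secret."""
    return hashlib.sha256(f"{app_id}\0{udid}".encode()).hexdigest()


def keyed_app_scoped_id(udid, app_id, device_secret):
    """HMAC over the same input, keyed with a secret only the OS holds
    (assumption: a random per-device key that apps can never read)."""
    return hmac.new(device_secret, f"{app_id}\0{udid}".encode(), hashlib.sha256).hexdigest()


def broker_links_naive(raw_udid, app_b_id, id_uploaded_by_app_b):
    """A data broker holding the raw UDID from some other source (an app on
    the old API, a leaked log) checks whether it can reproduce app B's id."""
    return naive_app_scoped_id(raw_udid, app_b_id) == id_uploaded_by_app_b


def broker_links_keyed(raw_udid, app_b_id, id_uploaded_by_app_b, guessed_secret):
    """Same attempt against the keyed scheme; the broker has to guess the key."""
    return keyed_app_scoped_id(raw_udid, app_b_id, guessed_secret) == id_uploaded_by_app_b


def demo():
    udid = "0123456789abcdef0123456789abcdef01234567"   # constructed, not a real device
    device_secret = bytes(range(32))                    # constructed per-device key
    app_a, app_b = "com.example.flashlight", "com.example.social"

    naive_a, naive_b = naive_app_scoped_id(udid, app_a), naive_app_scoped_id(udid, app_b)
    keyed_a, keyed_b = (keyed_app_scoped_id(udid, app_a, device_secret),
                        keyed_app_scoped_id(udid, app_b, device_secret))
    return {
        # analytics still work: the same app sees the same value every launch
        "naive_stable": naive_a == naive_app_scoped_id(udid, app_a),
        "keyed_stable": keyed_a == keyed_app_scoped_id(udid, app_a, device_secret),
        # two apps on one device cannot join their records by identifier alone
        "naive_apps_differ": naive_a != naive_b,
        "keyed_apps_differ": keyed_a != keyed_b,
        # but anyone who still has the raw UDID recomputes the unkeyed value
        "naive_broker_links": broker_links_naive(udid, app_b, naive_b),
        # while the keyed value resists that unless the per-device key leaks
        "keyed_broker_links": broker_links_keyed(udid, app_b, keyed_b, b"wrong guess"),
    }
```

Run `demo()` and the two `*_broker_links` entries are the ones that matter: the naive scheme is only as private as the weakest holder of the raw UDID, which on a platform that already exposes it to every app is not private at all.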

    1. Re:Blown out of proportion by Anonymous Coward · · Score: 0

      Automatically hashing the UDID with the App ID is a great idea. If only I had some mod points...

  26. Pandora by Culture20 · · Score: 5, Informative

    Yeah, I noticed that with Pandora after my friend sold me his old phone (he had it wiped first). I downloaded Pandora and started screwing around with his stations because I thought they were just default stations Pandora gave me. They were basing access on the UDID.

    1. Re:Pandora by gabebear · · Score: 1

      It seems more likely that he just deleted all his apps (which would take their data with them), but didn't restore/fully blank the phone. If an app stores a login/password in the keychain, then it will still be there when you reinstall the application.

    2. Re:Pandora by Anonymous Coward · · Score: 0

      Hey, you're buying it wrong.

      You need to buy your own phone.

    3. Re:Pandora by hackshack · · Score: 1

      Happened to me, too. You can change your Pandora password 'til the cows come home, and the old phone will still be able to login!

      Best part is, Pandora keeps their UDID databases inaccessible from your account, so you can't just login to Pandora and see the device(s) associated with that account. You have to email Customer Service and ask them to delete all your devices, whatever those may be. Happens on their (paid) desktop client, too. I put in a feature request to make our devices available in our account settings, but I'm not holding my breath.

      For what it's worth, Pandora Support told me that if I chose "log out" on the Pandora iPhone client before getting rid of my old phone, it would have removed the UDID from their database. I half-believe this: more likely it's just marked it as "logged off."

    4. Re:Pandora by Culture20 · · Score: 1

      Happened to me, too. You can change your Pandora password 'til the cows come home, and the old phone will still be able to login!

      Best part is, Pandora keeps their UDID databases inaccessible from your account, so you can't just login to Pandora and see the device(s) associated with that account. You have to email Customer Service and ask them to delete all your devices, whatever those may be. Happens on their (paid) desktop client, too. I put in a feature request to make our devices available in our account settings, but I'm not holding my breath.

      For what it's worth, Pandora Support told me that if I chose "log out" on the Pandora iPhone client before getting rid of my old phone, it would have removed the UDID from their database. I half-believe this: more likely it's just marked it as "logged off."

      Either way, that was what allowed me to use a new account for myself. Pandora's devs made some really stupid assumptions.

    5. Re:Pandora by Anonymous Coward · · Score: 0

      funny++;
      sad++;
      true++;
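
The Pandora thread above describes a specific failure mode: the UDID was treated as a credential, so a second-hand phone kept access after a password change, the account could not see its own devices, and "log out" may only have flagged a record instead of deleting it. The following is an added example, not Pandora's code and not anything from the thread; both classes are constructed in-memory models with invented names. The first reproduces the behaviour the commenters describe; the second shows the same "remembered device" feature with a per-device random token that is stored hashed, revoked on password change, deleted on logout, and listable by the account.

```python
import hashlib
import hmac
import secrets

# Added example, not Pandora's code. Two constructed in-memory models of a
# service that remembers devices: the broken pattern from the thread and a
# hardened one where the device identifier is a lookup key, not a credential.


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UdidIsTheCredential:
    """Failure mode: once a UDID has been seen with a valid password login,
    the UDID alone logs in forever. A later password change never touches it."""

    def __init__(self):
        self.accounts = {}      # user -> (salt, hash)
        self.udid_to_user = {}  # udid -> user

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = (salt, _pw_hash(password, salt))

    def login_with_password(self, user, password, udid):
        salt, h = self.accounts[user]
        if not hmac.compare_digest(h, _pw_hash(password, salt)):
            return False
        self.udid_to_user[udid] = user
        return True

    def login_with_udid(self, udid):
        return self.udid_to_user.get(udid)      # no second factor of any kind

    def change_password(self, user, new_password):
        self.register(user, new_password)       # udid_to_user is left as is


class DeviceTokenIsTheCredential:
    """Hardened form: each device gets its own random token (only its hash is
    stored); a password change revokes every device; logout deletes the
    record; the account can list its devices."""

    def __init__(self):
        self.accounts = {}      # user -> (salt, hash)
        self.devices = {}       # udid -> {"user": str, "token_hash": bytes}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = (salt, _pw_hash(password, salt))

    def login_with_password(self, user, password, udid):
        salt, h = self.accounts[user]
        if not hmac.compare_digest(h, _pw_hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.devices[udid] = {"user": user,
                              "token_hash": hashlib.sha256(token.encode()).digest()}
        return token            # only the client ever holds the plaintext token

    def login_with_device(self, udid, token):
        rec = self.devices.get(udid)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["token_hash"], hashlib.sha256(token.encode()).digest()):
            return None
        return rec["user"]

    def list_devices(self, user):
        return sorted(u for u, rec in self.devices.items() if rec["user"] == user)

    def logout(self, udid):
        self.devices.pop(udid, None)    # delete the record, not "mark as logged off"

    def change_password(self, user, new_password):
        self.register(user, new_password)
        for udid in self.list_devices(user):
            self.logout(udid)           # revoke every remembered device
```

Storing only the token hash means a leaked device table does not hand out working credentials; the UDID in that table is then just an index, and a phone sold on carries nothing the new owner can use.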

  27. Okay, so apps set cookies and collect your UDID by Brian Recchia · · Score: 1

    http://brian.recchia.name/drops/1285986908.png

    I'm guessing people who actually are afraid of this don't like Slashdot, either.

  28. Ads or Developer by kimble3 · · Score: 1

    I would be curious to know how many of the developers are actually collecting ID's or if it is because they are using something like AdMob or iAd in their app and that is what is collecting them...

  29. I guess I don't see a huge issue, really? by King_TJ · · Score: 1

    For decades now, your network cards all had unique MAC addresses which could theoretically identify you, too. So what?
    It only identifies the particular piece of HARDWARE as unique. It doesn't prove anything about WHO owns the device, or even who is actually operating it at a given point in time.

    Any privacy issues only come up because of specific implementations that do "bad" things. Anger at the hardware maker for including some sort of unique ID with the device is misplaced, IMO.

    (You know, kind of like that "Guns don't kill people.... People do." argument.)

    1. Re:I guess I don't see a huge issue, really? by Anonymous Coward · · Score: 0

      For decades now, your network cards all had unique MAC addresses which could theoretically identify you, too.

      Ethernet MAC addresses are only used on your local network and are not normally passed to remote servers, so your comparison isn't a good one.

    2. Re:I guess I don't see a huge issue, really? by Anonymous Coward · · Score: 0

      It only identifies the particular piece of HARDWARE as unique. It doesn't prove anything about WHO owns the device, or even who is actually operating it at a given point in time.

      Actually it does. It can't distinguish who is USING the device, but Apple and their providers have extensive lists of who is registered as the owner of what ID, which gets updated in the event that the owner of a specific ID changes. You under-estimate how easy this is to do.

    3. Re:I guess I don't see a huge issue, really? by petermgreen · · Score: 1

      Any app that wants to do so can pass them though and afaict many activation/license management systems do.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  30. Same thing? Really? A test for you. by SuperKendall · · Score: 1

    iPhone and Android. Two peas in different pods.

    Really? Here's a test. Here's my actual iPhone UDID:

    cf3e2f8e6515207d5d93ac315a8e07081d2ac3d9

    Now you post your phone number and current GPS location as the Android apps were recording and we'll see how much each can find out about the other.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  31. Jailbreak FTW by tlhIngan · · Score: 1

    This isn't a new problem - I think /. reported on it a couple of years ago. Sure it wasn't a UDID, but it was the phone number or other more identifiers. ICCID and IMEI are probably more risky to leak out - the UDID doesn't really tell you much of anything. It doesn't tell you the phone model, the user's phone number (which can change), ICCID, IMEI, etc. unless it's purposely linked. All it identifies is the particular piece of hardware.

    And naturally, jailbreakers have solutions for all this.

    First, there's UDIDFaker, which changes your UDID on a per-app basis. On iOS 4.x, the GUI doesn't work, but you can manually edit the plist file with the app and UDID you desire to use.

    Second, there's Firewall IP, which pops up a dialog whenever an app wants to open a network connection, where you can control which connections fail and which ones succeed.

    There used to be a blog that tested apps and reported what was sent back to the user - it's not a new problem, but a very old one...

  32. most apps are likely using it for analytics by updog · · Score: 1

    The UDID is really useful for collecting analytics, such as with Flurry Analytics. You can really easily get nice graphs and charts on how users in aggregate are using your app, or drill down to any particular (anonymous) user based on the UDID. For these analytics to be useful, you need to specify some type of unique identifier for the device. A UDID makes perfect sense, and there really isn't any standard or easy way to map the UDID to any particular user anyway, so it's hard to see what all the fuss is about. Regardless, the app should let the user know the UDID is being logged, and allow them the option to turn the logging off.

  33. So what? by chrysalis · · Score: 1

    UDIDs are commonly used in order to estimate how many users an application has, especially on applications that don't require people to register an account.

    Tons of web sites and ad servers are also sending cookies for this very purpose. It's not bullet proof, but it's better than nothing.

    UDIDs can also be useful in order to block users (spammers, people sending illegal content, etc) on social networks, as it's more difficult to buy a new device than it is to create a new account.

    --
    {{.sig}}
  34. What about push? by Anonymous Coward · · Score: 0

    How are push notifications supposed to work without the UDID?
    As an app provider, you use it to send the notification to Apple, so naturally you need to have it, use it and sometimes store it... I don't see what the big news is here.
