Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Top iPhone Apps Collect Unique Device ID

Posted by Soulskill on from the your-computer-is-broadcasting-a-UDID dept.

An anonymous reader writes "It looks like iPhone users are not immune to the types of data leaks recently discovered on the Android platform. Researchers looked at the top free applications available from the App Store and discovered that '68% of these applications were transmitting UDIDs to servers under the application vendor's control each time the application is launched.' The iPhone's Unique Device ID, or UDID, cannot be changed, nor can its transmission be disabled by the user. The full paper is available in PDF form."

12 of 194 comments (clear)

  1. Re:And? Care factor zero by grub · · Score: 2, Informative

    All iOS apps that ask for location info generate a permissions dialog.
    You can set a default per-app in the Location Services option screen.

    --
    Trolling is a art,
  2. Re:And? Care factor zero by Anonymous Coward · · Score: 1, Informative

    From the summary... "We also confirmed that some applications are able to link the UDID to a real-world identity."

  3. If you read the paper... by layertwo · · Score: 3, Informative

    "We also confirmed that some applications are able to link the UDID to a real-world identity."

  4. Re:What's That? by TheGeneration · · Score: 5, Informative

    The UID identifies the iPhone within XCode. It enables things like authentication without passwords for (trivial) applications. For example if I have an app with profiles, and that app is only usable on the iPhone, there is no need for a password or login, I can just use the UID.

    Big whoop.

    --


    The Generation
    I'd say something witty here, but I'm not that bright.
  5. Re:And? Care factor zero by Jazzbunny · · Score: 2, Informative
    You don't see the problem because you didn't read the pdf:

    For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner. The CBS News application transmits both the UDID and the iPhone device’s user-assigned name, which frequently contains the owner’s real name.

  6. Re:And? Care factor zero by alannon · · Score: 2, Informative

    Incorrect. Without using Location Services (and asking permission) apps have no access to anything involving the Wi-Fi SSIDs surrounding you.

    And as for IP address...
    WARNING! Your computer is broadcasting your IP address!
    Be serious.

    Incidentally, with rare exceptions, the IP address of your phone, as assigned from your carrier, is in a private IP range. If you're connecting to a server, which will then have your public IP address, do you really feel you have any expectation of privacy, as far as the server not attempting to map your IP address to a location?

  7. it's all good by somewhere+in+AU · · Score: 3, Informative

    Unique device ID doesn't violate privacy whatsoever since there is no link to your name, address, etc..

    It DOES however provide a great way of ensuring "trial" or "lite" apps handled by a server and doing what you intended in say limiting results or whatever.. it also is good for internal logs since you can refine your app by looking at how the app is used, both overall as well as individual patterns.

    You don't need GPS, personal or any other information at all to provide LOTS of benefits and an IMPROVED app once you have a access to a unique ID that doesn't involve registering username or whatever as annoying websites do.

    I think a credible business would disclose in an open way what server transactions are involved on a per-app basis and with our new server suite being rolled out I know we will provide a web page per app detailing this so it's all open and above board and the benefits given.

  8. Re:What's That? by Anonymous Coward · · Score: 3, Informative

    The summary was specific to the top FREE apps. What do you expect they are going to refund? Why are we discussing locking it to one device? They are already free for all your devices. Its about tracking, pure and simple.

  9. Re:UDID does not identify a user by TrancePhreak · · Score: 3, Informative

    The UDID is pretty long, doesn't really make for a good user name. This is an example UDID: 2b6f0cc904d137be2e1730235f5664094b831186

    --

    -]Phreak Out[-
  10. Re:What's That? by hsmith · · Score: 2, Informative

    Well you are certainly full of it. Apple gives back their portion of refunds as well. They hold the option to NOT do that though.

  11. Pandora by Culture20 · · Score: 5, Informative

    Yeah, I noticed that with Pandora after my friend sold me his old phone (he had it wiped first). I downloaded Pandora and started screwing around with his stations because I thought they were just default stations Pandora gave me. They were basing access on the UDID.

  12. Re:What's That? by macs4all · · Score: 0, Informative

    SO they get a DID, a Mac address, an IP. They follow you around. Maybe they decide to go into various Java cache and sniff around if they can. Java cache locations aren't tough to figure out. There's more than one way to skin a cat, or a bad Java app.

    Wrong platform!

    iOS devices don't run Java ANYTHING. You're thinking of Android.