Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Top iPhone Apps Collect Unique Device ID

Posted by Soulskill on from the your-computer-is-broadcasting-a-UDID dept.

An anonymous reader writes "It looks like iPhone users are not immune to the types of data leaks recently discovered on the Android platform. Researchers looked at the top free applications available from the App Store and discovered that '68% of these applications were transmitting UDIDs to servers under the application vendor's control each time the application is launched.' The iPhone's Unique Device ID, or UDID, cannot be changed, nor can its transmission be disabled by the user. The full paper is available in PDF form."

16 of 194 comments (clear)

  1. What's That? by MightyMartian · · Score: 3, Insightful

    What's that? Why, I think it's the sound of the other shoe dropping!

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:What's That? by ceoyoyo · · Score: 3, Insightful

      And phone number.

      Unless Apple is helpfully giving out your name and address to go along with the UDID (which I very much doubt), it's just a way to see how many people are using your app.

    2. Re:What's That? by Lumpy · · Score: 5, Interesting

      No but it enables douchebaggery like LOCKING the app to one device. Which is Against apple's Eula. If I have 2 iphones 1 ipod and 2 ipads on my single apple account I get the app on all those devices for one purchase price. Problem is many app makers are greedy assholes and want to make it only work on ONE device.

      --
      Do not look at laser with remaining good eye.
    3. Re:What's That? by ceoyoyo · · Score: 3, Insightful

      It enables things like that IF Apple weren't looking over their shoulder. Provided the app got past the approval process in the first place, someone would undoubtedly complain to Apple. Apple would then yank the app from the store and offer everyone refunds. Oh, and as a developer when you give a refund YOU give a refund. Apple doesn't give back their 30%.

      So no, nobody's going to do anything that stupid.

    4. Re:What's That? by TheGeneration · · Score: 5, Informative

      The UID identifies the iPhone within XCode. It enables things like authentication without passwords for (trivial) applications. For example if I have an app with profiles, and that app is only usable on the iPhone, there is no need for a password or login, I can just use the UID.

      Big whoop.

      --


      The Generation
      I'd say something witty here, but I'm not that bright.
    5. Re:What's That? by grub · · Score: 3, Interesting

      I've never come across an app that wont install for free on another iOS device (we have 4). What apps have done this? You should definitely report them to Apple is this is the case.

      --
      Trolling is a art,
    6. Re:What's That? by Anonymous Coward · · Score: 3, Informative

      The summary was specific to the top FREE apps. What do you expect they are going to refund? Why are we discussing locking it to one device? They are already free for all your devices. Its about tracking, pure and simple.

  2. If you read the paper... by layertwo · · Score: 3, Informative

    "We also confirmed that some applications are able to link the UDID to a real-world identity."

  3. Recommended alternatives? by swamp+boy · · Score: 5, Interesting

    This article is very timely for me. I'm an iPhone developer who's planning to add a server component for some of my iPhone apps. My initial thinking was to simply make use of the built-in UDID since it's there and doesn't require any effort on the part of the user. I did RTFA and I can see how the use of UDIDs could lead to unethical situations.

    On the other hand, what's the alternative? Generally speaking, an iPhone app that has a server component with functionality that's geared to a specific user needs something to identify that user. Sure, I could force the user to enter their email address or make up a user id. Unless a user goes to the trouble of making sure that each service/app they deal with uses a separate and distinct user id or email address, you're back in the same situation (or close to it).

    I'm genuinely interested in hearing suggestions on the preferred mechanism that helps to maintain privacy.

    1. Re:Recommended alternatives? by alannon · · Score: 5, Interesting

      Additionally, Apple's documentation on the API that provides the UDID specifically indicates that Apple considers it appropriate to use as a method of identifying a user/device.

      Of course, that doesn't change the privacy implications, but it indicates that the UDID is provided by Apple to developers for precisely that purpose.

  4. Is there a difference? by blair1q · · Score: 4, Insightful

    iPhone and Android. Two peas in different pods.

    The Internet is not secure.

    Your phone company is not your mommy.

    Software is more complex than humans can comprehend, and there will be holes in its behavior relative to your expectation, especially but not exclusively when you were not the one who wrote the requirements for it, but especially again when the people writing it want to leave avenues for future revenue growth.

  5. it's all good by somewhere+in+AU · · Score: 3, Informative

    Unique device ID doesn't violate privacy whatsoever since there is no link to your name, address, etc..

    It DOES however provide a great way of ensuring "trial" or "lite" apps handled by a server and doing what you intended in say limiting results or whatever.. it also is good for internal logs since you can refine your app by looking at how the app is used, both overall as well as individual patterns.

    You don't need GPS, personal or any other information at all to provide LOTS of benefits and an IMPROVED app once you have a access to a unique ID that doesn't involve registering username or whatever as annoying websites do.

    I think a credible business would disclose in an open way what server transactions are involved on a per-app basis and with our new server suite being rolled out I know we will provide a web page per app detailing this so it's all open and above board and the benefits given.

  6. Re:As a developer thinking about such things ... by perpenso · · Score: 4, Interesting

    One of my concerns would be that having the UDID allows for more general impersonation. With a hash specific to a particular app the impersonation is limited to your app.

    Another concern would be related to personally identifiable information (PII). When non-PII is associated with PII the non-PII now falls under all the PII regulations. If you use a hash you do not have to worry about what others at the university are collecting. Keep in mind that what constitutes an association between non-PII and PII may be defined by a hostile lawyer. Maybe your team's data being on the same server as another team's.

  7. Re:UDID does not identify a user by TrancePhreak · · Score: 3, Informative

    The UDID is pretty long, doesn't really make for a good user name. This is an example UDID: 2b6f0cc904d137be2e1730235f5664094b831186

    --

    -]Phreak Out[-
  8. Pandora by Culture20 · · Score: 5, Informative

    Yeah, I noticed that with Pandora after my friend sold me his old phone (he had it wiped first). I downloaded Pandora and started screwing around with his stations because I thought they were just default stations Pandora gave me. They were basing access on the UDID.

  9. Re:UDID does not identify a user by deimtee · · Score: 3, Insightful

    So you have buttons that say "Use device ID" and "Select a Username". You don't have to actually display the ID.
    Would also give you some data about how many people care enough to create a username rather than use the UDID.
    On the server side you need to come up with a way to tie multiple devices to the one account if they use the UDID option. Possibly have a "link another device" option that has the server generate a code transmitted back to the first device, that they have to key in on the second.

    --
    I'm guessing that wasn't on their radar screen...