Many Top iPhone Apps Collect Unique Device ID

An anonymous reader writes "It looks like iPhone users are not immune to the types of data leaks recently discovered on the Android platform. Researchers looked at the top free applications available from the App Store and discovered that '68% of these applications were transmitting UDIDs to servers under the application vendor's control each time the application is launched.' The iPhone's Unique Device ID, or UDID, cannot be changed, nor can its transmission be disabled by the user. The full paper is available in PDF form."

What's That?

[MightyMartian]

What's that? Why, I think it's the sound of the other shoe dropping!

Re:What's That?

[MBCook]

Some people may not like this, but it doesn't seem that bad to me. After hearing that some Android apps report a user's physical location up to every 30s... this seems pretty tame.

Re:What's That?

[ceoyoyo]

And phone number.

Unless Apple is helpfully giving out your name and address to go along with the UDID (which I very much doubt), it's just a way to see how many people are using your app.

Re:And? Care factor zero

[Anonymous Coward]

Then they should set a cookie. We already went over this in the late 90s with the pentium 3 [wikipedia.org]. Universal hardware id = bad. Set a cookie unique to one company = good.

Re:And? Care factor zero

[Klync]

Hmmm... maybe we should ask Mr. Gathered Mass why he keeps changing his mind. Oh, what's that? You're talking about millions of *different* people holding *different* opinions? Wow, who would've thought! I think you've found the real story in all of this: apparently, not everybody feels the exact same way about different, although similar, events. Thanks for sharing this insight - you just blew my mind.

Re:What's That?

[ceoyoyo]

It enables things like that IF Apple weren't looking over their shoulder. Provided the app got past the approval process in the first place, someone would undoubtedly complain to Apple. Apple would then yank the app from the store and offer everyone refunds. Oh, and as a developer when you give a refund YOU give a refund. Apple doesn't give back their 30%.

So no, nobody's going to do anything that stupid.

Re:And? Care factor zero

[by (1706743)]

Universal hardware id = bad.

I assume you assign your network card a random MAC address before connecting to the internet?

Is there a difference?

[blair1q]

iPhone and Android. Two peas in different pods.

The Internet is not secure.

Your phone company is not your mommy.

Software is more complex than humans can comprehend, and there will be holes in its behavior relative to your expectation, especially but not exclusively when you were not the one who wrote the requirements for it, but especially again when the people writing it want to leave avenues for future revenue growth.

Re:And? Care factor zero

[MrHanky]

Sorry, but it has already been established in the discussion about possible privacy invasions in Android software that this can't happen on iOS. Because it simply can't happen.

Retarded

[Anonymous Coward]

So a random identifier is somehow comparable to my GPS location?! Gimme a break

Re:What's That?

[postbigbang]

Your big whoop amounts to someone data mining more stuff about you. You give up too easily protecting your information particulars. If you don't sweat them, they'll steal more.... and maybe already have.

Re:What's That?

[Anonymous Coward]

Wait, Apple actually steal your money when someone asks for a refund? And people are willing to develop for them?

Re:UDID does not identify a user

[Anonymous Coward]

You also run into problems going the other direction: someone sells their old iPhone when they upgrade is suddenly unable to get into an account that was tied into their UDID while the person who bought the phone would have access to the account (assuming they went and bought the same app...so, if you plan/hope on becoming popular, it's worth thinking about) and any personal information that might be associated with that account.

Re:it's all good

[Anonymous Coward]

You're a fag.

Like so many others have pointed out, some of the apps do send the user's name -- along with the UID -- in plaintext.

Re:What's That?

[postbigbang]

SO they get a DID, a Mac address, an IP. They follow you around. Maybe they decide to go into various Java cache and sniff around if they can. Java cache locations aren't tough to figure out. There's more than one way to skin a cat, or a bad Java app.

Re:UDID does not identify a user

[deimtee]

So you have buttons that say "Use device ID" and "Select a Username". You don't have to actually display the ID.
Would also give you some data about how many people care enough to create a username rather than use the UDID.
On the server side you need to come up with a way to tie multiple devices to the one account if they use the UDID option. Possibly have a "link another device" option that has the server generate a code transmitted back to the first device, that they have to key in on the second.

Re:What's That?

[CheerfulMacFanboy]

The summary was specific to the top FREE apps. What do you expect they are going to refund? Why are we discussing locking it to one device? They are already free for all your devices. Its about tracking, pure and simple.

And his injection was made on somebody's claim that this was used to "LOCK the app to one device" - why would this be done for a FREE app?