Forgot your password?
typodupeerror
Iphone Privacy Software Apple

Many Top iPhone Apps Collect Unique Device ID 194

Posted by Soulskill
from the your-computer-is-broadcasting-a-UDID dept.
An anonymous reader writes "It looks like iPhone users are not immune to the types of data leaks recently discovered on the Android platform. Researchers looked at the top free applications available from the App Store and discovered that '68% of these applications were transmitting UDIDs to servers under the application vendor's control each time the application is launched.' The iPhone's Unique Device ID, or UDID, cannot be changed, nor can its transmission be disabled by the user. The full paper is available in PDF form."
This discussion has been archived. No new comments can be posted.

Many Top iPhone Apps Collect Unique Device ID

Comments Filter:
  • What's That? (Score:3, Insightful)

    by MightyMartian (840721) on Friday October 01, 2010 @07:21PM (#33766404) Journal

    What's that? Why, I think it's the sound of the other shoe dropping!

    • Re:What's That? (Score:3, Insightful)

      by MBCook (132727) <foobarsoft@foobarsoft.com> on Friday October 01, 2010 @07:26PM (#33766442) Homepage

      Some people may not like this, but it doesn't seem that bad to me. After hearing that some Android apps report a user's physical location up to every 30s... this seems pretty tame.

      • Re:What's That? (Score:4, Insightful)

        by ceoyoyo (59147) on Friday October 01, 2010 @07:30PM (#33766484)

        And phone number.

        Unless Apple is helpfully giving out your name and address to go along with the UDID (which I very much doubt), it's just a way to see how many people are using your app.

      • by jc42 (318812) on Friday October 01, 2010 @07:46PM (#33766628) Homepage Journal

        ... some Android apps report a user's physical location up to every 30s ...

        If you're running google maps on your iPhone or Android phone, it does this. This has been mentioned lots of places, when they explain how the maps app gets the traffic data. It gets the data from the phones, of course, which are reporting their position and speed back to a google server every so often,. The green/yellow/red/black color coding of roads is just a summary of how the phones on those roads are moving. It would be surprising if the packets didn't include a phone's ID, since that helps make sense of the strings of packets from different phones on the same stretch of highway that are arriving mingled together.

        I've often used google's traffic reports on my G1 to tell me which of my (Garmin) GPS gadgets routes I should avoid. Supposedly Garmin has released a cell-phone version of their GPS software, but I haven't yet read reports of how well it works.

        The mobile google-maps app with traffic status is sufficiently useful that people will probably consider it an acceptable excuse for google keeping track of where their phone is at all times. ;-)

        • by sortius_nod (1080919) on Saturday October 02, 2010 @03:26AM (#33768800) Homepage

          Actually, no, it gets the data from the same place that all traffic maps get data from. The radio network that transmits traffic.

          The data would be so incomplete from phones (as you have to have the app running) that it would be useless as a measure of traffic.

          • by jc42 (318812) on Saturday October 02, 2010 @09:54AM (#33769846) Homepage Journal

            OTOH, if a traffic app were to do both, that would give more data than either alone. I can't be the first programmer to have had that thought. ;-)

            In any case, there have been many reports that google maps is collecting some of the traffic data from phones running their software. Here's one of the earlier stories [jkontherun.com] that a quick google search turned up, from about a year ago. It's not hard to find other stories about this topic. This story has the additional comment that, at the time, the iPhone was unusual in that it didn't feed data back to the google traffic database. This has supposedly been fixed in the past year.

            I'd think that a sensible design would be to try to consolidate the data from mobile "smart phones" with the data from various highway agencies that monitor traffic. Of course, this would depend on which countries, states, provinces, cities, whatever that you could get data from. There's also the problem that no two of them would be expected to use the same data formats. But we have a lot of smart programmers, right? And the task is easily modularized, since you basically need one package per input source that translates that source's data format to whatever format your database wants.

      • Re:What's That? (Score:5, Informative)

        by TheGeneration (228855) on Friday October 01, 2010 @08:01PM (#33766726) Journal

        The UID identifies the iPhone within XCode. It enables things like authentication without passwords for (trivial) applications. For example if I have an app with profiles, and that app is only usable on the iPhone, there is no need for a password or login, I can just use the UID.

        Big whoop.

        • Re:What's That? (Score:3, Insightful)

          by postbigbang (761081) on Friday October 01, 2010 @08:23PM (#33766870)

          Your big whoop amounts to someone data mining more stuff about you. You give up too easily protecting your information particulars. If you don't sweat them, they'll steal more.... and maybe already have.

          • by PipsqueakOnAP133 (761720) on Friday October 01, 2010 @09:43PM (#33767376)

            That's IF they can steal more. So far, they can get your device ID, and access the address book.
            I'm more concerned about the address book than I am about the device ID.
            Given the APIs, that's probably about all they can take from you.

          • by nacturation (646836) * <<moc.liamg> <ta> <noitarutcan>> on Friday October 01, 2010 @11:01PM (#33767780) Journal

            Your big whoop amounts to someone data mining more stuff about you. You give up too easily protecting your information particulars. If you don't sweat them, they'll steal more.... and maybe already have.

            So if this unique hardware device ID didn't exist, my app could generate a GUID (random 128 bit number) the first time it's run and use that as the unique ID on every internet request to my server? What's Apple going to do... prevent apps from using numbers?

            • by postbigbang (761081) on Friday October 01, 2010 @11:13PM (#33767820)

              Not necessarily.

              The idea is to have applications STFU unless it's called for.

              No random hey, here's the latest scoop on 0x38df803's location, the local temperature, and the last nine people she called.

              Hey, look! She's on FB again, and just ordered something from Amazon. Upload to the mothership analytics engine NOW!

              Wait, she's going to use us! Get ready to make the fart sound!

        • by JohnFen (1641097) on Friday October 01, 2010 @11:02PM (#33767786)

          The UID identifies the iPhone within XCode. It enables things like authentication without passwords for (trivial) applications. For example if I have an app with profiles, and that app is only usable on the iPhone, there is no need for a password or login, I can just use the UID.

          Big whoop.

          It may not be a big deal to you, but it sure is to me. Particularly given how atrocious the terms of their license are when it comes to privacy. They can, and do, track you and your physical location at all times, and can do anything they like with that information.

          In my view, it's bad enough that they are so cavalier about personally identifiable information int he first place. It's even worse that such information is readily available to random app developers.

          This is a showstopper.

          • by BasilBrush (643681) on Saturday October 02, 2010 @02:27AM (#33768612)

            It may not be a big deal to you, but it sure is to me. Particularly given how atrocious the terms of their license are when it comes to privacy. They can, and do, track you and your physical location at all times, and can do anything they like with that information.

            Mobile phone networks know your physical location, near enough, with any mobile phone you might use. Apple doesn't. The iPhone doesn't "track you and your physical location at all times". Only when the application being run requests it, and the user is notified that such a thing is happening, and asked for permission. Plus of course you can disable location services on the iPhone completely if you want.

            The reason it's a big deal to you is because your tin-foil hat is more important to you than finding out how things actually work.

      • by owlstead (636356) on Saturday October 02, 2010 @08:08AM (#33769508)

        The security model of both phones is quite different. iOS is based on digital trust (only downloading signed authorized apps from the appstore), android's model is permission based (although the default market could count as authorization as well).

        If a free game is requesting permission to use my GPS coordinates or to use maps, then I simply don't install it.

    • by LostCluster (625375) * on Friday October 01, 2010 @07:55PM (#33766694)
      What was the first shoe?
    • by SuperKendall (25149) on Friday October 01, 2010 @09:35PM (#33767338)

      What's that? Why, I think it's the sound of the other shoe dropping!

      Honestly, you are equating the release of a phone number and constant GPS feed, to a UDID that had no identifying information about you and is only used to detect if the same device is returning to a server? Really?

  • by aristotle-dude (626586) on Friday October 01, 2010 @07:23PM (#33766434)

    The iPhone's UDID identifies my iPhone, not me so I don't see the problem. Some developers just want to see how many devices apps are installed and in active use on.

    • by Dynedain (141758) <slashdot2 AT anthonymclin DOT com> on Friday October 01, 2010 @07:29PM (#33766468) Homepage

      DoubleClick's cookies identify my computer, not me so I don't see the problem. Some developers just want to see how many computers browsers are installed and in active use on.

    • by grub (11606) * <slashdot@grub.net> on Friday October 01, 2010 @07:32PM (#33766502) Homepage Journal
      Yeah, just IDs the phone. Not email address, GPS location, contacts or anything.

      Not much of a story although I do block call-homes with FirewallIP from the Cydia Store.
    • by Anonymous Coward on Friday October 01, 2010 @07:37PM (#33766556)

      The iPhone's UDID identifies my iPhone, not me so I don't see the problem.

      Just wait... soon we will ALL have Apple's most important creation ever... the "iD".

    • by SilverHatHacker (1381259) on Friday October 01, 2010 @07:41PM (#33766594)
      I seem to remember when the Ubuntu OEM team proposed a package that would report your computer model so they could count installations, many people freaked out. Even though it sent nothing personally identifiable, the concept of your computer "phoning home" was anathema to the gathered masses. Funny how on an Apple product, the common response is "no big deal, it's not personally identifiable" but on anything else its "ZOMG! Teh evulz!"
      • by Klync (152475) on Friday October 01, 2010 @07:54PM (#33766688)

        Hmmm... maybe we should ask Mr. Gathered Mass why he keeps changing his mind. Oh, what's that? You're talking about millions of *different* people holding *different* opinions? Wow, who would've thought! I think you've found the real story in all of this: apparently, not everybody feels the exact same way about different, although similar, events. Thanks for sharing this insight - you just blew my mind.

      • by Nyeerrmm (940927) on Friday October 01, 2010 @08:34PM (#33766962)

        I'd say that the two sets are fairly distinct. While there are iPhone using Ubuntu users (myself included), I'm guessing the majority on each platform wouldn't use the other. Ubuntu users are going to in general be more libertarian leaning and privacy minded than iPhone users.

        That said, I personally feel the opposite. Ubuntu collecting that data doesn't bother me at all, and I definitely see the value. App developers doing so makes me a little bit uncomfortable, but I see the value in it to them too.

    • by layertwo (1913436) on Friday October 01, 2010 @07:47PM (#33766634)
      "We also confirmed that some applications are able to link the UDID to a real-world identity."
    • by LostCluster (625375) * on Friday October 01, 2010 @07:50PM (#33766660)

      You must be the Cookie Monster.

      Most cookies are unique values to identify you to web sites, and therefore also to ad networks. The more info about you that can be associated with that ID, the more they can specifically target you.

      The UDID might be a value that's random, but if ad networks can tie your usernames to the UDID, then they can uniquely identify your phone as you, and tie that to the targeted information.

      • by BasilBrush (643681) on Saturday October 02, 2010 @02:37AM (#33768656)

        Most cookies are unique values to identify you to web sites, and therefore also to ad networks. The more info about you that can be associated with that ID, the more they can specifically target you.

        Target me?!? Oh no that sounds bad. That sounds like a hit man or something. Oh noes!!!

        Wait, you mean they're going to use the information to display adverts for things I might actually be interested in, rather than random stuff I'm not interested in. How does this harm me again?

        No hit man?

    • by Jazzbunny (1251002) on Friday October 01, 2010 @08:05PM (#33766752)
      You don't see the problem because you didn't read the pdf:

      For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner. The CBS News application transmits both the UDID and the iPhone device’s user-assigned name, which frequently contains the owner’s real name.

      • by MrHanky (141717) on Friday October 01, 2010 @08:14PM (#33766796) Homepage Journal

        Sorry, but it has already been established in the discussion about possible privacy invasions in Android software that this can't happen on iOS. Because it simply can't happen.

        • by BasilBrush (643681) on Saturday October 02, 2010 @03:00AM (#33768728)

          I know you find it hard to distinguish one thing from another and don't RTFAs, but the Android apps which were the topic of that discussion were sending phone numbers from your address book. Which you might not realise is a different thing from the UID of your phone.

          It's perfectly reasonable, and allowable under both developer and user agreements for apps to send the UID to a server for the purpose of distinguishing one phone from another. It's not reasonable, nor allowed, to send user data, such as phone numbers.

          • by MrHanky (141717) on Saturday October 02, 2010 @07:14AM (#33769406) Homepage Journal

            I know you find it hard to read comments, but some of the apps mentioned here send your name in plain text along with the UID, making the UID into an alias for your name. Perfectly reasonable when it's done with Apple's products, of course, as the limits of the reasonable moves along with them.

            Notice how you go from full attack mode to full defensive mode along with corporate loyalty. You're a pathetic excuse of a human being.

      • by Sparks23 (412116) on Friday October 01, 2010 @11:30PM (#33767896)

        I think the problem is that most people are reading this as "apps are sending off the UDID" and going "eh, who cares" because the UDID doesn't have any real inherent useful meaning outside of iOS development provisioning. Even when they read that you can associate the UDID with a real name somehow (as in the Amazon and CBS apps), they still see UDID isn't really useful data. All you know is "this hexadecimal value -- which, for all practical purposes, may as well be random -- is Joe Public." If Amazon generated a blob of random binary data and used that to identify that device to the server instead of the UDID, but changed no other part of their protocol, you'd still be able to associate the random blob of data with Joe Public.

        Where this becomes a privacy concern is that since multiple services take the shortcut of using the UDID as their tracking token, if you had, say, both Amazon's tracking data and CBS's tracking data, you could take Amazon's realname data and combine it with the CBS program's demographic data, and have a bigger, badder demographic database. Because they both use the UDID as their tracking token, there's a shared bit of data you can use to combine those sorts of tracking databases. But that's not really presented as the problem here, so most people just think "why should I care that the UDID is being sent? Thats no different than any other random data-tracking cookie."

        In contrast, I think why people reacted more vehemently to the Android article was that the TaintDroid folks reported that Android apps were not merely using device identifiers as tracking tokens, but were also reporting back the actual phone number, or in some cases the IMSI. While I don't care much about my UDID being sent off as a tracking token -- it's not meaningful data in and of itself -- I am going to be a lot more disturbed if I find some app is sending my cellular subscriber data to a server without a damned good reason, regardless of what data they're tracking.

        That said, the growing popularity of smartphones means that privacy and malware/trojan prevention on mobile platforms /is/ going to become more and more of a real concern, I think. There are already security suites available for them, like Android Firewall on Android, or FirewallIP on iOS; they all require rooting/jailbreaking to use, but they're there as an option. But because of how much computing people do on their mobile devices, I think eventually we're going to see -- of necessity -- these sort of privacy/security tools for mobile platforms becoming more common and mainstream, whether Apple and Google open up the platform to allow third-party security tools or whether they start providing a higher level of security themselves, /something/ is going to change in time.

      • by BasilBrush (643681) on Saturday October 02, 2010 @02:52AM (#33768696)

        If I'm logged in, they already know my name. I wanted them to have it.

  • by schnikies79 (788746) on Friday October 01, 2010 @07:32PM (#33766498)

    I except to see a cydia patch in the new few weeks.

  • by zentechno (800941) on Friday October 01, 2010 @07:39PM (#33766572)
    As has been said, it identifies the phone, and not the user (though a majority of the time it'll be the phone's owner). Many apps use the UUID as a unique ID (ahem) to store state, e.g. viewed pages, favorites, etc. Yes, this is also done with a log in, or it could be done transparently via the UUID; not sure there's a best/worse here. I know -- it's the transparency that's the controversy, but I'm a bit pressed to think of anything that's revealed that couldn't also be revealed with (or without) "vendor collusion" (e.g. an App-to-UUID database to see which apps are on the same phone -- oh, wait, Apple knows that).
  • by swamp boy (151038) on Friday October 01, 2010 @07:58PM (#33766712)

    This article is very timely for me. I'm an iPhone developer who's planning to add a server component for some of my iPhone apps. My initial thinking was to simply make use of the built-in UDID since it's there and doesn't require any effort on the part of the user. I did RTFA and I can see how the use of UDIDs could lead to unethical situations.

    On the other hand, what's the alternative? Generally speaking, an iPhone app that has a server component with functionality that's geared to a specific user needs something to identify that user. Sure, I could force the user to enter their email address or make up a user id. Unless a user goes to the trouble of making sure that each service/app they deal with uses a separate and distinct user id or email address, you're back in the same situation (or close to it).

    I'm genuinely interested in hearing suggestions on the preferred mechanism that helps to maintain privacy.

  • by blair1q (305137) on Friday October 01, 2010 @08:10PM (#33766770) Journal

    iPhone and Android. Two peas in different pods.

    The Internet is not secure.

    Your phone company is not your mommy.

    Software is more complex than humans can comprehend, and there will be holes in its behavior relative to your expectation, especially but not exclusively when you were not the one who wrote the requirements for it, but especially again when the people writing it want to leave avenues for future revenue growth.

  • by mr100percent (57156) on Friday October 01, 2010 @08:24PM (#33766878) Homepage Journal

    How is this different than registering the Apple device with the app for Push notifications? The article is pretty thin on details and the PDF is kinda slashdotted. Granted, push access requires the user to agree to it via a popup on first launch.

  • it's all good (Score:3, Informative)

    by somewhere in AU (628338) <alexm@findmap.com.au> on Friday October 01, 2010 @08:39PM (#33767000) Homepage

    Unique device ID doesn't violate privacy whatsoever since there is no link to your name, address, etc..

    It DOES however provide a great way of ensuring "trial" or "lite" apps handled by a server and doing what you intended in say limiting results or whatever.. it also is good for internal logs since you can refine your app by looking at how the app is used, both overall as well as individual patterns.

    You don't need GPS, personal or any other information at all to provide LOTS of benefits and an IMPROVED app once you have a access to a unique ID that doesn't involve registering username or whatever as annoying websites do.

    I think a credible business would disclose in an open way what server transactions are involved on a per-app basis and with our new server suite being rolled out I know we will provide a web page per app detailing this so it's all open and above board and the benefits given.

  • by mr_zorg (259994) on Friday October 01, 2010 @09:37PM (#33767346)

    Bah, this is blown out of proportion a little bit. The UDID, by itself, tells a developer nothing about YOU. Its use is documented and encouraged by Apple for tracking user devices (which TFA admits). Now sure, if I were to also grab your address book I can tie that to your UDID, but it's my grabbing your address book that's the problem, not the UDID. I suppose if Apple wanted to make this more secure they could make the API automatically hash the UDID with your Application ID (also unique) and return that instead. You would still be able to use it for the same purposes as UDID was intended for, but NOT between apps.

  • Pandora (Score:5, Informative)

    by Culture20 (968837) on Friday October 01, 2010 @10:16PM (#33767562)
    Yeah, I noticed that with Pandora after my friend sold me his old phone (he had it wiped first). I downloaded Pandora and started screwing around with his stations because I thought they were just default stations Pandora gave me. They were basing access on the UDID.
    • by hackshack (218460) on Saturday October 02, 2010 @12:35AM (#33768204)

      Happened to me, too. You can change your Pandora password 'til the cows come home, and the old phone will still be able to login!

      Best part is, Pandora keeps their UDID databases inaccessible from your account, so you can't just login to Pandora and see the device(s) associated with that account. You have to email Customer Service and ask them to delete all your devices, whatever those may be. Happens on their (paid) desktop client, too. I put in a feature request to make our devices available in our account settings, but I'm not holding my breath.

      For what it's worth, Pandora Support told me that if I chose "log out" on the Pandora iPhone client before getting rid of my old phone, it would have removed the UDID from their database. I half-believe this: more likely it's just marked it as "logged off."

  • by tlhIngan (30335) <<ten.frow> <ta> <todhsals>> on Saturday October 02, 2010 @01:26AM (#33768418)

    This isn't a new problem - I think /. reported on it a couple of years ago. Sure it wasn't a UDID, but it was the phone number or other more identifiers. ICCID and IMEI is probably more risky to leak out - the UDID doesn't really tell you much of anything. It doesn't tell you the phone model, the user's phone number (which can change), ICCID, IMEI, etc. unless it's purposely linked. All it identifies is the particular piece of hardware.

    And naturally, jailbreakers have solutions for all this.

    First, there's UDIDFaker, which changes your UDID on a per-app basis. On iOS 4.x, the GUI doesn't work, but you can manually edit the plist file with the app and UDID you desire to use.

    Seocnd, there's Firewall IP, which pops up a dialog whenever an app wants to open a network connection, where you can control which connections fail and which ones succeed.

    There used to be a blog that tested apps and reported what was sent back to the user - it's not a new problem, but a very old one...

  • by updog (608318) on Saturday October 02, 2010 @01:55AM (#33768494) Homepage
    The UDID is really useful for collecting analytics, such as with Flurry Analytics [flurry.com]. You can really easily get nice graphs and charts on how users in aggregate are using your app, or drill down to any particular (anyonymous) user based on the UDID. For these analytics to be useful, you need to specify some type of unique identifier for the device. A UDID makes perfect sense, and there really isn't any standard or easy way to map the UDID to any particular user anyway, so it's hard to see what all the fuss is about. Regardless, the app should let the user know the UDID is being logged, and allow them the option to turn the logging off.
  • by chrysalis (50680) on Saturday October 02, 2010 @10:47AM (#33770082) Homepage

    UDIDs are commonly used in order to estimate how many users an application has, especially on applications that don't require people to register an account.

    Tons of web sites and ad servers are also sending cookies for this very purpose. It's not bullet proof, but it's better than nothing.

    UDIDs can be also useful in order to block users (spammers, people sending illegal content, etc) on social networks, as it's more difficult to buy a new device that it is to create a new account.

Is a person who blows up banks an econoclast?

Working...