Unguarded iPhone UDIDs Could be a Privacy Concern

Every iOS device is assigned a unique UDID, or “Unique Device Identifier”, which acts like a serial number or license plate to identify each unit. Applications from the App Store are carefully screened, but according to Eric Smith, Assistant Director of Information Security and Networking for Bucknell University, not all adhere to the security guidelines that Apple has put in place.

The intended role of the UDID as a unique token to remotely store local application preferences is a convenient tool for programmers, but the potential for the abuse of privacy is remarkably high. Apple addresses this concern in their application development guide:
“For user security and privacy, you must not publicly associate a device’s unique identifier with a user account.”
While Apple promotes the use of the “unique identifier” API as a development tool, there is nothing in place which prevents these same application developers from using UDIDs as a tracking agent — nor are there any restrictions in place to prevent companies from sharing this data with one another.

Smith’s study showed that 68% of the applications tested transmit the UDID back to a remote server, and only 18% encrypt the data. Many apps – even those from large companies like Amazon – send the UDID along with personal info in plain text, meaning that anyone who intercepts the traffic can easily read it.

Shady third-party apps could use your UDID, along with your current IP, to track your location in real time. (Though this borders on paranoia, and shouldn’t be an active concern for users.) The main problem is when companies send (or sell) this data to other advertising agencies. Most of the well-known and trusted companies use the data for legitimate reasons, but that doesn’t mean all of them follow the same standards.

To combat this privacy issue, Apple should mandate that developers use SSL to encrypt the data being sent, to provide at least a basic level of protection. At the moment, there is no way to opt out of sharing your UDID with applications, and no way to know for sure if the information is being used carefully. This problem is not as serious as, say, transmitting bank information or credit card numbers, but the point is that private information should be kept just that – private.
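The kind of check behind the figures above (which apps send the UDID, and whether they do so in the clear alongside personal data) can be reproduced on a small scale by auditing a proxy or packet-capture log of an app's outbound requests. The script below is an added example, not code from the article or from Smith's study. It relies on one fact not stated on the page: classic iOS UDIDs are 40-character hexadecimal strings. The log format, host names, parameter names, and the list of personal-info field names are all constructed for the example, and the script inspects only URL query strings and form-encoded bodies, not HTTP headers, so a UDID sent in a custom header would be missed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Classic iOS UDIDs are 40 hex characters. Word boundaries keep the pattern
# from matching inside longer digests such as SHA-256 output.
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Parameter names treated as personal information. This list is an
# assumption made for the example, not taken from the article.
PII_KEYS = {"email", "name", "phone", "username", "zip"}

# Constructed sample log, one request per line:
# "<timestamp> <METHOD> <URL> body=<form-encoded body or '-'>"
SAMPLE_LOG = """\
2010-10-01T12:00:01Z POST http://api.example-shop.test/v1/register body=udid=0123456789abcdef0123456789abcdef01234567&email=alice%40example.test
2010-10-01T12:00:02Z GET http://ads.example-network.test/track?device=89abcdef0123456789abcdef0123456789abcdef&app=weather body=-
2010-10-01T12:00:03Z POST https://secure.example-bank.test/session body=udid=fedcba9876543210fedcba9876543210fedcba98&name=Alice
2010-10-01T12:00:04Z GET http://cdn.example-shop.test/img/logo.png body=-
"""


def parse_line(line):
    """Split one constructed log line into (method, url, body); None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or not parts[3].startswith("body="):
        return None
    _timestamp, method, url, body_field = parts
    body = body_field[len("body="):]
    return method, url, ("" if body == "-" else body)


def extract_params(url, body):
    """Merge query-string and form-body parameters into name -> [values]."""
    params = dict(parse_qs(urlsplit(url).query))
    if body:
        params.update(parse_qs(body))
    return params


def audit(log_text):
    """Return one finding per request that carries a UDID-shaped value."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, url, body = parsed
        split = urlsplit(url)
        params = extract_params(url, body)
        udids = sorted({
            m.group(0).lower()
            for values in params.values()
            for value in values
            for m in UDID_RE.finditer(value)
        })
        if not udids:
            continue  # no device identifier in this request
        pii = sorted(k for k in params if k.lower() in PII_KEYS)
        findings.append({
            "method": method,
            "host": split.hostname,
            "plaintext": split.scheme == "http",  # no SSL/TLS on the wire
            "udids": udids,
            "pii_keys": pii,
        })
    return findings


def summarize(findings):
    """Aggregate counts in the style of the study's percentages."""
    total = len(findings)
    plaintext = sum(1 for f in findings if f["plaintext"])
    return {
        "requests_with_udid": total,
        "plaintext": plaintext,
        "encrypted": total - plaintext,
        "pii_with_udid_in_clear": sum(
            1 for f in findings if f["plaintext"] and f["pii_keys"]
        ),
        "percent_encrypted": round(100 * (total - plaintext) / total) if total else 0,
    }


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        flag = "PLAINTEXT" if f["plaintext"] else "tls"
        print(f"{flag:9} {f['method']:4} {f['host']:28} "
              f"udid={f['udids'][0][:8]}... pii={f['pii_keys']}")
    print(summarize(results))
```

On the constructed sample, two of the three requests carrying a UDID go out over plain HTTP, and one of those also carries an e-mail address in the same request; the HTTPS request to the bank host is the only one a passive observer could not read. The point of the script is the correlation between the identifier and the personal fields: the article's concern is not the UDID alone but the UDID sent together with data that ties it to a person.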

