
Security review finds 68% of top iOS apps transmit UDIDs

post #1 of 37
Thread Starter 
A newly published report on iPhone security reveals that most popular third-party software available for iOS-based devices transmits an accompanying unencrypted unique device identifier, which could be used to obtain personal information.

A review of the "Most Popular" and "Top Free" categories on the iPhone App Store found that 68 percent of software would transmit UDIDs from devices. In addition, 18 percent of applications encrypted their communications, so it could not be determined what kind of data is being shared.

The findings were published last week by Eric Smith, network administrator with Bucknell University and a two-time DefCon wardriving champion. The security report, publicized by Engadget, claims that UDIDs can be "readily linked to personally-identifiable information."

The review was based on 57 applications available for the iPhone, and determined that personal information was sent out in plain text, posing a potential security concern.

The UDID is a unique identifier assigned to each iOS device, including iPhones, iPads and iPod touches. The number is used to prevent piracy with software available on the App Store.

In his findings, Smith compared the UDID assigned to iOS devices to the controversial Processor Serial Number that Intel attached to its Pentium 3 chips. He noted that the Pentium 3 PSN "elicited a storm of outrage from privacy groups," and questioned why those same concerns have not been expressed with the iPhone.

Among the applications that were found to transmit the iPhone UDID were software from Amazon, Chase Bank, Target, and Sam's Club. The CBS News application goes even further, transmitting the UDID along with the user-assigned name for the iPhone, which typically includes the owner's real name.

"Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity," Smith wrote. "For example, Amazon's application communicates the logged-in user's real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone's UDID with the name of the phone's owner."



Of course, to its credit, Apple has been very up front with security on iOS, requiring that users approve when applications access information like GPS or the phone's address book. In addition, the company has also allowed users to opt out of data collection with services like iAds.

The company even called out one mobile analytics firm, after data about the iPad was obtained from devices in testing on Apple's Cupertino, Calif., campus without the company knowing. The incident prompted Apple to revise some of the rules in its iPhone Developer Agreement.
post #2 of 37
Great, now we're all fuct.
iPad News, App Reviews, and More: iPadNewsUpdates.com
post #3 of 37
iPhone apps know what UDID last summer.

iPad2 16 GB
iPhone 5 32 GB

post #4 of 37
How is this different from people tracking your MAC Address?
post #5 of 37
Darn Free Fart Apps....I knew you would have the last laugh.
post #6 of 37
"Security review finds 68% of top iOS apps transmit UDIDs". I wonder what the percentage will be for Android apps..
post #7 of 37
So, 68% of the "top apps"... 57 of the top apps... out of how many hundreds of thousands of apps...

What if they picked the top 100 apps, and there were no other apps that phone home? Then their percentage would be cut almost in half. Not as sensational a headline there. Or even if there were other apps in the top 100 that did, but not enough to keep that percentage as high...
post #8 of 37
Quote:
Originally Posted by zaren

So, 68% of the "top apps"... 57 of the top apps... out of how many hundreds of thousands of apps...

What if they picked the top 100 apps, and there were no other apps that phone home? Then their percentage would be cut almost in half. Not as sensational a headline there. Or even if there were other apps in the top 100 that did, but not enough to keep that percentage as high...

I'm one of the biggest supporters of iOS as a software platform, but if 68% of the top apps are broadcasting UDID info, it is reasonably safe to assume that most of the other ones are as well. Maybe not at the same rate, but there isn't any reason to believe that no other apps other than what's in the top 100 are sending out this information.
post #9 of 37
I would assume many of those apps that are tracking your UDID are ad supported. Advertisers would be very interested to track people like that.

And there are some valid uses for applications to track a UDID. For example I think PhotoSwap uses it to ban users if they misbehave.
post #10 of 37
Quote:
Originally Posted by freddych

iPhone apps know what UDID last summer.

buahahahahahahahahahahahahahaha
post #11 of 37
Quote:
Originally Posted by mariofreak85

I would assume many of those apps that are tracking your UDID are ad supported. Advertisers would be very interested to track people like that.

And there are some valid uses for applications to track a UDID. For example I think PhotoSwap uses it to ban users if they misbehave.

What's the big deal with the UUID? Why is anyone attached to a number which is unique and can merely identify the device, not anything about you?
I wanted dsadsa bit it was taken.
post #12 of 37
Quote:
Originally Posted by freddych

iPhone apps know what UDID last summer.

post #13 of 37
So, assuming that Apple really does test apps before approving them, it seems as if Apple must have known about this, and is okay with 3rd party apps tracking users without the users' knowledge.
post #14 of 37
You can't trust companies that make their money through advertising. They will inevitably try and profile you.
post #15 of 37
By identifying the device, advertisers can learn things about you based on what apps you use and what ads you tap. This gives them the ability to serve more targeted ads.
post #16 of 37
Quote:
Originally Posted by freddych

iPhone apps know what UDID last summer.

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #17 of 37
Quote:
Originally Posted by mgl323

"Security review finds 68% of top iOS apps transmit UDIDs". I wonder what the percentage will be for Android apps..

Security review finds 100% of Android OSes transmit UDIDs to Google, which is used to obtain personal information.

There you go..
post #18 of 37
Quote:
Originally Posted by Mr Squid

So, assuming that Apple really does test apps before approving them it seems as if Apple must have known about this, and is okay with 3rd party apps tracking users without the users' knowledge.

Yeah. They do it too. DRM wouldn't work otherwise.
I wanted dsadsa bit it was taken.
post #19 of 37
Quote:
Originally Posted by freddych

iPhone apps know what UDID last summer.

HAHAHAHAHAHAHA *breathe*
Summer '09 Macbook 6 GB RAM, SSD; iPhone 3GS, aTV v.2

Jesus told her, I am the resurrection and the life. Anyone who believes in me will live, even after dying. Anyone who lives in me and [trusts]...
post #20 of 37
In other news, people may be able to gain access to your phone number and obtain personal information...
post #21 of 37
Quote:
Originally Posted by asdasd

What's the big deal with the UUID? Why is anyone attached to a number which is unique and can merely identify the device, not anything about you?

I agree, it's using a unique identifier to identify you! Big whoop! This isn't any different than creating cookies in a web browser based off information that YOU GAVE them, so that you are automatically recognized by the service.

Just because they've obtained your device UDID, this does not mean they have access to all your data on your phone.
Disclaimer: The things I say are merely my own personal opinion and may or may not be based on facts. At certain points in any discussion, sarcasm may ensue.
post #22 of 37
Quote:
...an accompanying unencrypted unique device identifier, which could be used to obtain personal information.

That's total, complete BS. There may be a concern with transmitting UDID -- it's slightly more identifiable than an IP address, since IP addresses are often masked by NAT.

But there is no way -- no way at all -- to obtain personal information with a UDID.

I hate this drive to make everything a huge, end-of-world, we-should-all-run-in-circles-in-fear issue. It's an interesting finding, it raises issues, and people are right to wonder if it's a good thing. But the throw-away assertion behind the fearmongering is totally, completely baseless.
post #23 of 37
Quote:
Originally Posted by extremeskater

Regarding iOS.

"As a conclusion, the study states that all this poses a real threat to iOS users. "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," the study argues, "Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information." "

The entire article

http://www.osnews.com/story/23865

The UDID, without any other information, tells us nothing about the user; it just uniquely identifies the device. Worry about that and you might as well worry about the IP address also logged in any transaction, and worry about that and you might as well never ever access the Internet again. A device id is not any kind of breach of privacy.
I wanted dsadsa bit it was taken.
post #24 of 37
Quote:
Originally Posted by asdasd

The UDID, without any other information, tells us nothing about the user; it just uniquely identifies the device. Worry about that and you might as well worry about the IP address also logged in any transaction, and worry about that and you might as well never ever access the Internet again. A device id is not any kind of breach of privacy.

Yeah, I think this is yet another case of an Apple Insider article that's so poorly written and reported that it's creating a problem where one may not exist. The staff here is notable for their poor communication skills.

I've seen this exact story reported elsewhere (it is actually yesterday's news), and the take on it was almost completely different. What I heard from other sources is that there are a variety of issues. The UUID by itself is harmless, but in some cases it's being transmitted every 30 seconds with the location information attached which is very bad.

This article also makes it sound bad that the information being transmitted is bad, when in fact it's actually better and preferred if this kind of stuff is encrypted since sending unique identifiers along with account info in an unencrypted form is probably the most dangerous of all.
post #25 of 37
Which is why good apps use UUIDs, not UDIDs, and encrypt everything they transmit.
post #26 of 37
Quote:
Originally Posted by sippincider

Which is why good apps use UUIDs, not UDIDs, and encrypt everything they transmit.

Can you elaborate, and maybe hint on how we can tell which is which?
post #27 of 37
VINs are unique to a car. So to map that to its legal owner isn't always an easily done thing. Nor does it tell someone anything about what's in my car, where I drive it, what I use it for, etc... Are UDIDs any more revealing just by their value?
post #28 of 37
I believe this is more accurate:

An app that retrieves your UDID (assuming the phone never changed hands) can also obtain personal information about you, IF the following is true:

1. Some other, prior app has previously retrieved your UDID.

2. You GAVE that app personally identifying info (like when you tell Amazon your name) and it too was transmitted.

3. That other app’s servers tied the UDID together with the other info you separately gave it.

4. The makers of the second app and the prior app are in cahoots, OR one of them is insecure allowing the other to snoop on them. Then the app that only knows your UDID can get your name (or whatever) from the maker of the app that collected both.

Otherwise—if all you have is the UDID—you have nothing.

As for snooping... if your private data is transmitted in the clear (like Amazon), that’s a problem. (But I don’t worry terribly about just my name... it’s in lots of unencrypted emails people send me!) The article almost makes it sound like the apps which do encryption are even scarier... when in fact they are probably doing more to protect you than the non-encrypted apps.

Moral of the story: when you submit personal data (like your name) you are submitting personal data. Submit it only to trusted destinations, preferably encrypted, or else you never know what unknown third party might share the data. That’s true with OR without a UDID. So the more personal the data, the more you need to trust the destination. I’d give Amazon my credit card. I’d give lots of places my name and no more. And some places aren’t getting anything from me but an anonymous username!

Meanwhile, UDID is a great convenience for things like multiplayer games, where you can just hop on and play without having to create a login. (Though some games do use one.)

Quote:
Originally Posted by dasein

VINs are unique to a car. So to map that to its legal owner isn't always an easily done thing. Nor does it tell someone anything about what's in my car, where I drive it, what I use it for, etc... Are UDIDs any more revealing just by their value?

No. They are pre-assigned to the hardware before you even bought the phone. It’s how iTunes can tell your iPhone from your family member’s iPhone, to sync the proper items with each one.
post #29 of 37
Quote:
Originally Posted by mgl323

"Security review finds 68% of top iOS apps transmit UDIDs". I wonder what the percentage will be for Android apps..

at almost 70%, does it matter at that point?
What I got... 15" i7 w/8 gigs ram,iPad2 64gig wifi, 2.0 mac mini, 2.0 17" imac, appleTv, Still running my old G4 466 upgraded to 1.2GHz maxed ram as a pro tools machine, and 2 iphones.
post #30 of 37
Quote:
Originally Posted by myapplelove

Can you elaborate, and maybe hint on how we can tell which is which?

In English:

As in the article, the UDID is the unique identifier for your iOS device. Think of it as being similar to a VIN for a car.

A UUID is a Universally Unique Identifier, a randomly-generated code with an extremely low likelihood of being duplicated.

Google and Wiki for these.

Anyway, when transmitted over a network, the garble of a well-made UUID isn't going to tell an eavesdropper anything. But a UDID could potentially have value.

Which brings up another issue: any software released since about 1980 should assume a hostile network, and should encrypt everything it transmits.
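Added here as a worked example (not code from the thread, the study, or any vendor named in it): a small Python model of the correlation that post #28 spells out in four steps and of the per-app random UUID that posts #25 and #30 recommend instead. The UDID value, the two apps' log records and the dict standing in for each app's private storage are all constructed.

```python
"""Added example, not code from the thread or from any vendor it names.
It models post #28's correlation steps with constructed log records and
contrasts a hardware UDID with the per-app random UUID of posts #25/#30."""
import uuid

# Constructed 40-hex-character value standing in for one phone's UDID.
DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"


def shop_log(device_id):
    """Constructed records of an app the user gave their real name to
    (steps 1-3 in post #28: it stored identity next to the identifier)."""
    return [{"id": device_id, "name": "Alice Example", "event": "purchase:book"}]


def news_log(device_id):
    """Constructed records of an unrelated app that never asked for a name."""
    return [
        {"id": device_id, "event": "read:health-article"},
        {"id": device_id, "event": "read:divorce-law-article"},
    ]


def link_records(log_with_identity, log_without_identity):
    """Step 4 in post #28: join two logs on their shared identifier.
    Returns {real name: [events seen by the app that only had the id]}."""
    names = {r["id"]: r["name"] for r in log_with_identity if "name" in r}
    linked = {}
    for r in log_without_identity:
        name = names.get(r["id"])
        if name is not None:
            linked.setdefault(name, []).append(r["event"])
    return linked


def per_app_id(local_store, app_name):
    """Mitigation from posts #25/#30: generate a random UUID once per app
    install and keep it in that app's own storage (a dict here standing in
    for the app's sandboxed preferences). Two apps get unrelated values."""
    if app_name not in local_store:
        local_store[app_name] = str(uuid.uuid4())
    return local_store[app_name]


def compare():
    """Run the join both ways. With a shared UDID the news app's reading
    history attaches to a name; with per-app UUIDs nothing joins."""
    with_udid = link_records(shop_log(DEVICE_UDID), news_log(DEVICE_UDID))

    store = {}  # constructed stand-in for the device's per-app storage
    shop_id = per_app_id(store, "shop")
    news_id = per_app_id(store, "news")
    with_uuid = link_records(shop_log(shop_id), news_log(news_id))
    return with_udid, with_uuid


if __name__ == "__main__":
    udid_result, uuid_result = compare()
    print("shared UDID  ->", udid_result)   # name attached to reading history
    print("per-app UUID ->", uuid_result)   # {} : no common key to join on
```

The join only works when both servers hold the same key; a per-app random identifier removes that key without removing the app's ability to recognise its own installs.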
post #31 of 37
Quote:
Originally Posted by sippincider

In English:

As in the article, the UDID is the unique identifier for your iOS device. Think of it as being similar to a VIN for a car.

A UUID is a Universally Unique Identifier, a randomly-generated code with an extremely low likelihood of being duplicated.

Google and Wiki for these.

Anyway, when transmitted over a network, the garble of a well-made UUID isn't going to tell an eavesdropper anything. But a UDID could potentially have value.

Which brings up another issue: any software released since about 1980 should assume a hostile network, and should encrypt everything it transmits.

For all intents and purposes, the UDID IS you when you're talking about a mobile device. Suppose someone is smart enough to aggregate all the little bits of data which have an accompanying UDID. They might not necessarily know your name but they would know pretty much everything else about your habits. This information could be used to deliver content to your UDID, er You.
post #32 of 37
I'm making an app right now which stores the UDID. All your info are belong to me.

Oh god who cares, I'm not going to do anything sinister with it.

Except stalk you.
post #33 of 37
CARDINAL RULES:
Don't do BANKING, Data Forms, Purchases from ANY SMARTPHONE
post #34 of 37
But that's the reason you bought a smart phone to begin with, so you could do all that.
post #35 of 37
Apparently unique ID is a revelation to many. Well, here's a shocker: every Apple device capable of running software has one easily accessible. And apps both desktop and mobile may access it and do whatever they will. If it is a security threat go switch to other platform. But even penguin-land is not safe: it is easy to concoct a unique ID from motherboard or HDD serial number. So, the ultimate decision for people who are afraid of their rigs being tracked is to avoid using computers and smartphones.

For the sane people there is one thing to understand: UDID is not your personal data. It is a passport for your hardware. Transmitting UDID does nothing to impair your security. What you should care about is what data besides UDID is transmitted. Location information is protected, but everything user enters is not. So when you type your real name somewhere keep in mind that it is going to be sent over the network, obviously. Security threat? Don't enter your name then.

Edit: contrary to the previous orator I think it is much safer to do banking etc. from a smartphone with strong sandboxing (i.e. a non-jailbroken iPhone). The reason is simple: there is no virus transmitting screenshots, there's no keylogger peeking at your password - the latter is the number one bank info stealer.
post #36 of 37
Quote:
Originally Posted by BUSHMAN4

CARDINAL RULES:
Don't do BANKING, Data Forms, Purchases from ANY SMARTPHONE

Don't use computers (MAC), or the internet (COOKIES), or any landline phone (PHONEBOOK), and don't use the US Postal service especially when paying bills, as everything (name, address, account numbers, charge card, bank account) is all in the envelope and requires little to zero technology to obtain your information...

Me thinks some are becoming a little paranoid.
Artificial intelligence is no match for natural stupidity.

"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
post #37 of 37
Quote:
Originally Posted by extremeskater

Regarding iOS.

"As a conclusion, the study states that all this poses a real threat to iOS users. "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," the study argues, "Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information." "

The entire article

http://www.osnews.com/story/23865

Sorry, but the article isn't quite accurate. App developers do not have access to any data outside of their sandbox without explicit permission from the user; therefore, obtaining a device's UDID does not give anyone else access to that data either.

A UDID is nothing more than an identification number, much like a serial number. It is not an address like a TCP/IP address, where you can attempt to connect to and gain access to the device to send or receive data. It poses no more of a threat to you than giving your email address, which can also be used to track habits, if that information was being handed off to another party.

If you're paranoid over this, you must be completely and utterly afraid to touch anything made by Google. Don't think for a moment that your MAC address isn't being used to build a profile about you and your habits. And Google is EVERYWHERE. Imagine if someone had access to their databases. Eric Schmidt has stated they have enough information about their users that they could potentially predict the user's next move.
Disclaimer: The things I say are merely my own personal opinion and may or may not be based on facts. At certain points in any discussion, sarcasm may ensue.