Security review finds 68% of top iOS apps transmit UDIDs
A newly published report on iPhone security finds that most of the popular third-party applications available for iOS devices transmit the device's unique device identifier (UDID) unencrypted, and that the identifier can be used to obtain personal information.
A review of the "Most Popular" and "Top Free" categories on the iPhone App Store found that 68 percent of the applications transmitted the device's UDID. A further 18 percent encrypted their communications, so it could not be determined what data they were sharing.
The findings were published last week by Eric Smith, network administrator with Bucknell University and a two-time DefCon wardriving champion. The security report, publicized by Engadget, claims that UDIDs can be "readily linked to personally-identifiable information."
The review covered 57 applications available for the iPhone and found that personal information was sent in plain text, a potential security concern.
The UDID is a unique identifier assigned to each iOS device, including iPhones, iPads and iPod touches. The number is used to prevent piracy with software available on the App Store.
In his findings, Smith compared the UDID assigned to iOS devices to the controversial Processor Serial Number that Intel attached to its Pentium 3 chips. He noted that the Pentium 3 PSN "elicited a storm of outrage from privacy groups," and questioned why those same concerns have not been expressed with the iPhone.
Among the applications found to transmit the iPhone UDID were those from Amazon, Chase Bank, Target and Sam's Club. The CBS News application goes further, transmitting the UDID along with the user-assigned name of the iPhone, which typically includes the owner's real name.
"Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity," Smith wrote. "For example, Amazon's application communicates the logged-in user's real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone's UDID with the name of the phone's owner."
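The correlation Smith describes (a network eavesdropper matching a plaintext UDID to a name sent in the same or another app's traffic) is straightforward to reproduce over a capture. The following is an added example, not code from the report or from any of the vendors named: it parses constructed plaintext HTTP requests (hosts, paths, parameter names and the UDID values are invented), pulls out 40-hex-character UDID tokens from the request line, headers and body, and links each UDID to the names seen alongside it across every app that sent it. The 40-character hexadecimal format of the UDID is a fact about iOS of this era; the list of name-carrying parameter names is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# An iOS UDID of this era is a 40-character hexadecimal string. Any other
# 40-hex token (for instance a SHA-1 digest in a header) matches as well, so
# hits should be confirmed against the device's real UDID before being reported.
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Parameter names that commonly carry a person's or device's name. This list is
# an assumption for the example; a real review is driven by what the capture shows.
IDENTITY_PARAMS = {"user", "username", "name", "real_name", "device_name", "devicename"}

# Constructed sample capture: plaintext HTTP/1.1 requests as a passive observer
# on the same network would see them. Hosts, paths, parameter names and the two
# UDID values are invented for the example.
UDID_A = "2b6f0cc904d137be2e1730235f5664094b831186"
UDID_B = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4"

SAMPLE_REQUESTS = [
    # Shopping app: UDID and the logged-in user's real name in the query string.
    "\r\n".join([
        f"GET /api/sync?udid={UDID_A}&user=Jane+Doe HTTP/1.1",
        "Host: shop.example",
        "", "",
    ]),
    # News app: same UDID plus the user-assigned device name in a form body.
    "\r\n".join([
        "POST /track HTTP/1.1",
        "Host: news.example",
        "Content-Type: application/x-www-form-urlencoded",
        "",
        f"device_id={UDID_A}&device_name=Jane%27s+iPhone",
    ]),
    # Ad network: a different UDID as a path segment, no name at all.
    "\r\n".join([
        f"GET /v1/device/{UDID_B}/offers HTTP/1.1",
        "Host: ads.example",
        "", "",
    ]),
    # Control: a request carrying no identifier.
    "\r\n".join([
        "GET /status HTTP/1.1",
        "Host: bank.example",
        "", "",
    ]),
]


def parse_request(raw):
    """Split one raw HTTP/1.x request into (method, host, path, params).

    Query-string and form-body parameters are merged into one dict so that an
    identifier travelling in either place is treated the same way.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {k: vs[-1] for k, vs in parse_qs(parts.query).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: vs[-1] for k, vs in parse_qs(body).items()})
    return method, headers.get("host", ""), parts.path, params


def correlate(raw_requests):
    """Map every UDID seen in plaintext to the hosts that received it and the
    identity hints (names) that travelled with it, across all requests.

    Returns {udid: {"hosts": set, "identities": set}}.
    """
    seen = defaultdict(lambda: {"hosts": set(), "identities": set()})
    for raw in raw_requests:
        _method, host, _path, params = parse_request(raw)
        # Scan the whole request, not just the parameters: the UDID may be a path segment.
        udids = {u.lower() for u in UDID_RE.findall(raw)}
        if not udids:
            continue
        names = {v for k, v in params.items() if k.lower() in IDENTITY_PARAMS}
        for udid in udids:
            seen[udid]["hosts"].add(host)
            seen[udid]["identities"].update(names)
    return dict(seen)


def linkable(report):
    """UDIDs an eavesdropper could tie to a real-world identity: those that
    appeared next to at least one name in any app's traffic."""
    return {u: r for u, r in report.items() if r["identities"]}


if __name__ == "__main__":
    report = correlate(SAMPLE_REQUESTS)
    for udid, info in sorted(report.items()):
        print(udid, sorted(info["hosts"]), sorted(info["identities"]))
    print("linkable to a name:", sorted(linkable(report)))
```

The point the sample makes is that the leak is cumulative: the ad network in the third request never sees a name, but because the shopping and news apps send the same UDID next to "Jane Doe" and "Jane's iPhone", anyone who can observe all three flows (or any party the data is later pooled with) can attach a name to the ad network's device record too. On a real capture, feed the function the reassembled plaintext requests and confirm matches against the device's actual UDID to weed out unrelated 40-hex digests.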
To its credit, Apple has been comparatively up front about privacy on iOS, requiring that users approve when applications access information like GPS location or the phone's address book. The company has also allowed users to opt out of data collection by services like iAd.
The company even called out one mobile analytics firm after data about the iPad was obtained from devices being tested on Apple's Cupertino, Calif., campus without the company's knowledge. The incident prompted Apple to revise some of the rules in its iPhone Developer Agreement.
Comments
So, 68% of the "top apps"... 57 of the top apps... out of how many hundreds of thousands of apps...
What if they picked the top 100 apps, and there were no other apps that phone home? Then their percentage would be cut almost in half. Not as sensational a headline there. Or even if there were other apps in the top 100 that did, but not enough to keep that percentage as high...
I'm one of the biggest supporters of iOS as a software platform, but if 68% of the top apps are broadcasting UDID info, it is reasonably safe to assume that most of the other ones are as well. Maybe not at the same rate, but there isn't any reason to believe that no other apps other than what's in the top 100 are sending out this information.
iPhone apps know what UDID last summer.
buahahahahahahahahahahahahahaha
I would assume many of those apps that are tracking your UDID are ad supported. Advertisers would be very interested to track people like that.
And there are some valid uses for applications to track a UDID. For example I think PhotoSwap uses it to ban users if they misbehave.
What's the big deal with the UUID? Why is anyone attached to a number which is unique and can merely identify the device, not anything about you?
"Security review finds 68% of top iOS apps transmit UDIDs". I wonder what the percentage will be for Android apps..
Security review finds 100% of Android OSes transmit UDIDs to Google, which are used to obtain personal information.
There you go..
So, assuming that Apple really does test apps before approving them it seems as if Apple must have known about this, and is okay with 3rd party apps tracking users without the users' knowledge.
Yeah. They do it too. DRM wouldn't work otherwise.
iPhone apps know what UDID last summer.
HAHAHAHAHAHAHA *breathe*