Security review finds 68% of top iOS apps transmit UDIDs


Comments

  • Reply 21 of 39
    mjtomlin Posts: 2,677 member
    Quote:
    Originally Posted by asdasd View Post


    What's the big deal with the UUID. Why is anyone attached to a number which is unique and can merely identify the device, not anything about you. ?



    I agree, it's using a unique identifier to identify you! Big whoop! This isn't any different than creating cookies in a web browser based off information that YOU GAVE them, so that you are automatically recognized by the service.



    Just because they've obtained your device UDID, this does not mean they have access to all your data on your phone.
  • Reply 22 of 39
    Quote:
    Originally Posted by mjtomlin View Post


    I agree, it's using a unique identifier to identify you! Big whoop! This isn't any different than creating cookies in a web browser based off information that YOU GAVE them, so that you are automatically recognized by the service.



    Just because they've obtained your device UDID, this does not mean they have access to all your data on your phone.



    Regarding iOS.



    "As a conclusion, the study states that all this poses a real threat to iOS users. "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," the study argues, "Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information." "



    The entire article



    http://www.osnews.com/story/23865
  • Reply 23 of 39
    Quote:

    ...an accompanying unencrypted unique device identifier, which could be used to obtain personal information.



    That's total, complete BS. There may be a concern with transmitting UDID -- it's slightly more identifiable than an IP address, since IP addresses are often masked by NAT.



    But there is no way -- no way at all -- to obtain personal information with a UDID.



    I hate this drive to make everything a huge, end-of-world, we-should-all-run-in-circles-in-fear issue. It's an interesting finding, it raises issues, and people are right to wonder if it's a good thing. But the throw-away assertion behind the fearmongering is totally, completely baseless.
  • Reply 24 of 39
    asdasd Posts: 5,686 member
    Quote:
    Originally Posted by extremeskater View Post


    Regarding iOS.



    "As a conclusion, the study states that all this poses a real threat to iOS users. "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," the study argues, "Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information." "



    The entire article



    http://www.osnews.com/story/23865



    The UDID, without any other information, tells us nothing about the user; it just uniquely identifies the device. Worry about that and you might as well worry about the IP address also logged in any transaction, and worry about that and you might as well never ever access the Internet again. A device id is not any kind of breach of privacy.
  • Reply 25 of 39
    Quote:
    Originally Posted by asdasd View Post


    The UDID, without any other information, tells us nothing about the user; it just uniquely identifies the device. Worry about that and you might as well worry about the IP address also logged in any transaction, and worry about that and you might as well never ever access the Internet again. A device id is not any kind of breach of privacy.



    Yeah, I think this is yet another case of an Apple Insider article that's so poorly written and reported that it's creating a problem where one may not exist. The staff here is notable for their poor communication skills.



    I've seen this exact story reported elsewhere (it is actually yesterday's news), and the take on it was almost completely different. What I heard from other sources is that there are a variety of issues. The UUID by itself is harmless, but in some cases it's being transmitted every 30 seconds with the location information attached which is very bad.



    This article also makes it sound bad that the information being transmitted is bad, when in fact it's actually better and preferred if this kind of stuff is encrypted since sending unique identifiers along with account info in an unencrypted form is probably the most dangerous of all.
  • Reply 26 of 39
    Quote:
    Originally Posted by asdasd View Post


    The UDID, without any other information, tells us nothing about the user; it just uniquely identifies the device. Worry about that and you might as well worry about the IP address also logged in any transaction, and worry about that and you might as well never ever access the Internet again. A device id is not any kind of breach of privacy.



    Honestly I don't worry about any of it.
  • Reply 27 of 39
    Which is why good apps use UUIDs, not UDIDs, and encrypt everything they transmit.
  • Reply 28 of 39
    myapplelove Posts: 1,515 member
    Quote:
    Originally Posted by sippincider View Post


    Which is why good apps use UUIDs, not UDIDs, and encrypt everything they transmit.



    Can you elaborate, and maybe hint on how we can tell which is which?
  • Reply 29 of 39
    dasein Posts: 139 member
    VINs are unique to a car. So to map that to its legal owner isn't always an easily done thing. Nor does it tell someone anything about what's in my car, where I drive it, what I use it for, etc... Are UDIDs any more revealing just by their value?
  • Reply 30 of 39
    nagromme Posts: 2,834 member
    I believe this is more accurate:



    An app that retrieves your UDID (assuming the phone never changed hands) can also obtain personal information about you, IF the following is true:



    1. Some other, prior app has previously retrieved your UDID.



    2. You GAVE that app personally identifying info (like when you tell Amazon your name) and it too was transmitted.



    3. That other app’s servers tied the UDID together with the other info you separately gave it.



    4. The makers of the second app and the prior app are in cahoots, OR one of them is insecure allowing the other to snoop on them. Then the app that only knows your UDID can get your name (or whatever) from the maker of the app that collected both.



    Otherwise—if all you have is the UDID—you have nothing.



    As for snooping... if your private data is transmitted in the clear (like Amazon), that’s a problem. (But I don’t worry terribly about just my name... it’s in lots of unencrypted emails people send me!) The article almost makes it sound like the apps which do encryption are even scarier... when in fact they are probably doing more to protect you than the non-encrypted apps.



    Moral of the story: when you submit personal data (like your name) you are submitting personal data. Submit it only to trusted destinations, preferably encrypted, or else you never know what unknown third party might share the data. That’s true with OR without a UDID. So the more personal the data, the more you need to trust the destination. I’d give Amazon my credit card. I’d give lots of places my name and no more. And some places aren’t getting anything from me but an anonymous username!



    Meanwhile, UDID is a great convenience for things like multiplayer games, where you can just hop on and play without having to create a login. (Though some games do use one.)



    Quote:
    Originally Posted by dasein View Post


    VINs are unique to a car. So to map that to its legal owner isn't always an easily done thing. Nor does it tell someone anything about what's in my car, where I drive it, what I use it for, etc... Are UDIDs any more revealing just by their value?



    No. They are pre-assigned to the hardware before you even bought the phone. It’s how iTunes can tell your iPhone from your family member’s iPhone, to sync the proper items with each one.
  • Reply 31 of 39
    Quote:
    Originally Posted by mgl323 View Post


    "Security review finds 68% of top iOS apps transmit UDIDs". I wonder what the percentage will be for Android apps..



    at almost 70%, does it matter at that point?
  • Reply 32 of 39
    Quote:
    Originally Posted by myapplelove View Post


    Can you elaborate, and maybe hint on how we can tell which is which?



    In English:



    As in the article, the UDID is the unique identifier for your iOS device. Think of it as being similar to a VIN for a car.



    A UUID is a Universally Unique Identifier, a randomly-generated code with an extremely low likelihood of being duplicated.



    Google and Wiki for these.



    Anyway, when transmitted over a network, the garble of a well-made UUID isn't going to tell an eavesdropper anything. But a UDID could potentially have value.



    Which brings up another issue: any software released since about 1980 should assume a hostile network, and should encrypt everything it transmits.
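The two points made above, nagromme's four-step account of how a UDID known to two back-ends lets them be joined (Reply 30) and sippincider's distinction between a hardware UDID and a per-app random UUID (Reply 32), can be shown concretely. The following is an added example, not code from the thread or from any app or vendor discussed in it; the log records, the `Device` class and the `udid-placeholder-*` values are constructed for illustration, and the "which is which" check relies only on the version nibble that a version-4 UUID carries.

```python
"""Added example (not from the thread): why a shared hardware identifier
lets two unrelated app back-ends link their records about one person,
and why a per-app random UUID (version 4) does not.

All records below are constructed sample data; the "udid-placeholder-*"
values stand in for real device identifiers.
"""
import uuid


def link_on_shared_id(log_a, log_b, key):
    """Join two server-side datasets on a shared identifier column.

    Returns {identifier: merged record} for identifiers present in both
    logs. This is the linkage described in nagromme's steps 1-4: once one
    back-end holds (UDID, name) and another holds (UDID, location), the
    two can be joined without either app ever reading the other's sandbox.
    """
    by_id = {rec[key]: dict(rec) for rec in log_a}
    linked = {}
    for rec in log_b:
        if rec[key] in by_id:
            linked[rec[key]] = {**by_id[rec[key]], **rec}
    return linked


class Device:
    """Simulates one handset (hypothetical class): a fixed hardware
    identifier (UDID) and, as the safer alternative, a random UUID generated
    separately for each app and kept in that app's own storage."""

    def __init__(self, udid):
        self.udid = udid
        self._per_app = {}

    def app_identifier(self, app_name):
        # uuid4 is random; generated once per app, then reused so the app
        # can still recognise a returning device. Different apps get
        # unrelated values, so there is no common key to join on.
        if app_name not in self._per_app:
            self._per_app[app_name] = str(uuid.uuid4())
        return self._per_app[app_name]


def collect_logs(device, use_udid):
    """Constructed logs of two unrelated apps on the same device: the shop
    app is given the user's name, the game app records location. Returns
    what an aggregator joining the two logs would learn."""
    key = "udid" if use_udid else "app_id"
    shop_id = device.udid if use_udid else device.app_identifier("shop")
    game_id = device.udid if use_udid else device.app_identifier("game")
    shop_log = [{key: shop_id, "name": "Alice Example"}]
    game_log = [{key: game_id, "location": "51.50,-0.12", "usage_min": 40}]
    return link_on_shared_id(shop_log, game_log, key)


def is_random_uuid(value):
    """Answer to 'how can we tell which is which': a well-formed version-4
    UUID parses and carries version nibble 4; a hardware UDID does not
    parse as a UUID at all."""
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False


if __name__ == "__main__":
    phone = Device("udid-placeholder-0001")
    print("shared UDID   ->", collect_logs(phone, use_udid=True))
    print("per-app UUID  ->", collect_logs(phone, use_udid=False))
    print("shop id random?", is_random_uuid(phone.app_identifier("shop")),
          "| udid random?", is_random_uuid(phone.udid))
```

With the shared UDID the join yields one merged record holding both the name and the location; with per-app UUIDs the join is empty, because each back-end only ever sees a key that no other back-end shares. Transport encryption, which Reply 32 also calls for, is a separate control: it stops an eavesdropper on the network, but does nothing against the two back-ends correlating what they already legitimately received.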
  • Reply 33 of 39
    djsherly Posts: 1,031 member
    Quote:
    Originally Posted by sippincider View Post


    In English:



    As in the article, the UDID is the unique identifier for your iOS device. Think of it as being similar to a VIN for a car.



    A UUID is a Universally Unique Identifier, a randomly-generated code with an extremely low likelihood of being duplicated.



    Google and Wiki for these.



    Anyway, when transmitted over a network, the garble of a well-made UUID isn't going to tell an eavesdropper anything. But a UDID could potentially have value.



    Which brings up another issue: any software released since about 1980 should assume a hostile network, and should encrypt everything it transmits.



    For all intents and purposes, the UDID IS you when you're talking about a mobile device. Suppose someone is smart enough to aggregate all the little bits of data which have an accompanying UDID. They might not necessarily know your name but they would know pretty much everything else about your habits. This information could be used to deliver content to your UDID, er You.
  • Reply 34 of 39
    monstrosity Posts: 2,234 member
    I'm making an app right now which stores the UDID. All your info are belong to me.



    Oh god who cares, I'm not going to do anything sinister with it.



    Except stalk you.
  • Reply 35 of 39
    bushman4 Posts: 861 member
    CARDINAL RULES:

    Don't do BANKING, Data Forms, Purchases from ANY SMARTPHONE
  • Reply 36 of 39
    But that's the reason you bought a smart phone to begin with, so you could do all that.
  • Reply 37 of 39
    Apparently unique ID is a revelation to many. Well, here's a shocker: every Apple device capable of running software has one easily accessible. And apps, both desktop and mobile, may access it and do whatever they will. If it is a security threat, go switch to another platform. But even penguin-land is not safe: it is easy to concoct a unique ID from the motherboard or HDD serial number. So, the ultimate decision for people who are afraid of their rigs being tracked is to avoid using computers and smartphones.



    For the sane people there is one thing to understand: UDID is not your personal data. It is a passport for your hardware. Transmitting UDID does nothing to impair your security. What you should care about is what data besides UDID is transmitted. Location information is protected, but everything user enters is not. So when you type your real name somewhere keep in mind that it is going to be sent over the network, obviously. Security threat? Don't enter your name then.



    Edit: contrary to the previous orator, I think it is much safer to do banking etc. from a smartphone with strong sandboxing (i.e. a non-jailbroken iPhone). The reason is simple: there is no virus transmitting screenshots, there's no keylogger peeking at your password - the latter is the number one bank info stealer.
  • Reply 38 of 39
    realistic Posts: 1,154 member
    Quote:
    Originally Posted by BUSHMAN4 View Post


    CARDINAL RULES:

    Don't do BANKING, Data Forms, Purchases from ANY SMARTPHONE



    Don't use computers (MAC), or the internet (COOKIES), or any landline phone (PHONEBOOK), and don't use the US Postal Service, especially when paying bills, as everything (name, address, account numbers for charge cards and bank accounts) is all in the envelope and requires little to zero technology to obtain your information...



    Methinks some are becoming a little paranoid.
  • Reply 39 of 39
    mjtomlin Posts: 2,677 member
    Quote:
    Originally Posted by extremeskater View Post


    Regarding iOS.



    "As a conclusion, the study states that all this poses a real threat to iOS users. "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," the study argues, "Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information." "



    The entire article



    http://www.osnews.com/story/23865



    Sorry, but the article isn't quite accurate. App developers do not have access to any data outside of their sandbox without explicit permission from the user; therefore, obtaining a device's UDID does not give anyone else access to that data either.



    A UDID is nothing more than an identification number, much like a serial number. It is not an address like a TCP/IP address, where you can attempt to connect to and gain access to the device to send or receive data. It poses no more of a threat to you than giving out your email address, which can also be used to track habits, if that information is being handed off to another party.



    If you're paranoid over this, you must be completely and utterly afraid to touch anything made by Google. Don't think for a moment that your MAC address isn't being used to build a profile about you and your habits. And Google is EVERYWHERE. Imagine if someone had access to their databases. Eric Schmidt has stated they have enough information about their users that they could potentially predict the users next move.