Inside iOS 5: privacy change kills app developers' access to UDID

Posted:
in iPhone edited January 2014
One of the new features of Apple's upcoming iOS 5 is the removal of a feature many app developers, particularly ad networks, regularly access to track use of their apps by mobile customers.



According to a report by Tech Crunch The upcoming release of iOS 5 will deprecate developers' app access to "uniqueIdentifier," the universally unique serial number embedded in each iPhone and iPad sold.



This UDID works like a networked computer's MAC address, serving as a unique hardware identifier that remains the same regardless of the user or app currently running. A security review last year showed that 68% of top iPhone apps transmit unencrypted UDIDs that can be used to track user behaviors unique to a device, while another 18 percent transmit encrypted data that may include the UDID.



The change should effectively end a controversial privacy issue that relates to how third party developers and ad networks track users, without their knowledge, consent, or in some cases without any ability to block such data collection.



This summer, Apple was sued by a man in New York over iPhone location data tracking issue, with Apple?s inability to provide a method to ?delete or restrict access? to a device?s UDID being one of the main points of the lawsuit.



The UDID



Every mobile device has a unique serial number that identifies it to the mobile network. For iOS devices, this number is accessible by users from iTunes or through the Settings app on the device itself.



Developers can distribute a custom app provisioned for use on specific phones identified by their UDID, and also register this number with Apple to verify the installation of beta versions of iOS.



Third party apps can currently read users' UDID after being installed on the device, allowing the app to record what device is using it without the user needing to login with a uniquely identifying account number. Third party ad networks access this number to track the use of mobile devices, similar to how web browser cookies can store information unique to a given user.



Unlike cookies however, a device's UDID can be read by any app, allowing ad networks to coordinate their data across apps with a globally unique serial number that doesn't change and can't be deleted.



Use cookies, accounts, iCloud, GameCenter instead



By removing app access to this number, Apple will pinch off the ability of third party ad networks to track users' behaviors across the various apps they are installed within. Apple recommends that developers "create a unique identifier specific to your app" instead, a process that would work much more like web cookies.



By forcing each app to maintain its own per-user tracking cooking, iOS 5 will prevent analytics firms from being able to effectively track users unique to a device, or to cross-reference behavioral data collected from multiple apps.



It will also make it impossible for developers to track whether a user has stopped using their app and then started up again, unless the user voluntarily opts to log in with an identifiable account. Thus, simply deleting and reinstalling the app will clear any unique tracking numbers a developer or ad network has on record, allowing users to erase their tracks in the mobile world just as they can by deleting browser cookies.



The change will occur alongside the appearance of iCloud, which will allow apps that the user approves to share a unique key across devices using iCloud's new Documents and Data feature. For example, a developer can use iCloud to customize the appearance or state of their app across the users' devices by sharing key value data in the cloud.



Apple's GameCenter also allows third party apps to associate state within a game with a specific user when that user chooses to login via their Apple ID. This allows a user to move between devices while retaining the same scores and achievements on a user account level.



Developers have noted that the inability to track users by a hardware address could complicate beta testing and make it harder to ban abusive users from a service, unless the developer resorts to using a personal account system. Apple has warned developers that they should not rely on the UDID for device level tracking of their users.



Apple is scheduled to launch iOS 5 to the public this fall. The company just released iOS 5 Beta 6, build 9A5302b, to developers.

«1

Comments

  • Reply 1 of 36
    cpsrocpsro Posts: 2,823member
    Reaction as a user? SWEET!



    Now, Apple don't go using it to track us in unsavory ways yourself.
  • Reply 2 of 36
    apple ][apple ][ Posts: 9,233member
    Good. Developers and ad companies should not be able to track my behavior using the UDID when I'm using iOS devices.
  • Reply 3 of 36
    Deprecated ≠ killed. It just means it will be killed in a future update, but developers can continue to use it for the foreseeable future, and are encouraged to find a different solution.
  • Reply 4 of 36
    Quote:
    Originally Posted by mbarriault View Post


    Deprecated ≠ killed. It just means it will be killed in a future update, but developers can continue to use it for the foreseeable future, and are encouraged to find a different solution.



    yeh change the title apple insider you look very silly. It's just deprecated meaning it can still be used for OS 5, and might never be killed.
  • Reply 5 of 36
    Quote:
    Originally Posted by mbarriault View Post


    Deprecated ≠ killed. It just means it will be killed in a future update, but developers can continue to use it for the foreseeable future, and are encouraged to find a different solution.



    Well it still means they have "killed it" in the sense that apps using it won't be approved from this point forward. Pretty much the same thing.
  • Reply 6 of 36
    blah64blah64 Posts: 986member
    Great job Apple!



    Naysayers will say what they will, but Apple continues to be one of the best at protecting their users' privacy. I have no doubt they have MASSIVE amounts of personal data at their disposal internally, (and yes, that's bothersome), but they are doing a better job of keeping it private from 3rd parties than any of the other big players. In general, they're also doing a decent job of letting you use as much of their products/features AS POSSIBLE without requiring personal, trackable information.
  • Reply 7 of 36
    blah64blah64 Posts: 986member
    That last part reminds me, what is the deal with requiring an AppleID just to use an iPodTouch to control your AirportExpress-controlled music system?



    I have tons of CD-ripped music, and a standalone AirportExpress connected to the stereo. I occasionally connect to the Express from my laptop to play music, but I'd love to be able to play music from the iPodTouch on it. But I'm not going to set up AppleID crap on those devices to do so. This is a fully internal setup, and neither of the devices connects to the internet. Anyone aware of any good (hopefully easy) solutions?



    (sorry, I guess this is somewhat off-topic, so if someone wants to move it to a better thread or new topic, that's perfectly fine with me, I don't see a way to move or properly delete a post myself)
  • Reply 8 of 36
    asdasdasdasd Posts: 5,648member
    Quote:
    Originally Posted by Prof. Peabody View Post


    Well it still means they have "killed it" in the sense that apps using it won't be approved from this point forward. Pretty much the same thing.



    They didn't say that. They just removed the API in iOS 5.
  • Reply 9 of 36
    Quote:
    Originally Posted by asdasd View Post


    They didn't say that. They just removed the API in iOS 5.



    It's my understanding that an app that uses a deprecated API wouldn't be approved though so it's the same thing isn't it? Every app that is updated and every new app will be refused if it uses that API.
  • Reply 10 of 36
    "pinch-off"? Great word choice, Daniel.
  • Reply 11 of 36
    Quote:
    Originally Posted by Prof. Peabody View Post


    Well it still means they have "killed it" in the sense that apps using it won't be approved from this point forward. Pretty much the same thing.



    Not exactly, because approved apps that are already using it will be able to continue to do so.



    Of course, that was necessary because otherwise it would destroy the functioning of many existing apps, which rely on this feature. Its a good bet that iOS 6 will actually kill access to the UDID, giving developers about a year's time to create their own unique identifier network.



    Edit: On hindsight, I think I pretty much said the same thing as you, but in more words…well, brevity is for losers ;-)
  • Reply 12 of 36
    chris_cachris_ca Posts: 2,543member
    Quote:
    Originally Posted by Cpsro View Post


    Reaction as a user? SWEET!



    Now, Apple don't go using it to track us in unsavory ways yourself.



    Because they have done it so much in the past?

  • Reply 13 of 36
    Quote:
    Originally Posted by Chris_CA View Post


    Because they have done it so much in the past?





    They've only done it if you buy tinfoil hat conspiracy theories that reject the evidence.
  • Reply 14 of 36
    Quote:
    Originally Posted by Prof. Peabody View Post


    It's my understanding that an app that uses a deprecated API wouldn't be approved though so it's the same thing isn't it? Every app that is updated and every new app will be refused if it uses that API.



    dunno who told you that but it's wrong.
  • Reply 15 of 36
    The more privacy people have the better. Now why don't they create a feature in Safari that prevents all web beacons? I think all computers should not even have MAC addresses. There needs to be total privacy on the internet for users. As the US government and other governments constantly spy on us, we need more privacy not less. Even ISPs have been shown to track the habits of their customers.
  • Reply 16 of 36
    boogabooga Posts: 1,081member
    This is a nice move on Apple's part, and helps differentiate iOS from Android. Google is moving in exactly the opposite direction, with requiring real names and tying that to everything you do on the device. And because Google is essentially an advertising company whose customers are advertisers and whose product is you, it will help differentiate iOS and make people realize that "Don't Be Evil" is more marketing than reality.
  • Reply 17 of 36
    Quote:
    Originally Posted by Smallwheels View Post


    I think all computers should not even have MAC addresses.



    You must not know how Networking works.
  • Reply 18 of 36
    Quote:
    Originally Posted by indiekiduk View Post


    dunno who told you that but it's wrong.



    Whatever. I think I'm right and I'm not going to take your word for it without some kind of proof.



    If an app is automatically rejected for using private or unofficial API's (fact) and if Apple clearly indicates that they want you to use only the official API's (fact) and then they personally deprecate the API and tell you that you should be using something else, I'm pretty sure that apps that still use the UDID are going to be rejected from the app store admission process. I mean why wouldn't they? Maybe they will let some apps update for a while without kicking them out because it takes a while to work out an alternative, but new apps would likely be rejected.



    Anyway this whole thread is just an example of why people don't like developers. What a colossal waste of time arguing over the exact meaning of the word "killed." It's always going to be somewhat subjective and it's not like "killed" is some official programming term that means something specific anyway.



    Every other site is reporting this story is using the word "killed" to describe the situation. Any normal person can see that Apple just "killed" the use of UDID's. If developers want to whine and argue over the exact meaning of the word or wait until Apple actually forces them to change or leave the store, all I can say is that I'm absolutely certain that no one really cares.
  • Reply 19 of 36
    Quote:
    Originally Posted by Prof. Peabody View Post


    Whatever. I think I'm right and I'm not going to take your word for it without some kind of proof.



    If an app is automatically rejected for using private or unofficial API's (fact) and if Apple clearly indicates that they want you to use only the official API's (fact) and then they personally deprecate the API and tell you that you should be using something else, I'm pretty sure that apps that still use the UDID are going to be rejected from the app store admission process. I mean why wouldn't they? Maybe they will let some apps update for a while without kicking them out because it takes a while to work out an alternative, but new apps would likely be rejected.



    Anyway this whole thread is just an example of why people don't like developers. What a colossal waste of time arguing over the exact meaning of the word "killed." It's always going to be somewhat subjective and it's not like "killed" is some official programming term that means something specific anyway.



    Every other site is reporting this story is using the word "killed" to describe the situation. Any normal person can see that Apple just "killed" the use of UDID's. If developers want to whine and argue over the exact meaning of the word or wait until Apple actually forces them to change or leave the store, all I can say is that I'm absolutely certain that no one really cares.



    That's the problem. Apple actually didn't "kill" the use of UDID's for iOS 5, they're just deprecated. They will be killed in a future version of iOS, allowing devs time to adapt. This time is important for both users and developers. AppleInsider and every other site, put simply, are taking a story and exaggerating it, which is a form of journalism most people disapprove of.
  • Reply 20 of 36
    Quote:
    Originally Posted by mbarriault View Post


    That's the problem. Apple actually didn't "kill" the use of UDID's for iOS 5, they're just deprecated. They will be killed in a future version of iOS, allowing devs time to adapt.



    Unless Apple refuses to accept apps in iOS 5 that use the UDID framework.



    Then they're killed and people are completely right in what they're saying.
Sign In or Register to comment.