Security review finds 68% of top iOS apps transmit UDIDs

Posted in iPhone, edited January 2014
A newly published report on iPhone security reveals that most popular third-party software available for iOS-based devices transmits the device's unique device identifier (UDID) unencrypted, which could be used to obtain personal information.



A review of the "Most Popular" and "Top Free" categories on the iPhone App Store found that 68 percent of software would transmit UDIDs from devices. In addition, 18 percent of applications encrypted their communications, so it could not be determined what kind of data is being shared.



The findings were published last week by Eric Smith, network administrator with Bucknell University and a two-time DefCon wardriving champion. The security report, publicized by Engadget, claims that UDIDs can be "readily linked to personally-identifiable information."



The review was based on 57 applications available for the iPhone, and determined that personal information was sent out in plain text, posing a potential security concern.



The UDID is a unique identifier assigned to each iOS device, including iPhones, iPads and iPod touches. The number is used to prevent piracy with software available on the App Store.



In his findings, Smith compared the UDID assigned to iOS devices to the controversial Processor Serial Number that Intel attached to its Pentium 3 chips. He noted that the Pentium 3 PSN "elicited a storm of outrage from privacy groups," and questioned why those same concerns have not been expressed with the iPhone.



Among the applications found to transmit the iPhone UDID was software from Amazon, Chase Bank, Target, and Sam's Club. The CBS News application goes even further, transmitting the UDID along with the user-assigned name for the iPhone, which typically includes the owner's real name.



"Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity," Smith wrote. "For example, Amazon's application communicates the logged-in user's real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone's UDID with the name of the phone's owner."







Of course, to its credit, Apple has been very up front with security on iOS, requiring that users approve when applications access information like GPS or the phone's address book. The company has also allowed users to opt out of data collection with services like iAds.



The company even called out one mobile analytics firm, after data about the iPad was obtained from devices in testing on Apple's Cupertino, Calif., campus without the company knowing. The incident prompted Apple to revise some of the rules in its iPhone Developer Agreement.

Comments

  • Reply 1 of 39
    Great, now we're all fuct.
  • Reply 2 of 39
    freddych Posts: 266 member
    iPhone apps know what UDID last summer.
  • Reply 3 of 39
    bullhead Posts: 493 member
    How is this different from people tracking your MAC Address?
  • Reply 4 of 39
    dimmok Posts: 359 member
    Darn Free Fart Apps....I knew you would have the last laugh.
  • Reply 5 of 39
    So much for the Android security bashers on the forum.
  • Reply 6 of 39
    mgl323 Posts: 247 member
    "Security review finds 68% of top iOS apps transmit UDIDs". I wonder what the percentage will be for Android apps..
  • Reply 7 of 39
    zaren Posts: 49 member
    So, 68% of the "top apps"... 57 of the top apps... out of how many hundreds of thousands of apps...



    What if they picked the top 100 apps, and there were no other apps that phone home? Then their percentage would be cut almost in half. Not as sensational a headline there. Or even if there were other apps in the top 100 that did, but not enough to keep that percentage as high...
  • Reply 8 of 39
    hittrj01 Posts: 753 member
    Quote (originally posted by zaren):


    So, 68% of the "top apps"... 57 of the top apps... out of how many hundreds of thousands of apps...



    What if they picked the top 100 apps, and there were no other apps that phone home? Then their percentage would be cut almost in half. Not as sensational a headline there. Or even if there were other apps in the top 100 that did, but not enough to keep that percentage as high...



    I'm one of the biggest supporters of iOS as a software platform, but if 68% of the top apps are broadcasting UDID info, it is reasonably safe to assume that most of the other ones are as well. Maybe not at the same rate, but there isn't any reason to believe that no other apps other than what's in the top 100 are sending out this information.
  • Reply 9 of 39
    I would assume many of those apps that are tracking your UDID are ad supported. Advertisers would be very interested to track people like that.



    And there are some valid uses for applications to track a UDID. For example I think PhotoSwap uses it to ban users if they misbehave.
  • Reply 10 of 39
    Quote (originally posted by freddych):


    iPhone apps know what UDID last summer.



    buahahahahahahahahahahahahahaha
  • Reply 11 of 39
    asdasd Posts: 5,686 member
    Quote (originally posted by mariofreak85):


    I would assume many of those apps that are tracking your UDID are ad supported. Advertisers would be very interested to track people like that.



    And there are some valid uses for applications to track a UDID. For example I think PhotoSwap uses it to ban users if they misbehave.



    What's the big deal with the UUID? Why is anyone attached to a number which is unique and can merely identify the device, not anything about you?
  • Reply 12 of 39
    mgl323 Posts: 247 member
    Quote (originally posted by freddych):


    iPhone apps know what UDID last summer.



  • Reply 13 of 39
    So, assuming that Apple really does test apps before approving them it seems as if Apple must have known about this, and is okay with 3rd party apps tracking users without the users' knowledge.
  • Reply 14 of 39
    ascii Posts: 5,936 member
    You can't trust companies that make their money through advertising. They will inevitably try and profile you.
  • Reply 15 of 39
    By identifying the device advertisers can learn things about you based on what apps you use and what ads you tap. This gives them the ability to serve more targeted ads.
  • Reply 16 of 39
    solipsism Posts: 25,726 member
    Quote (originally posted by freddych):


    iPhone apps know what UDID last summer.



  • Reply 17 of 39
    jpcg Posts: 114 member
    Quote (originally posted by mgl323):


    "Security review finds 68% of top iOS apps transmit UDIDs". I wonder what the percentage will be for Android apps..



    Security review finds 100% of Android OSes transmit UDIDs to Google which is used to obtain personal information.



    There you go..
  • Reply 18 of 39
    asdasd Posts: 5,686 member
    Quote (originally posted by Mr Squid):


    So, assuming that Apple really does test apps before approving them it seems as if Apple must have known about this, and is okay with 3rd party apps tracking users without the users' knowledge.



    Yeah. They do it too. DRM wouldn't work otherwise.
  • Reply 19 of 39
    Quote (originally posted by freddych):


    iPhone apps know what UDID last summer.



    HAHAHAHAHAHAHA *breathe*
  • Reply 20 of 39
    In other news, people may be able to gain access to your phone number and obtain personal information...