Inside iOS 5: privacy change kills app developers' access to UDID
One of the new features of Apple's upcoming iOS 5 is the removal of a feature many app developers, particularly ad networks, regularly access to track use of their apps by mobile customers.
According to a report by Tech Crunch The upcoming release of iOS 5 will deprecate developers' app access to "uniqueIdentifier," the universally unique serial number embedded in each iPhone and iPad sold.
This UDID works like a networked computer's MAC address, serving as a unique hardware identifier that remains the same regardless of the user or app currently running. A security review last year showed that 68% of top iPhone apps transmit unencrypted UDIDs that can be used to track user behaviors unique to a device, while another 18 percent transmit encrypted data that may include the UDID.
The change should effectively end a controversial privacy issue that relates to how third party developers and ad networks track users, without their knowledge, consent, or in some cases without any ability to block such data collection.
This summer, Apple was sued by a man in New York over iPhone location data tracking issue, with Apple?s inability to provide a method to ?delete or restrict access? to a device?s UDID being one of the main points of the lawsuit.
The UDID
Every mobile device has a unique serial number that identifies it to the mobile network. For iOS devices, this number is accessible by users from iTunes or through the Settings app on the device itself.
Developers can distribute a custom app provisioned for use on specific phones identified by their UDID, and also register this number with Apple to verify the installation of beta versions of iOS.
Third party apps can currently read users' UDID after being installed on the device, allowing the app to record what device is using it without the user needing to login with a uniquely identifying account number. Third party ad networks access this number to track the use of mobile devices, similar to how web browser cookies can store information unique to a given user.
Unlike cookies however, a device's UDID can be read by any app, allowing ad networks to coordinate their data across apps with a globally unique serial number that doesn't change and can't be deleted.
Use cookies, accounts, iCloud, GameCenter instead
By removing app access to this number, Apple will pinch off the ability of third party ad networks to track users' behaviors across the various apps they are installed within. Apple recommends that developers "create a unique identifier specific to your app" instead, a process that would work much more like web cookies.
By forcing each app to maintain its own per-user tracking cooking, iOS 5 will prevent analytics firms from being able to effectively track users unique to a device, or to cross-reference behavioral data collected from multiple apps.
It will also make it impossible for developers to track whether a user has stopped using their app and then started up again, unless the user voluntarily opts to log in with an identifiable account. Thus, simply deleting and reinstalling the app will clear any unique tracking numbers a developer or ad network has on record, allowing users to erase their tracks in the mobile world just as they can by deleting browser cookies.
The change will occur alongside the appearance of iCloud, which will allow apps that the user approves to share a unique key across devices using iCloud's new Documents and Data feature. For example, a developer can use iCloud to customize the appearance or state of their app across the users' devices by sharing key value data in the cloud.
Apple's GameCenter also allows third party apps to associate state within a game with a specific user when that user chooses to login via their Apple ID. This allows a user to move between devices while retaining the same scores and achievements on a user account level.
Developers have noted that the inability to track users by a hardware address could complicate beta testing and make it harder to ban abusive users from a service, unless the developer resorts to using a personal account system. Apple has warned developers that they should not rely on the UDID for device level tracking of their users.
Apple is scheduled to launch iOS 5 to the public this fall. The company just released iOS 5 Beta 6, build 9A5302b, to developers.
According to a report by Tech Crunch The upcoming release of iOS 5 will deprecate developers' app access to "uniqueIdentifier," the universally unique serial number embedded in each iPhone and iPad sold.
This UDID works like a networked computer's MAC address, serving as a unique hardware identifier that remains the same regardless of the user or app currently running. A security review last year showed that 68% of top iPhone apps transmit unencrypted UDIDs that can be used to track user behaviors unique to a device, while another 18 percent transmit encrypted data that may include the UDID.
The change should effectively end a controversial privacy issue that relates to how third party developers and ad networks track users, without their knowledge, consent, or in some cases without any ability to block such data collection.
This summer, Apple was sued by a man in New York over iPhone location data tracking issue, with Apple?s inability to provide a method to ?delete or restrict access? to a device?s UDID being one of the main points of the lawsuit.
The UDID
Every mobile device has a unique serial number that identifies it to the mobile network. For iOS devices, this number is accessible by users from iTunes or through the Settings app on the device itself.
Developers can distribute a custom app provisioned for use on specific phones identified by their UDID, and also register this number with Apple to verify the installation of beta versions of iOS.
Third party apps can currently read users' UDID after being installed on the device, allowing the app to record what device is using it without the user needing to login with a uniquely identifying account number. Third party ad networks access this number to track the use of mobile devices, similar to how web browser cookies can store information unique to a given user.
Unlike cookies however, a device's UDID can be read by any app, allowing ad networks to coordinate their data across apps with a globally unique serial number that doesn't change and can't be deleted.
Use cookies, accounts, iCloud, GameCenter instead
By removing app access to this number, Apple will pinch off the ability of third party ad networks to track users' behaviors across the various apps they are installed within. Apple recommends that developers "create a unique identifier specific to your app" instead, a process that would work much more like web cookies.
By forcing each app to maintain its own per-user tracking cooking, iOS 5 will prevent analytics firms from being able to effectively track users unique to a device, or to cross-reference behavioral data collected from multiple apps.
It will also make it impossible for developers to track whether a user has stopped using their app and then started up again, unless the user voluntarily opts to log in with an identifiable account. Thus, simply deleting and reinstalling the app will clear any unique tracking numbers a developer or ad network has on record, allowing users to erase their tracks in the mobile world just as they can by deleting browser cookies.
The change will occur alongside the appearance of iCloud, which will allow apps that the user approves to share a unique key across devices using iCloud's new Documents and Data feature. For example, a developer can use iCloud to customize the appearance or state of their app across the users' devices by sharing key value data in the cloud.
Apple's GameCenter also allows third party apps to associate state within a game with a specific user when that user chooses to login via their Apple ID. This allows a user to move between devices while retaining the same scores and achievements on a user account level.
Developers have noted that the inability to track users by a hardware address could complicate beta testing and make it harder to ban abusive users from a service, unless the developer resorts to using a personal account system. Apple has warned developers that they should not rely on the UDID for device level tracking of their users.
Apple is scheduled to launch iOS 5 to the public this fall. The company just released iOS 5 Beta 6, build 9A5302b, to developers.
Comments
Now, Apple don't go using it to track us in unsavory ways yourself.
Deprecated ≠ killed. It just means it will be killed in a future update, but developers can continue to use it for the foreseeable future, and are encouraged to find a different solution.
yeh change the title apple insider you look very silly. It's just deprecated meaning it can still be used for OS 5, and might never be killed.
Deprecated ≠ killed. It just means it will be killed in a future update, but developers can continue to use it for the foreseeable future, and are encouraged to find a different solution.
Well it still means they have "killed it" in the sense that apps using it won't be approved from this point forward. Pretty much the same thing.
Naysayers will say what they will, but Apple continues to be one of the best at protecting their users' privacy. I have no doubt they have MASSIVE amounts of personal data at their disposal internally, (and yes, that's bothersome), but they are doing a better job of keeping it private from 3rd parties than any of the other big players. In general, they're also doing a decent job of letting you use as much of their products/features AS POSSIBLE without requiring personal, trackable information.
I have tons of CD-ripped music, and a standalone AirportExpress connected to the stereo. I occasionally connect to the Express from my laptop to play music, but I'd love to be able to play music from the iPodTouch on it. But I'm not going to set up AppleID crap on those devices to do so. This is a fully internal setup, and neither of the devices connects to the internet. Anyone aware of any good (hopefully easy) solutions?
(sorry, I guess this is somewhat off-topic, so if someone wants to move it to a better thread or new topic, that's perfectly fine with me, I don't see a way to move or properly delete a post myself)
Well it still means they have "killed it" in the sense that apps using it won't be approved from this point forward. Pretty much the same thing.
They didn't say that. They just removed the API in iOS 5.
They didn't say that. They just removed the API in iOS 5.
It's my understanding that an app that uses a deprecated API wouldn't be approved though so it's the same thing isn't it? Every app that is updated and every new app will be refused if it uses that API.
Well it still means they have "killed it" in the sense that apps using it won't be approved from this point forward. Pretty much the same thing.
Not exactly, because approved apps that are already using it will be able to continue to do so.
Of course, that was necessary because otherwise it would destroy the functioning of many existing apps, which rely on this feature. Its a good bet that iOS 6 will actually kill access to the UDID, giving developers about a year's time to create their own unique identifier network.
Edit: On hindsight, I think I pretty much said the same thing as you, but in more words…well, brevity is for losers ;-)
Reaction as a user? SWEET!
Now, Apple don't go using it to track us in unsavory ways yourself.
Because they have done it so much in the past?
Because they have done it so much in the past?
They've only done it if you buy tinfoil hat conspiracy theories that reject the evidence.
It's my understanding that an app that uses a deprecated API wouldn't be approved though so it's the same thing isn't it? Every app that is updated and every new app will be refused if it uses that API.
dunno who told you that but it's wrong.
I think all computers should not even have MAC addresses.
You must not know how Networking works.
dunno who told you that but it's wrong.
Whatever. I think I'm right and I'm not going to take your word for it without some kind of proof.
If an app is automatically rejected for using private or unofficial API's (fact) and if Apple clearly indicates that they want you to use only the official API's (fact) and then they personally deprecate the API and tell you that you should be using something else, I'm pretty sure that apps that still use the UDID are going to be rejected from the app store admission process. I mean why wouldn't they? Maybe they will let some apps update for a while without kicking them out because it takes a while to work out an alternative, but new apps would likely be rejected.
Anyway this whole thread is just an example of why people don't like developers. What a colossal waste of time arguing over the exact meaning of the word "killed." It's always going to be somewhat subjective and it's not like "killed" is some official programming term that means something specific anyway.
Every other site is reporting this story is using the word "killed" to describe the situation. Any normal person can see that Apple just "killed" the use of UDID's. If developers want to whine and argue over the exact meaning of the word or wait until Apple actually forces them to change or leave the store, all I can say is that I'm absolutely certain that no one really cares.
Whatever. I think I'm right and I'm not going to take your word for it without some kind of proof.
If an app is automatically rejected for using private or unofficial API's (fact) and if Apple clearly indicates that they want you to use only the official API's (fact) and then they personally deprecate the API and tell you that you should be using something else, I'm pretty sure that apps that still use the UDID are going to be rejected from the app store admission process. I mean why wouldn't they? Maybe they will let some apps update for a while without kicking them out because it takes a while to work out an alternative, but new apps would likely be rejected.
Anyway this whole thread is just an example of why people don't like developers. What a colossal waste of time arguing over the exact meaning of the word "killed." It's always going to be somewhat subjective and it's not like "killed" is some official programming term that means something specific anyway.
Every other site is reporting this story is using the word "killed" to describe the situation. Any normal person can see that Apple just "killed" the use of UDID's. If developers want to whine and argue over the exact meaning of the word or wait until Apple actually forces them to change or leave the store, all I can say is that I'm absolutely certain that no one really cares.
That's the problem. Apple actually didn't "kill" the use of UDID's for iOS 5, they're just deprecated. They will be killed in a future version of iOS, allowing devs time to adapt. This time is important for both users and developers. AppleInsider and every other site, put simply, are taking a story and exaggerating it, which is a form of journalism most people disapprove of.
That's the problem. Apple actually didn't "kill" the use of UDID's for iOS 5, they're just deprecated. They will be killed in a future version of iOS, allowing devs time to adapt.
Unless Apple refuses to accept apps in iOS 5 that use the UDID framework.
Then they're killed and people are completely right in what they're saying.