
iPhone, iPad 'Anonymous' UDIDs Can Be Linked To Personal Information: REPORT

The Huffington Post   First Posted: 05/10/11 07:35 PM ET Updated: 07/10/11 06:12 AM ET


More privacy concerns for iPhone users.

Researcher Aldo Cortesi has found a security flaw in iOS apps that makes it possible to connect the device's anonymous, unique device identifier (UDID) with a user's real-life identity.

Unlike cookies, which can be erased from your computer or device, the UDID is permanent and lets Apple, app developers, advertisers and other companies track which apps you use, how often you use them and how you use them.

In an investigation last December, The Wall Street Journal found that 56 of 101 popular apps transmitted these UDIDs without users' awareness or consent.

While the UDID by itself doesn't contain personally identifiable information, it may be tied to other personal data stored on your device.

Cortesi notes that Apple explicitly bans developers from linking UDIDs with user accounts, but he claims that it's possible for a third party to intercept and view identifying data transmitted with the UDID from the iPhone.

Using OpenFeint, a social gaming service that connects to popular games like TinyWings and Robot Unicorn Attack, Cortesi was able to connect his own personal data -- specifically his Facebook profile photo and his Facebook user ID number -- directly to his own UDID. Cortesi also claims that if users have given OpenFeint access to location data, the service could also connect the UDID with GPS coordinates.

Though OpenFeint, a company that advertises 75 million users, told Cortesi that this security flaw has been fixed, Wired notes that other apps may have similar flaws that "slipped past Apple’s radar."

This may not come as a surprise to some.

"You’re downloading and running applications that are designed to share your thoughts and photos. [Cortesi] points out some things Apple could have done better to help protect your privacy, but basically, you voluntarily give up some of your privacy in order to use these apps and devices," security researcher Charlie Miller told Wired.

Comments are closed for this entry
CaptainObvvious
Calling me a liberal is a compliment!
12:06 PM on 05/11/2011
Is this a problem that should be fixed? Yes.

Is it actually a huge problem? No.

All phones, search engines and whatnot track your search habits, usage habits and whatnot... Go make a Google search, they are collecting data right there.

The device data isn't invasive and is anonymous... The problem is that through using certain apps to sign into something like your Facebook, your UDID gets associated with that account, giving the app tracking your first and last name and, if your Facebook profile is private, NOTHING else.

If you already have a Facebook account you're dealing with a lot more privacy invasion than this phone issue.

Again, it should be fixed but nothing of importance is shared with anyone. You aren't getting CC numbers stolen, your address given out... Nothing.

This is an issue, which is why it's reported, but it is being blown WAAAAAAAAAAY out of proportion by Apple haters that already hate the company, have a post history that shows that and are looking to bash them in any way they can.

The anti Apple tinfoil hat crowd.
blyan
11:29 AM on 05/11/2011
Wow, some of you seriously need to be committed to an institution. The amount of hyper-paranoid uninformed BS some of you are spewing is absolutely unbelievable.
Pectin
Lie to me...
10:52 AM on 05/11/2011
Someone could use your UDID to get information from your facebook page?
One can do that without your UDID.
KennebunkportIndependent
Back in my day, we had NINE planets.
08:21 AM on 05/11/2011
I do not, and will never, have an IPhone.  Yet life goes on as normal for me.  I am sure I am missing out, but until I see a compelling reason other than fashion, I will stick with my cheap Nokia pay as you go phone.
Pectin
Lie to me...
10:54 AM on 05/11/2011
Despite rabid vitriol by iPhone fans and haters alike, I'll let you in on a little secret:

It's just a phone. Get one if you want to, don't if you don't, but it really makes no difference, big picture-wise.
03:55 AM on 05/11/2011
Nothing will be done about this until a congressman's wife uses the data to get half of his assets in court via divorce [location of his mistress' house with timestamp].
nfatt1
Liberty, Equality, Fraternity
12:35 AM on 05/11/2011
Can you imagine the uproar if someone were tracking Corporate activities ?
DaneAZ
Trapeze Artist
03:55 AM on 05/11/2011
Yeah! No kidding, right?!?
dead WASP
Develop an attitude of gratitude.
09:19 AM on 05/11/2011
They are...corporate espionage is big business.
Carmen Madonna Campos
dude! it's me!!!
12:04 AM on 05/11/2011
are you a facebook user? you have no privacy. don't worry about iPhone.
~sent via iPhone
KennebunkportIndependent
Back in my day, we had NINE planets.
08:22 AM on 05/11/2011
I will never have Facebook.
jflorish
10:34 PM on 05/10/2011
I don't care about this at all, I guess this type of stuff just doesn't matter to me :) Kind of like the location tracking, that doesn't bother me either.
10:07 PM on 05/10/2011
This issue isn't about the UDID. It's about the other data transmitted over unencrypted network connections along with the UDID. The main problem is the lack of encryption by default. This allows a wide variety of network snooping and man-in-the-middle attacks on sensitive data.

There is something to be said about enforcing more transparency and control over the kinds of data that applications are privileged to access, but the UDID and similar hardware identifiers are not among the kinds of data that are typically restricted.

For example, access to network adapter MAC addresses is generally open to all applications running under ordinary user privileges on any notable OS. On most UNIX-like platforms, MAC addresses are readily accessible via the ifconfig utility, or ipconfig on Windows.

There are two independent questions one has to answer: what data am I willing to share with the application vendor, and what data am I willing to share with the world? In the latter case, encryption restricts data access to the intended audience. But in the former case, the application vendor has fairly extensive access to user data unless such access is explicitly restricted.

The moral of the story is that running an untrusted application is a risky proposition. Applications can access a lot of data and send it over the network for storage on servers controlled by the vendor. The platform (e.g. Apple iOS) can provide access control tools, but it's ultimately up to the user to use those tools and determine when the defaults are inappropriate and generally be vigilant about the applications they install.
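As an added illustration of the point made above (not code from the article or from any commenter), here is a small privacy-review check over constructed request logs: it flags a hardware identifier sent in cleartext or alongside identity fields, and sketches a per-vendor derived identifier as one mitigation. The host names, the UDID value, the query parameter names and the HMAC-based derivation are all assumptions for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of an app's outbound requests, as a privacy review
# of a device's traffic might log them. Hosts, UDID and values are made up.
UDID = "0123456789abcdef0123456789abcdef01234567"  # constructed, 40 hex chars
SAMPLE_REQUESTS = [
    f"http://api.game.example/login?udid={UDID}&fb_uid=100001234567&name=Aldo",
    f"https://api.game.example/score?udid={UDID}&score=9000",
    f"http://ads.example/track?udid={UDID}&lat=-41.29&lon=174.78",
    "https://cdn.example/assets/logo.png",
]

UDID_RE = re.compile(r"^[0-9a-f]{40}$")  # an iOS UDID is 40 hex characters
IDENTITY_KEYS = {"fb_uid", "facebook_id", "email", "name", "phone", "lat", "lon"}


def review_request(url):
    """Return the privacy findings for one request URL (empty list if clean)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    carries_udid = any(UDID_RE.match(v.lower()) for v in params.values())
    identity = sorted(k for k in params if k in IDENTITY_KEYS)
    findings = []
    if carries_udid and parts.scheme == "http":
        findings.append("hardware id sent in cleartext")  # visible to anyone on the path
    if carries_udid and identity:
        # The stable id travels with data that names or locates the person.
        findings.append("hardware id linked to identity: " + ",".join(identity))
    return findings


def review_all(urls):
    """Map each request that has findings to its list of findings."""
    return {u: f for u in urls if (f := review_request(u))}


def vendor_scoped_id(udid, vendor_secret):
    """Mitigation sketch (assumed design, not Apple's): derive a per-vendor id
    with HMAC so two vendors cannot match their records for the same device."""
    return hmac.new(vendor_secret, udid.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for url, findings in review_all(SAMPLE_REQUESTS).items():
        print(url.split("?")[0], findings)
    print(vendor_scoped_id(UDID, b"vendor-a") == vendor_scoped_id(UDID, b"vendor-b"))
```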
ResearchtheFacts
Alert, awake & paying attention to the details.
10:33 PM on 05/10/2011
Interesting perspective, but ultimately the onus is on Apple. First, they super screen all apps and vendors and have even rejected quite a few.  However, as the article states, a very high percentage IS allowing user information to get out.  The lawsuit itself states Apple knows and has known since 2008 but has willingly let third party vendors have access to their users' sensitive information.

We are in 2011, so as early as 2009 Apple "could have easily" made adjustments, but remember advertising "dollars" are tied to these practices, so they turned a blind eye, pretended or just flat out looked the other way while advertisers and vendors cherry picked at their customer base to target the ones that suited the picker's needs. No, this is not about any other product, OS, OEM or entity.  It's all about Apple, and the sum total of all their practices as of late puts together a good profile of "what" you are dealing with as a company.

Overlooked Foxconn's human rights issues--ongoing, location tracking over a year and keeping the data and allowing third party vendors and advertisers access to real identity information. Equipment malfunctions and flaws--screen bleeds, connectivity issues, crappy rubber fixes and excuses.
ResearchtheFacts
Alert, awake & paying attention to the details.
10:35 PM on 05/10/2011
edits: super screen and these practices, puts together...
12:21 AM on 05/11/2011
I don't think that Apple should be responsible (or held responsible) for qualifying the applications which target their platform. In my view, proprietary censored application repositories are antithetical to the essential spirit of computing, and users should not rely (or expect to rely) on central authorities to provide quality assurance for applications beyond the runtime services implemented by the platform.

Ideological arguments aside, there are practical issues with manually screening applications, and automatic screening is best performed at runtime so that the user can make the pertinent decisions. For example, access to a wide range of data items either global to the platform or local to other applications should be encapsulated by platform services which upon first access by each application prompt the user to allow, deny, or launch the access manager.

One cannot expect the platform vendor to foresee the data access interactions between all possible combinations of installed applications. It just won't happen. The platform itself has to implement an appropriate security model which is flexible enough to deal with future applications and transparent enough to empower the user in a simple and straightforward manner.

I'm not a big fan of Apple, and I think that both iOS and Android are still immature platforms with significant flaws which are going to be responsible for their fair share of growing pains as the demands on these platforms rapidly increase in scale and sophistication.

But I think it's a bit of a stretch to indict Apple for failing to exercise enough control over independent software vendors. If anything, they are guilty of the opposite offense, and in fact this approach to managing the platform could never work even if Apple's interests were perfectly aligned with those of the typical user (if such an animal exists).

What Apple "knows and has known" is somewhat irrelevant to this situation. They shouldn't have to know if an application is misbehaving, and they should be deputized as the undisputed authority on what constitutes unacceptable behavior. It's what the users know that is most important, and that is where Apple is guilty in my book. They aren't giving their users the opportunity to make informed decisions based on how their applications are behaving on their devices.
ResearchtheFacts
Alert, awake & paying attention to the details.
08:30 PM on 05/10/2011
Finally this story hits this site; it's been all over the internet since yesterday. These Apple issues just keep coming up and can not be continuously swept under the rug. How do iPad, iPod and iPhone users have any peace of mind that every time they use their devices it's not open access to all?

With other device makers and OSes there are things you can do to alter the situation, but by the nature of the way Apple is set up it opens their product users to these kinds of invasions. With other manufacturers you don't have to register your product to gain access to features. Maybe added features, but not basic ones.
08:43 PM on 05/10/2011
Dude, PSN's have been in place for over 15 years! EVERY computer is serialized. Thank Intel for that and AMD for following up with it.

3rd party programmers do not get the end user information, just the UDID. Apple holds the customer database that matches UDIDs to actual names.

Essentially any electronic device can be traced back to the point of purchase and the user who owns it. This is by design for all manufacturers and not some Apple-only plot to spy on you.
ResearchtheFacts
Alert, awake & paying attention to the details.
08:50 PM on 05/10/2011
How do you people keep defending this crap?  Unbelievable, what does Apple have to do to you because this would be more than enough for me, to feel really used and taken advantage of?

They are not talking about computers but ipads, ipods and iphones and you are reselling that crap on ebay and other auction sites. This is akin to digital victimization, well know because if you are selling used equipment you are doing it to yourself.

You fanboys are ridiculous. Jobs is probably laughing hysterically he has tons of you out there defending this crap.
Draekia
Open-minded thinker and traveller
02:08 AM on 05/11/2011
Don't say that! You will totally ruin my tin foil hat business with talk like that!
07:35 PM on 05/10/2011
This is just the tip of the iceberg. Corporations can put together a composite of your Internet activities and precisely determine who you are and what you do while browsing. Your information, no matter how benign it may seem, is of great value to the right person. Identity theft is nothing compared to how devastating your information could be when used by unethical corporations. Not to mention the fact you are facilitating corporations with motive to steal from you. You can't even opt out. These corporations have no problem selling your information even to foreign corporations or any other crooks. Your employer can fire you for some innocent comment you might put on Facebook. Get a clue, people!
ResearchtheFacts
Alert, awake & paying attention to the details.
08:34 PM on 05/10/2011
What's even more frightening is having sold your old Apple device on ebay to "joe I don't know who the heck he is, blow" he could have already known about this since this is not just discovered news. Now somebody you know nothing about has your old device with all your info.
CaptainObvvious
Calling me a liberal is a compliment!
12:01 PM on 05/11/2011
What info can Joe get now about you?

Your name? He can't browse the phone and get your SSN or tracking information. Some apps linked the UDID to Facebook and got a NAME and nothing else.

What data am I putting at risk selling my phone?
blyan
07:02 PM on 05/10/2011
Uhhh... shouldn't this article really read: "Third party software that is unaffiliated with Apple has security flaw?"

This has nothing to do with the iPhone, it's OpenFeint that's the problem. OpenFeint isn't even active on iOS unless you download, install, set up, and approve data access for a game that supports it.

What a ridiculously misleading article.
07:41 PM on 05/10/2011
This has everything to do with Apple. They are the ones with the final say on what gets put in the iTunes app store. They dissect every app and they know if it is collecting information or not. Apple even designed the iAd platform to do exactly that. If an app doesn't meet their requirements then it's not approved for the app store.
blyan
11:27 AM on 05/11/2011
I understand that, but how could they possibly have known about some tiny bug in a line of code like this? It's not like they read through millions of lines of code per day...
theveggiedude
my body is a temple, not a living graveyard
01:11 PM on 05/11/2011
You obviously haven't read the TOS.