More privacy concerns for iPhone users.
Researcher Aldo Cortesi has found a security flaw in iOS apps that makes it possible to connect the device's anonymous, unique device identifier (UDID) with a user's real-life identity.
Unlike cookies, which can be erased from your computer or device, the UDID is permanent and lets Apple, app developers, advertisers and other companies track the apps you use, how often you use them and how you use them.
In an investigation last December, The Wall Street Journal found that 56 of 101 popular apps transmitted these UDIDs without users' awareness or consent.
While the UDID by itself doesn't contain personally identifiable information, it may be tied to other personal data stored on your device.
Cortesi notes that Apple explicitly bans developers from linking UDIDs with user accounts, but he claims that it's possible for a third party to intercept and view identifying data transmitted with the UDID from the iPhone.
Using OpenFeint, a social gaming service that connects to popular games like TinyWings and Robot Unicorn Attack, Cortesi was able to connect his own personal data -- specifically his Facebook profile photo and his Facebook user ID number -- directly to his own UDID. Cortesi also claims that if users have given OpenFeint access to location data, the service could also connect the UDID with GPS coordinates.
Though OpenFeint, a company that advertises 75 million users, told Cortesi that this security flaw has been fixed, Wired notes that other apps may have similar flaws that "slipped past Apple’s radar."
This may not come as a surprise to some.
"You’re downloading and running applications that are designed to share your thoughts and photos. [Cortesi] points out some things Apple could have done better to help protect your privacy, but basically, you voluntarily give up some of your privacy in order to use these apps and devices," security researcher Charlie Miller told Wired.