Many Top iPhone Apps Collect Unique Device ID

Soulskill posted more than 3 years ago | from the your-computer-is-broadcasting-a-UDID dept.

Iphone 194

An anonymous reader writes "It looks like iPhone users are not immune to the types of data leaks recently discovered on the Android platform. Researchers looked at the top free applications available from the App Store and discovered that '68% of these applications were transmitting UDIDs to servers under the application vendor's control each time the application is launched.' The iPhone's Unique Device ID, or UDID, cannot be changed, nor can its transmission be disabled by the user. The full paper is available in PDF form."

194 comments

What's That? (3, Insightful)

MightyMartian (840721) | more than 3 years ago | (#33766404)

What's that? Why, I think it's the sound of the other shoe dropping!

Re:What's That? (2, Insightful)

MBCook (132727) | more than 3 years ago | (#33766442)

Some people may not like this, but it doesn't seem that bad to me. After hearing that some Android apps report a user's physical location up to every 30s... this seems pretty tame.

Re:What's That? (3, Insightful)

ceoyoyo (59147) | more than 3 years ago | (#33766484)

And phone number.

Unless Apple is helpfully giving out your name and address to go along with the UDID (which I very much doubt), it's just a way to see how many people are using your app.

Re:What's That? (1)

drachenstern (160456) | more than 3 years ago | (#33766566)

how many unique devices it has been installed on...

Flipside5 does this with their apps, and when I swapped phones, even though I had done a restore (which transferred over all my other settings for everything else) I lost all my game status with them. Hence, based on UDID.

I didn't mind, but just thought it was interesting that was how they tracked uniques.

Re:What's That? (5, Interesting)

Lumpy (12016) | more than 3 years ago | (#33766674)

No but it enables douchebaggery like LOCKING the app to one device. Which is against Apple's EULA. If I have 2 iPhones, 1 iPod and 2 iPads on my single Apple account I get the app on all those devices for one purchase price. Problem is many app makers are greedy assholes and want to make it only work on ONE device.

Re:What's That? (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33766708)

You speak of greedy, yet you own 2 iPhones, 1 iPod and 2 iPads. Really?

Re:What's That? (0)

Anonymous Coward | more than 3 years ago | (#33766760)

Unless he stole them from the store, I don't see how that makes him greedy.

Let's see your 1040.

Re:What's That? (3, Insightful)

ceoyoyo (59147) | more than 3 years ago | (#33766718)

It enables things like that IF Apple weren't looking over their shoulder. Provided the app got past the approval process in the first place, someone would undoubtedly complain to Apple. Apple would then yank the app from the store and offer everyone refunds. Oh, and as a developer when you give a refund YOU give a refund. Apple doesn't give back their 30%.

So no, nobody's going to do anything that stupid.

Re:What's That? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33767016)

Wait, Apple actually steal your money when someone asks for a refund? And people are willing to develop for them?

Re:What's That? (3, Informative)

Anonymous Coward | more than 3 years ago | (#33767128)

The summary was specific to the top FREE apps. What do you expect they are going to refund? Why are we discussing locking it to one device? They are already free for all your devices. It's about tracking, pure and simple.

Re:What's That? (2, Informative)

hsmith (818216) | more than 3 years ago | (#33767446)

Well you are certainly full of it. Apple gives back their portion of refunds as well. They hold the option to NOT do that though.

Re:What's That? (1)

ceoyoyo (59147) | more than 3 years ago | (#33767526)

All right, Apple may or may not give back their 30%. Maybe not if they're pissed at you for fooling them, breaking your agreement, screwing their customers and refusing to fix it.

Am I not full of it now? Is your pedantry satisfied?

Re:What's That? (1)

edxwelch (600979) | more than 3 years ago | (#33767488)

> Oh, and as a developer when you give a refund YOU give a refund. Apple doesn't give back their 30%.

I'm an iPhone developer and have never been charged the 30% for refunds - and they do happen occasionally.

Re:What's That? (1)

ceoyoyo (59147) | more than 3 years ago | (#33767564)

Have you ever purposely screwed over your customers and Apple and refused to be reasonable about it, as suggested by the OP?

I'm an iPhone developer too, and Apple does reserve the right to make you pay the whole refund amount.

I doubt we're supposed to post excerpts from the actual contract, but the relevant one is reproduced here:
http://techcrunch.com/2009/03/25/apples-iphone-app-refund-policies-could-bankrupt-developers/ [techcrunch.com]

You can check it in your own distribution contract in iTunes Connect.

Re:What's That? (3, Interesting)

grub (11606) | more than 3 years ago | (#33766798)

I've never come across an app that won't install for free on another iOS device (we have 4). What apps have done this? You should definitely report them to Apple if this is the case.

Re:What's That? (1)

am 2k (217885) | more than 3 years ago | (#33767056)

That wouldn't help the dev very much, given that you can purchase any app only once on a single appstore account.

Against app rules (1)

SuperKendall (25149) | more than 3 years ago | (#33767324)

> No but it enables douchebaggery like LOCKING the app to one device.

Specifically not permitted by application developer guidelines. In fact if you support things like in-app purchase, you MUST make sure purchases transfer across user devices.

Re:What's That? (1)

jc42 (318812) | more than 3 years ago | (#33766628)

> ... some Android apps report a user's physical location up to every 30s ...

If you're running google maps on your iPhone or Android phone, it does this. This has been mentioned lots of places, when they explain how the maps app gets the traffic data. It gets the data from the phones, of course, which are reporting their position and speed back to a google server every so often. The green/yellow/red/black color coding of roads is just a summary of how the phones on those roads are moving. It would be surprising if the packets didn't include a phone's ID, since that helps make sense of the strings of packets from different phones on the same stretch of highway that are arriving mingled together.

I've often used google's traffic reports on my G1 to tell me which of my (Garmin) GPS gadget's routes I should avoid. Supposedly Garmin has released a cell-phone version of their GPS software, but I haven't yet read reports of how well it works.

The mobile google-maps app with traffic status is sufficiently useful that people will probably consider it an acceptable excuse for google keeping track of where their phone is at all times. ;-)

Re:What's That? (5, Informative)

TheGeneration (228855) | more than 3 years ago | (#33766726)

The UID identifies the iPhone within XCode. It enables things like authentication without passwords for (trivial) applications. For example if I have an app with profiles, and that app is only usable on the iPhone, there is no need for a password or login, I can just use the UID.

Big whoop.

Re:What's That? (2, Insightful)

postbigbang (761081) | more than 3 years ago | (#33766870)

Your big whoop amounts to someone data mining more stuff about you. You give up too easily protecting your information particulars. If you don't sweat them, they'll steal more.... and maybe already have.

Re:What's That? (1)

PipsqueakOnAP133 (761720) | more than 3 years ago | (#33767376)

That's IF they can steal more. So far, they can get your device ID, and access the address book.
I'm more concerned about the address book than I am about the device ID.
Given the APIs, that's probably about all they can take from you.

Re:What's That? (1, Insightful)

postbigbang (761081) | more than 3 years ago | (#33767590)

So they get a DID, a MAC address, an IP. They follow you around. Maybe they decide to go into various Java cache and sniff around if they can. Java cache locations aren't tough to figure out. There's more than one way to skin a cat, or a bad Java app.

More like the shoe is in your mouth with foot (1)

SuperKendall (25149) | more than 3 years ago | (#33767338)

> What's that? Why, I think it's the sound of the other shoe dropping!

Honestly, you are equating the release of a phone number and constant GPS feed, to a UDID that had no identifying information about you and is only used to detect if the same device is returning to a server? Really?

First Post! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33766416)

Postage Bitches!

And? Care factor zero (1)

aristotle-dude (626586) | more than 3 years ago | (#33766434)

The iPhone's UDID identifies my iPhone, not me so I don't see the problem. Some developers just want to see how many devices apps are installed and in active use on.

Re:And? Care factor zero (2, Interesting)

Dynedain (141758) | more than 3 years ago | (#33766468)

DoubleClick's cookies identify my computer, not me so I don't see the problem. Some developers just want to see how many computers browsers are installed and in active use on.

Re:And? Care factor zero (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33766546)

Then they should set a cookie. We already went over this in the late 90s with the Pentium 3 [wikipedia.org]. Universal hardware id = bad. Set a cookie unique to one company = good.

Re:And? Care factor zero (1, Insightful)

by (1706743) (1706744) | more than 3 years ago | (#33766730)

> Universal hardware id = bad.

I assume you assign your network card a random MAC address before connecting to the internet?

Re:And? Care factor zero (0)

Anonymous Coward | more than 3 years ago | (#33766774)

Yes. I also run anything I don't trust inside a VM which has a fake MAC address and fake IP address (nat).

I don't think apps on phones should be able to access unique BT addresses, MAC addresses, ESN, universal hardware id, or anything like that without asking the user first.

Cookies are just fine. At least I can wipe them if I want to. I'm not livestock and I shouldn't be branded. The serial number under the battery is good enough for me, and not remotely accessible.

Re:And? Care factor zero (1)

ceoyoyo (59147) | more than 3 years ago | (#33766580)

I'm a lot less worried about DoubleClick having a cookie on my computer than I am about a piece of software that grabs my phone number, physical location, my contact information, my contacts' information, the contents of my drive....

Re:And? Care factor zero (0)

Anonymous Coward | more than 3 years ago | (#33766472)

That could be done just as easily without sending the UDID.

As a developer thinking about such things ... (1)

perpenso (1613749) | more than 3 years ago | (#33766720)

> That could be done just as easily without sending the UDID.

Agreed. I would use a hash of the UDID.

However for some circumstances I don't think the developer needs any sort of device ID. For example I have a scientific and hex calculator app [perpenso.com], other modes are about to be released. I would like to get some usage data showing how much use the various modes get. I've considered adding counters that indicate how many operations are performed in each mode and sending these counters to a server periodically. All I want is aggregate data, I don't need any device ID in this case.

Re:As a developer thinking about such things ... (2, Interesting)

raddan (519638) | more than 3 years ago | (#33766776)

I am a university researcher doing iPhone development as a part of our project. We use UDIDs to allow our users to control information exchange between themselves and other iPhone users. We could probably use a hash of UDIDs (really, you'd probably want a hash of a UDID and a salt if you're hashing) or maybe even some other identifier, but I'm not really sure what additional privacy that gains iPhone users. From our perspective, we track them either way. Is the concern that someone else gets our users' UDIDs and combines that information with other UDID information? We were thinking that UDIDs were a step up from username + password, since this allows participation with a minimal amount of information being collected.

Re:As a developer thinking about such things ... (4, Interesting)

perpenso (1613749) | more than 3 years ago | (#33767070)

One of my concerns would be that having the UDID allows for more general impersonation. With a hash specific to a particular app the impersonation is limited to your app.

Another concern would be related to personally identifiable information (PII). When non-PII is associated with PII the non-PII now falls under all the PII regulations. If you use a hash you do not have to worry about what others at the university are collecting. Keep in mind that what constitutes an association between non-PII and PII may be defined by a hostile lawyer. Maybe your team's data being on the same server as another team's.

Re:And? Care factor zero (1)

grub (11606) | more than 3 years ago | (#33766502)

Yeah, just IDs the phone. Not email address, GPS location, contacts or anything.

Not much of a story although I do block call-homes with FirewallIP from the Cydia Store.

Re:And? Care factor zero (0)

Anonymous Coward | more than 3 years ago | (#33766516)

> The iPhone's UDID identifies my iPhone, not me so I don't see the problem.

If one of the apps which phones home happens to send GPS data, it's just a small step to figuring out where you spend most of your time (i.e. your house) and then the UDID is tied to your identity.

Re:And? Care factor zero (2, Informative)

grub (11606) | more than 3 years ago | (#33766552)

All iOS apps that ask for location info generate a permissions dialog.
You can set a default per-app in the Location Services option screen.

Re:And? Care factor zero (1)

scdeimos (632778) | more than 3 years ago | (#33766652)

The Location Services permissions only "secure" the GPS receiver on the phone. There's plenty of other methods of locating a device without popping the Location Services prompt, such as by Wi-Fi SSIDs and signal strengths (thanks Google), and Geolocation by IP address. They may not be as accurate as GPS, but in a lot of cases near enough can be good enough.

Re:And? Care factor zero (2, Informative)

alannon (54117) | more than 3 years ago | (#33766766)

Incorrect. Without using Location Services (and asking permission) apps have no access to anything involving the Wi-Fi SSIDs surrounding you.

And as for IP address...
WARNING! Your computer is broadcasting your IP address!
Be serious.

Incidentally, with rare exceptions, the IP address of your phone, as assigned from your carrier, is in a private IP range. If you're connecting to a server, which will then have your public IP address, do you really feel you have any expectation of privacy, as far as the server not attempting to map your IP address to a location?

Re:And? Care factor zero (1)

jo42 (227475) | more than 3 years ago | (#33766904)

> Without using Location Services (and asking permission) apps have no access to anything involving the Wi-Fi SSIDs surrounding you.

I guess you haven't seen some of the new APIs in iOS 4.1/4.2, have you?

Re:And? Care factor zero (1)

ceoyoyo (59147) | more than 3 years ago | (#33767688)

I have. If you're referring to what I think you're referring to, you still can't access the network settings to actually scan for SSIDs. You can get the CURRENT one, but that's it. That might identify the device's position. Maybe. Wifi location services generally require several SSIDs for a location.

It's a lot less of an issue than sending GPS coordinates back to the server.

Re:And? Care factor zero (1)

grub (11606) | more than 3 years ago | (#33766772)

I think the Location permissions also block against wifi type geolocation as it also works on the iPod Touch which has no GPS.

Re:And? Care factor zero (2, Funny)

Anonymous Coward | more than 3 years ago | (#33766556)

> The iPhone's UDID identifies my iPhone, not me so I don't see the problem.

Just wait... soon we will ALL have Apple's most important creation ever... the "iD".

Re:And? Care factor zero (1)

SilverHatHacker (1381259) | more than 3 years ago | (#33766594)

I seem to remember when the Ubuntu OEM team proposed a package that would report your computer model so they could count installations, many people freaked out. Even though it sent nothing personally identifiable, the concept of your computer "phoning home" was anathema to the gathered masses. Funny how on an Apple product, the common response is "no big deal, it's not personally identifiable" but on anything else it's "ZOMG! Teh evulz!"

Re:And? Care factor zero (2, Insightful)

Klync (152475) | more than 3 years ago | (#33766688)

Hmmm... maybe we should ask Mr. Gathered Mass why he keeps changing his mind. Oh, what's that? You're talking about millions of *different* people holding *different* opinions? Wow, who would've thought! I think you've found the real story in all of this: apparently, not everybody feels the exact same way about different, although similar, events. Thanks for sharing this insight - you just blew my mind.

Re:And? Care factor zero (1)

Nyeerrmm (940927) | more than 3 years ago | (#33766962)

I'd say that the two sets are fairly distinct. While there are iPhone using Ubuntu users (myself included), I'm guessing the majority on each platform wouldn't use the other. Ubuntu users are going to in general be more libertarian leaning and privacy minded than iPhone users.

That said, I personally feel the opposite. Ubuntu collecting that data doesn't bother me at all, and I definitely see the value. App developers doing so makes me a little bit uncomfortable, but I see the value in it to them too.

Re:And? Care factor zero (1, Informative)

Anonymous Coward | more than 3 years ago | (#33766600)

From the summary... "We also confirmed that some applications are able to link the UDID to a real-world identity."

Re:And? Care factor zero (0)

Anonymous Coward | more than 3 years ago | (#33766800)

> From the summary... "We also confirmed that some applications are able to link the UDID to a real-world identity."

So what?

If you read the paper... (3, Informative)

layertwo (1913436) | more than 3 years ago | (#33766634)

"We also confirmed that some applications are able to link the UDID to a real-world identity."

Re:And? Care factor zero (1)

LostCluster (625375) | more than 3 years ago | (#33766660)

You must be the Cookie Monster.

Most cookies are unique values to identify you to web sites, and therefore also to ad networks. The more info about you that can be associated with that ID, the more they can specifically target you.

The UDID might be a value that's random, but if ad networks can tie your usernames to the UDID, then they can uniquely identify your phone as you, and tie that to the targeted information.

Laughable (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33766750)

Tasty Koolaid huh? Steve Jobs could turn out to be a ninja-rapist and you'd explain that away too eh?

If Windows Mobile 7 had a similar feature you'd be all over Microsoft ranting about how nasty and evil they were, too...

Re:Laughable (1)

dreamchaser (49529) | more than 3 years ago | (#33766950)

Steve Jobs rapes ninjas???

Seriously though, you must be new here if you expect the Slashdot crowd to bash Apple about anything. That's almost as bad as asking them to admit that Linux has a few flaws.

Disclaimer: I like Linux and run it on several machines as well as in VM's. Just sayin'...

Re:Laughable (1)

MrHanky (141717) | more than 3 years ago | (#33767036)

Bashing Apple has been OK for some time, but there's still a very vocal minority that goes into full denial every time Apple does something objectionable. Like most of the first comments here.

Re:And? Care factor zero (2, Informative)

Jazzbunny (1251002) | more than 3 years ago | (#33766752)

You don't see the problem because you didn't read the pdf:

> For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner. The CBS News application transmits both the UDID and the iPhone device’s user-assigned name, which frequently contains the owner’s real name.

Re:And? Care factor zero (2, Insightful)

MrHanky (141717) | more than 3 years ago | (#33766796)

Sorry, but it has already been established in the discussion about possible privacy invasions in Android software that this can't happen on iOS. Because it simply can't happen.

Re:And? Care factor zero (1)

Jazzbunny (1251002) | more than 3 years ago | (#33767232)

Well how about you redo the experiment and prove to the world that this security expert is wrong, from the pdf you can find how he captured the data:

> Packet captures were recorded using tshark, the console-based libpcap capture utility. The resulting files were then analyzed using a suite of open-source tools including Wireshark, ngrep, and the Perl Net::Pcap libraries in order to determine what, if any, personally-identifiable information was being shared with third parties.

Happy hacking.
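An added sketch, not code from the paper or from anyone in this thread, of the kind of check the quoted methodology implies: search cleartext HTTP requests captured from your own test device for its UDID, raw or as an unsalted MD5/SHA-1 digest, and note when the owner's name travels in the same request. The UDID, name, hosts and requests are constructed, and the input is assumed to be request text already extracted from a capture.

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed test values: not a real device, person, or vendor.
DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"
OWNER_NAME = "Jane Doe"


def udid_forms(udid):
    """Raw UDID plus the unsalted digests an app might send in its place."""
    raw = udid.lower().encode("ascii")
    return {
        "raw": udid.lower(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }


def split_request(request):
    """Return (host, URL-decoded lower-case text) for one cleartext HTTP request."""
    head, _, body = request.partition("\r\n\r\n")
    host = "unknown"
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    # Decode %xx and '+' so "Jane+Doe" matches; lower-case so upper-case hex matches.
    return host, unquote_plus(head + "\n" + body).lower()


def audit(requests, udid, owner_name):
    """List every request that carries the device identifier in any known form."""
    forms = udid_forms(udid)
    findings = []
    for request in requests:
        host, text = split_request(request)
        seen = sorted(label for label, value in forms.items() if value in text)
        if seen:
            findings.append({
                "host": host,
                "forms": seen,
                "with_name": owner_name.lower() in text,
            })
    return findings


# Constructed requests standing in for traffic extracted from a capture.
SAMPLE_REQUESTS = [
    "GET /launch?udid=" + DEVICE_UDID + "&v=1 HTTP/1.1\r\n"
    "Host: stats.example.com\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: api.example.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "name=Jane+Doe&device=" + DEVICE_UDID.upper(),
    "GET /ping?id=" + hashlib.sha1(DEVICE_UDID.encode("ascii")).hexdigest()
    + " HTTP/1.1\r\nHost: ads.example.org\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS, DEVICE_UDID, OWNER_NAME):
        print(finding)
```

The digest checks matter because an unsalted hash of the UDID is just as stable an identifier as the UDID itself, so a scan for the raw value alone would miss the third request.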

Faggottry (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33766456)

Is "Unique Device ID" some kind of slang for the curvature of a penis as it enters a man's anus?

Another app? (1)

Delarth799 (1839672) | more than 3 years ago | (#33766464)

Want to see how many of your applications are currently sending your UDID to their vendor's server?
Well there's an app for that!

OMFG! What ever will we do? What of the children? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33766486)

Won't someone please think of the children! That's what the Donner Party said when their food ran out. Guess what was on the menu the next day? Hmmmm. Unique device ID.

I can see... (0)

Anonymous Coward | more than 3 years ago | (#33766508)

the smile in Richard Stallman's face...

OH YES (1)

GameboyRMH (1153867) | more than 3 years ago | (#33766802)

Mine too. I just came in here to gloat and feel smug as fuck about how this won't happen on my Maemo device, as pretty much all of my apps are open source, and I can see what's going on anyways with tools like ps, top, netstat and whatever else I can make run on my device. Because I have root access. That makes me the fucking boss.

Decision to choose Maemo over Android: 100% ~Vindicated~ B-)

Now excuse me while I put on my pimp suit and strut around to some 70s-tastic beats.

Error in the abstract? (0)

Anonymous Coward | more than 3 years ago | (#33766570)

They really should have done more proofreading
hint - it is NOT 13 years old

Well, probably NOT a problem (2, Interesting)

zentechno (800941) | more than 3 years ago | (#33766572)

As has been said, it identifies the phone, and not the user (though a majority of the time it'll be the phone's owner). Many apps use the UUID as a unique ID (ahem) to store state, e.g. viewed pages, favorites, etc. Yes, this is also done with a log in, or it could be done transparently via the UUID; not sure there's a best/worse here. I know -- it's the transparency that's the controversy, but I'm a bit pressed to think of anything that's revealed that couldn't also be revealed with (or without) "vendor collusion" (e.g. an App-to-UUID database to see which apps are on the same phone -- oh, wait, Apple knows that).

mod 04 (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33766596)

[tuxedo.org], series of explo3ing DYING. ALL MAJOR to say there have

1997? (0)

Anonymous Coward | more than 3 years ago | (#33766680)

The beginning of the abstract:

> Every Apple iPhone shipped since its introduction in 1997
> contains a unique, software-visible serial number

And people are complaining now? Pfft

Recommended alternatives? (5, Interesting)

swamp boy (151038) | more than 3 years ago | (#33766712)

This article is very timely for me. I'm an iPhone developer who's planning to add a server component for some of my iPhone apps. My initial thinking was to simply make use of the built-in UDID since it's there and doesn't require any effort on the part of the user. I did RTFA and I can see how the use of UDIDs could lead to unethical situations.

On the other hand, what's the alternative? Generally speaking, an iPhone app that has a server component with functionality that's geared to a specific user needs something to identify that user. Sure, I could force the user to enter their email address or make up a user id. Unless a user goes to the trouble of making sure that each service/app they deal with uses a separate and distinct user id or email address, you're back in the same situation (or close to it).

I'm genuinely interested in hearing suggestions on the preferred mechanism that helps to maintain privacy.

UDID does not identify a user (1)

perpenso (1613749) | more than 3 years ago | (#33766748)

The UDID would be a poor choice to identify a user. A person may have multiple devices, say an iPhone and an iPad, or they may replace/upgrade their device to a newer model. I think you will have to use an account name chosen by the user, an email address, etc.

Re:UDID does not identify a user (1)

swamp boy (151038) | more than 3 years ago | (#33766790)

Good point. I hadn't considered the multi-device situation for a single user. Like I said, it's all very preliminary ideas at the moment (having started work on any of the implementation yet).

Re:UDID does not identify a user (2, Interesting)

Jah-Wren Ryel (80510) | more than 3 years ago | (#33766972)

Go with a user-editable field that defaults to the unit's UDID for username and also defaults to a reasonably unguessable password.
That way you have a sane default that user can change if they have a need to.
Make sure to include a brief help description of that field and its purpose so that the user will know that it need not be a bunch of hex digits.

Also, on the server side keep a unique "user id" that never goes to the phone - that way changing the username on the phone side doesn't result in a brand new account on the server side.

Also, watch out for collisions - don't want some poor schmuck changing their username to one that already exists and then being both locked out and unable to change it to something else.

Re:UDID does not identify a user (3, Informative)

TrancePhreak (576593) | more than 3 years ago | (#33767262)

The UDID is pretty long, doesn't really make for a good user name. This is an example UDID: 2b6f0cc904d137be2e1730235f5664094b831186

Re:UDID does not identify a user (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#33767686)

So? The point is to have something to fill in for a default of a field that 99% of the users won't ever even see.
If it ever needs to be changed, the user gets to pick something much shorter and more meaningful to them.

Re:UDID does not identify a user (1)

dreamchaser (49529) | more than 3 years ago | (#33766976)

Perhaps we need something like OpenID for Apple iOS. Not that I care much as I don't plan on ever owning an iOS device. I'll wait for a capable Linux based tablet, and unless they put a real keyboard on the iPhone I won't be going there either. Still, maybe that's another project you could look into.

Re:UDID does not identify a user (1)

perpenso (1613749) | more than 3 years ago | (#33767108)

> ... unless they put a real keyboard on the iPhone ...

Bluetooth keyboards work. I think there is at least one case that accommodates both.

Re:UDID does not identify a user (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33767314)

You also run into problems going the other direction: someone who sells their old iPhone when they upgrade is suddenly unable to get into an account that was tied into their UDID while the person who bought the phone would have access to the account (assuming they went and bought the same app...so, if you plan/hope on becoming popular, it's worth thinking about) and any personal information that might be associated with that account.

Re:UDID does not identify a user (1)

am 2k (217885) | more than 3 years ago | (#33767072)

Using the Apple ID would help there, but I guess you can't access that from an iOS app.

Re:Recommended alternatives? (5, Interesting)

alannon (54117) | more than 3 years ago | (#33766792)

Additionally, Apple's documentation on the API that provides the UDID specifically indicates that Apple considers it appropriate to use as a method of identifying a user/device.

Of course, that doesn't change the privacy implications, but it indicates that the UDID is provided by Apple to developers for precisely that purpose.

Re:Recommended alternatives? (1)

hsmith (818216) | more than 3 years ago | (#33767328)

You could provision your own GUID and store it in the Keychain. Keychain is restored to the devices upon a restore operation (even device to device).

I see nothing wrong with collecting UDIDs, we do so to identify devices with APNS.

Just FUDD.

Re:Recommended alternatives? (1)

Wormholio (729552) | more than 3 years ago | (#33767708)

If you take a hash (eg SHA1 is better than MD5) of the UDID you get a unique string that is not the UDID. Of course if other apps do the same then these could be compared to identify users -- not necessarily by name, but connecting a user on one server with a user on another.

So concatenate the App Id, which is unique to the app, with the UDID, which is unique to the device, and then take the hash, which is then unique to both and not invertible. Do this once, on the device (not on your server, or the UDID has to be transmitted), and use that as a unique identifier of the user/device.
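An added illustration, not code from any commenter or from Apple: the app-scoped hash described in the comment above, next to the random per-install identifier suggested earlier in the thread (a GUID kept in the Keychain). It uses SHA-256 in place of SHA1, a plain dict stands in for the Keychain, and the app IDs and UDIDs are constructed.

```python
import hashlib
import uuid

# Constructed values: not real devices or apps.
UDID_A = "0123456789abcdef0123456789abcdef01234567"
UDID_B = "89abcdef0123456789abcdef0123456789abcdef"
APP_ONE = "com.example.calculator"
APP_TWO = "com.example.radio"


def app_scoped_id(app_id, udid):
    """Hash of app ID and UDID, computed on the device so the raw UDID is never sent."""
    material = app_id.encode("utf-8") + b"\x00" + udid.lower().encode("ascii")
    return hashlib.sha256(material).hexdigest()


def relink(known_udids, app_id, observed_id):
    """What a party that already holds raw UDIDs can do: recompute and match.

    App IDs are not secret, so the hash only hides the UDID from parties
    that never saw it in raw form.
    """
    for udid in known_udids:
        if app_scoped_id(app_id, udid) == observed_id:
            return udid
    return None


def install_id(store, app_id):
    """Random per-install ID, created once and then reused.

    `store` is a hypothetical stand-in for the Keychain; nothing about the
    value is derived from hardware, so no UDID list can reproduce it.
    """
    if app_id not in store:
        store[app_id] = uuid.uuid4().hex
    return store[app_id]


def demo():
    id_one = app_scoped_id(APP_ONE, UDID_A)
    id_two = app_scoped_id(APP_TWO, UDID_A)
    keychain = {}
    random_id = install_id(keychain, APP_ONE)
    return {
        # Same app, same device: the server sees a stable identifier.
        "stable_per_app": id_one == app_scoped_id(APP_ONE, UDID_A),
        # Two apps on one device: their servers cannot join records by ID.
        "differs_across_apps": id_one != id_two,
        # A party holding the raw UDID can still tie the scoped ID back to it.
        "relinked_by_udid_holder": relink([UDID_B, UDID_A], APP_ONE, id_one),
        # The random ID has no relationship to any UDID.
        "random_id_relinked": relink([UDID_B, UDID_A], APP_ONE, random_id),
        "random_id_stable": install_id(keychain, APP_ONE) == random_id,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```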

Is there a difference? (4, Insightful)

blair1q (305137) | more than 3 years ago | (#33766770)

iPhone and Android. Two peas in different pods.

The Internet is not secure.

Your phone company is not your mommy.

Software is more complex than humans can comprehend, and there will be holes in its behavior relative to your expectation, especially but not exclusively when you were not the one who wrote the requirements for it, but especially again when the people writing it want to leave avenues for future revenue growth.

Retarded (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33766856)

So a random identifier is somehow comparable to my GPS location?! Gimme a break

Push (1)

mr100percent (57156) | more than 3 years ago | (#33766878)

How is this different than registering the Apple device with the app for Push notifications? The article is pretty thin on details and the PDF is kinda slashdotted. Granted, push access requires the user to agree to it via a popup on first launch.

it's all good (3, Informative)

somewhere in AU (628338) | more than 3 years ago | (#33767000)

Unique device ID doesn't violate privacy whatsoever since there is no link to your name, address, etc..

It DOES however provide a great way of ensuring "trial" or "lite" apps handled by a server and doing what you intended in say limiting results or whatever.. it also is good for internal logs since you can refine your app by looking at how the app is used, both overall as well as individual patterns.

You don't need GPS, personal or any other information at all to provide LOTS of benefits and an IMPROVED app once you have access to a unique ID that doesn't involve registering username or whatever as annoying websites do.

I think a credible business would disclose in an open way what server transactions are involved on a per-app basis and with our new server suite being rolled out I know we will provide a web page per app detailing this so it's all open and above board and the benefits given.

Re:it's all good (0, Insightful)

Anonymous Coward | more than 3 years ago | (#33767434)

You're a fag.

Like so many others have pointed out, some of the apps do send the user's name -- along with the UID -- in plaintext.

No one wants extra government involvement (1)

Stan92057 (737634) | more than 3 years ago | (#33767276)

No one wants extra government involvement but this industry has shown and proven time and time again it will not police itself nor make policies that protect privacy. Our Government must step in. And to those who disagree, what's your idea?? Knowing these companies cannot be trusted

Blown out of proportion (1)

mr_zorg (259994) | more than 3 years ago | (#33767346)

Bah, this is blown out of proportion a little bit. The UDID, by itself, tells a developer nothing about YOU. Its use is documented and encouraged by Apple for tracking user devices (which TFA admits). Now sure, if I were to also grab your address book I can tie that to your UDID, but it's my grabbing your address book that's the problem, not the UDID. I suppose if Apple wanted to make this more secure they could make the API automatically hash the UDID with your Application ID (also unique) and return that instead. You would still be able to use it for the same purposes as UDID was intended for, but NOT between apps.

Pandora (5, Informative)

Culture20 (968837) | more than 3 years ago | (#33767562)

Yeah, I noticed that with Pandora after my friend sold me his old phone (he had it wiped first). I downloaded Pandora and started screwing around with his stations because I thought they were just default stations Pandora gave me. They were basing access on the UDID.