iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)
by Eric on Sep.30, 2010, under Group News, Presentations, Security
Executive Summary
In 1999, Intel released its newest CPU — the Pentium 3. Each processor included a unique serial number, visible to any software installed on the system. A product backlash quickly developed as privacy rights groups realized that this serial number could be used to track users’ online behavior. The industry, along with trade groups and governments, blasted this new feature; many governments went as far as proposing legislation to ban the use of Pentium 3 CPUs. Following the outcry, Intel quickly removed the serial number feature from their processor line, never to be re-introduced.
Fast forward a decade to the introduction of Apple’s iPhone platform. Much like the Pentium 3, devices running the Apple iPhone operating system (iOS), including Apple iPhones, iPads, and iPod Touches, feature a software-readable serial number – a “Unique Device Identifier,” or UDID. In order to determine if the privacy fears surrounding the Pentium 3 have manifested themselves on the iPhone platform, we studied a number of iPhone apps from the “Most Popular” and “Top Free” categories in Apple’s App Store. For these applications, we collected and analyzed the data being transmitted between installed applications and remote servers using several open source tools. We found that 68% of these applications were transmitting UDIDs to servers under the application vendor’s control each time the application is launched. Furthermore, 18% of the applications tested encrypted their communications such that it was not clear what type of data was being shared. A scant 14% of the tested applications appear to be clean. We also confirmed that some applications are able to link the UDID to a real-world identity.
The iPhone’s UDID is eerily similar to the Pentium 3’s Processor Serial Number (PSN). While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID. As UDIDs can be readily linked to personally-identifiable information, the “Big Brother” concerns from the Pentium 3 era should be a concern for today’s iPhone users as well.
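The traffic analysis described above, as an added example that is not the paper's own tooling: it scans constructed capture records (app name, request URL, request body) for 40-hex-character UDID values in query strings and POST bodies, records per app which hosts received one, and treats TLS traffic as opaque, which yields the same three buckets the summary reports (transmits UDID, encrypted/unknown, clean). All hostnames and identifier values are made up for the example.

```python
"""Scan captured app traffic for UDID transmission (constructed sample data)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# iOS UDIDs of this era are 40 hexadecimal characters (a SHA-1 style hash).
UDID_RE = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)

# Constructed sample capture: (app, url, body). Hosts and values are invented.
CAPTURE = [
    ("NewsApp", "http://api.newsapp.example/launch?udid=0a1b2c3d4e5f60718293a4b5c6d7e8f901234567&v=1.2", ""),
    ("NewsApp", "http://metrics.thirdparty.example/beacon", "id=0a1b2c3d4e5f60718293a4b5c6d7e8f901234567&ev=open"),
    ("GameApp", "http://scores.gameapp.example/post", "score=1200&dev=ffeeddccbbaa99887766554433221100ffeeddcc"),
    ("CleanApp", "http://cdn.cleanapp.example/content.json", ""),
    ("TlsApp", "https://secure.tlsapp.example/", "<encrypted, not inspected>"),
]

def find_udids(url, body):
    """Return the set of 40-hex values found in the query string or form body."""
    found = set()
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    for _, value in pairs:
        found.update(m.lower() for m in UDID_RE.findall(value))
    return found

def analyze(capture):
    """Per app: hosts that received a UDID, and whether any traffic was TLS."""
    report = defaultdict(lambda: {"udid_hosts": set(), "encrypted": False})
    for app, url, body in capture:
        entry = report[app]          # register the app even if it leaks nothing
        parts = urlsplit(url)
        if parts.scheme == "https":
            entry["encrypted"] = True  # payload not visible without interception
            continue
        if find_udids(url, body):
            entry["udid_hosts"].add(parts.hostname)
    return dict(report)

def summarize(report):
    """Bucket apps the way the study does: transmits UDID / encrypted / clean."""
    total = len(report)
    leaking = sum(1 for r in report.values() if r["udid_hosts"])
    encrypted = sum(1 for r in report.values() if r["encrypted"] and not r["udid_hosts"])
    return {"apps": total, "transmit_udid": leaking,
            "encrypted_unknown": encrypted, "clean": total - leaking - encrypted}

if __name__ == "__main__":
    result = analyze(CAPTURE)
    for app, info in result.items():
        print(app, sorted(info["udid_hosts"]), "tls" if info["encrypted"] else "")
    print(summarize(result))
```

Hosts outside the vendor's own domain in `udid_hosts` (here `metrics.thirdparty.example`) are the third-party recipients the paper singles out.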
The full report is available here: iPhone-Applications-Privacy-Issues.pdf.
Update: iPhone Privacy: What about the SSL Apps? (10/5/2010)
18 Comments for this entry
October 1st, 2010 on 7:54 pm
On page 10 you indicate that by planting a long duration cookie on the specific device, along with a UDID, the company could track the same human over the multiple cellular devices.
Given that the cookie is set only on the device, is this meant to handle the specific case where the app and its settings are migrated to the new phone? Are the “3rd parties” referenced the direct app creators, or some other, actual 3rd parties?
Either way, that section is a very weak section of an otherwise decent paper.
October 1st, 2010 on 9:35 pm
mrbene,
When you restore an iPhone backup from an old device to a new device, the applications are transferred intact. This functionality is included with iTunes and is the suggested method for transferring your settings to a new iPhone. Along with the applications themselves, other data such as high scores, user settings, and cookies are transferred to the new device as well. In the cases cited in the paper, an application vendor could use their long-lived (20 year) app cookie to map your old UDID to a new one.
Applications also set third party cookies. Take a look at figure eight in the full paper. The ABC News application sets two cookies; one for domain “go.com” and another for domain “scorecardresearch.com”. The mere presence of cookies for multiple domains means that at least one of them is a “third party” cookie.
October 2nd, 2010 on 12:29 am
Page 1 typo: The iPhone was introduced in 1997?
Also, what can we do about this?
October 2nd, 2010 on 9:50 am
The only hope, excluding a jailbreak hack of course, is for Apple to add a “Block my UDID” feature to the iPhone IOS.
Thanks for catching the typo.
October 2nd, 2010 on 6:49 pm
Do we know if Apple is aware of this issue?
October 3rd, 2010 on 10:44 pm
Nick: Of _course_ Apple knows about this, they put it in specifically for this purpose.
In addition, Apple requires that any device you test an app on *before* releasing to the App Store be registered, via UDID, with Apple, so that Apple knows who is running which pre-release software before it even hits the App Store. The rationale is that they want to limit your testing to 100 total devices, forcing you to release your apps to the public via the App Store instead of direct to the public. There are several Pros and Cons to this approach…
October 2nd, 2010 on 9:40 am
You are ignorant. This is an excerpt of the UIDevice class documentation regarding the uniqueIdentifier method:
A unique device identifier is a hash value composed from various hardware identifiers such as the device’s serial number. It is guaranteed to be unique for every device but cannot _publicly_ be tied to a user account. You can use it, for example, to _store_ high scores for a game in a central server or to _control access_ to registered products. The unique device identifier is sometimes referred to by its abbreviation UDID.
So next time concentrate on something else and don’t waste your time trying to get some popularity comparing the iOS with Android.
p.s. the black background is so ’90.
October 2nd, 2010 on 9:44 am
progr,
Had you actually read the paper, you would have noticed that we reference the UIDevice class and cite the Apple documentation that you quoted. See page six.
The paper doesn’t mention Android at all. (Again, had you actually read it …)
Oh, and I loved the 90s
October 3rd, 2010 on 12:42 pm
hey progr, black is the new blinding white. ’10 is the new ’90.
October 2nd, 2010 on 10:02 pm
The problem Eric is: “the paper” just says the UDID functions as it’s supposed to and then talks more about the Pentium 3 and privacy modes in browsers without actually observing any true misuse of the UDID.
October 3rd, 2010 on 10:36 am
Why did you not test any of Google’s own apps in the app store?
October 3rd, 2010 on 1:02 pm
It’s a cell phone. It has to have a unique identifying number or it won’t work! Duh. How do you think calls are routed to and from the device? This is pure alarmist/hit-trolling b.s.
October 3rd, 2010 on 10:41 pm
Ben,
There’s a _major_ difference between needing a unique ID to route calls (similar to an IP address to route packets), and providing a hardware-specific, unchangeable, hidden mechanism to uniquely identify a device.
It’s like forcing everyone who uses a browser to accept a single cookie, accessible by all sites, that you can never change or delete, and that can be accessed by any site without your permission or knowledge.
This is not a troll — this is a major security threat.
October 4th, 2010 on 9:50 pm
The UDID is no more of a threat than the many other unique IDs that can be recovered from all manner of devices, and even on the iPhone itself. There is a Bluetooth serial number, which is a unique number related to the device, the WiFi MAC address which is a unique number identifying the device. And so on. and on. and on.
The most favored use from my perspective is to know the pirate versus purchased approximate ratio. It lets me know what apps to update because they will sell better. I have had one app, that even with a generous 5 iOS devices on a legitimate purchase still has a 20,000 to one pirate versus purchase play rate. So it has not seen nearly the development effort as my other Apps. And it is a 99 cent app. And the conversion from pirate to purchase is 3 copies. Wow. 3. But I need to know where to spend my own personal development time so I collect the information as part of the legitimate requests to my app-servers.
So watch out for all those WiFi devices, they TRANSMIT their unique ID to everyone in range!!!
Really this is a non-issue.
Tjp
October 3rd, 2010 on 10:38 pm
Great paper! In response, I’ve posted a detailed discussion of our decisions regarding UDIDs made during the development of our iPhone app, WasteNot, and some key takeaways after thinking about this for almost 2 years and watching the results of choosing *not* to use the UDID:
http://kismetworldwide.com/blog/2010/10/privacy-and-iphoneipadipod-touch-unique-device-identifiers-udids/
October 5th, 2010 on 11:02 am
No wonder the Chinese Government loves it when diplomats visit with their iPhone!
October 6th, 2010 on 10:02 pm
eric:
Impressive research and paper.
joe malley
malleylaw@gmail.com
August 23rd, 2011 on 8:29 am
I have a query of how to keep my mobile apps secured. For that I got the answer from this post. Thanks for the post.