iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)
In 1999, Intel released its newest CPU — the Pentium 3. Each processor included a unique serial number, visible to any software installed on the system. A product backlash quickly developed as privacy rights groups realized that this serial number could be used to track users’ online behavior. The industry, along with trade groups and governments, blasted this new feature; many governments went as far as proposing legislation to ban the use of Pentium 3 CPUs. Following the outcry, Intel quickly removed the serial number feature from their processor line, never to be re-introduced.
Fast forward a decade to the introduction of Apple’s iPhone platform. Much like the Pentium 3, devices running the Apple iPhone operating system (iOS), including Apple iPhones, iPads, and iPod Touches, feature a software-readable serial number – a “Unique Device Identifier,” or UDID. In order to determine if the privacy fears surrounding the Pentium 3 have manifested themselves on the iPhone platform, we studied a number of iPhone apps from the “Most Popular” and “Top Free” categories in Apple’s App Store. For these applications, we collected and analyzed the data being transmitted between installed applications and remote servers using several open source tools. We found that 68% of these applications were transmitting UDIDs to servers under the application vendor’s control each time the application is launched. Furthermore, 18% of the applications tested encrypted their communications such that it was not clear what type of data was being shared. A scant 14% of the tested applications appear to be clean. We also confirmed that some applications are able to link the UDID to a real-world identity.
The iPhone’s UDID is eerily similar to the Pentium 3’s Processor Serial Number (PSN). While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID. As UDIDs can be readily linked to personally-identifiable information, the “Big Brother” concerns from the Pentium 3 era should be a concern for today’s iPhone users as well.
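The three categories reported above (transmits the UDID, encrypted and unclear, clean) can be reproduced when auditing traffic from a test device you own. The sketch below is an added example, not the tooling used in the study: the UDID, app names, hosts, and capture format are all constructed for illustration, and the capture is assumed to come from an intercepting proxy that sees cleartext HTTP but not the contents of TLS sessions.

```python
from urllib.parse import unquote

# Constructed sample values: a made-up 40-hex-character UDID for the test device.
DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"

# Constructed proxy capture: (app, host, request text). None means the proxy
# only saw an encrypted session and could not read the payload.
CAPTURE = [
    ("AppA", "stats.example.com", f"GET /launch?udid={DEVICE_UDID.upper()}&v=1.2"),
    ("AppA", "cdn.example.com", "GET /img/logo.png"),
    ("AppB", "api.example.net", None),
    ("AppC", "news.example.org", "GET /feed?lang=en"),
    ("AppD", "ads.example.com", f"POST /track\n\ndevice%5Fid={DEVICE_UDID}&os=4.0"),
    ("AppD", "secure.example.com", None),
]


def contains_udid(request_text, udid):
    """True if the UDID appears in the request, ignoring case and URL encoding."""
    return udid.lower() in unquote(request_text).lower()


def classify(capture, udid):
    """Map each app to (category, hosts that received the UDID in cleartext)."""
    leaks, opaque, apps = {}, set(), []
    for app, host, text in capture:
        if app not in apps:
            apps.append(app)
        if text is None:
            opaque.add(app)          # payload hidden by encryption
        elif contains_udid(text, udid):
            leaks.setdefault(app, set()).add(host)
    result = {}
    for app in apps:
        if app in leaks:             # an observed leak outranks opaque traffic
            result[app] = ("transmits UDID", sorted(leaks[app]))
        elif app in opaque:
            result[app] = ("encrypted, unclear", [])
        else:
            result[app] = ("clean", [])
    return result


if __name__ == "__main__":
    for app, (category, hosts) in classify(CAPTURE, DEVICE_UDID).items():
        print(f"{app}: {category} {hosts}")
```

An app that only produces encrypted traffic stays in the "unclear" category: absence of a cleartext match says nothing about what the encrypted sessions carry.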
The full report is available here: iPhone-Applications-Privacy-Issues.pdf.
Update: iPhone Privacy: What about the SSL Apps? (10/5/2010)