On the third of September, a hacker claiming affiliation with AntiSec made a post on pastebin.com describing an intricate attack against an FBI agent’s laptop. The hacker claims to have dumped a database containing over twelve million unique device identifiers (UDIDs) of Apple iOS devices, along with personal information which could tie a user’s real-world identity to his or her device’s electronic serial number. The hackers made just over one million of these UDIDs public, and analysis elsewhere has suggested that the data is that of actual Apple devices. I wrote extensively about the use and abuse of the UDID in a paper which was released just under two years ago.
During the finger pointing phase which followed the leak, the FBI and Apple both denied that they were the sources of the data. It was later discovered that the leak came from an application developer called Blue Toad, who uses UDID data extensively in their development work.
Thrust into the spotlight, Apple took this opportunity to remind the user community that they have been actively working to address UDID privacy concerns on the iOS platform. Not only has Apple deprecated the use of the UDID since the release of iOS5 early in 2011, they have recently started to reject App store submissions for applications which query the iOS UDID.
As it turns out, Apple is taking a “Do as I say, not as I do” approach with UDID security. Apple continues to collect devices’ UDIDs every time an advertisement banner is displayed in any application which uses Apple’s very own iAd banner advertisement system.
It’s quite easy to find an application which uses the iAd network. For this demonstration (data collected 9.17.12) we’ll take a look at Qrafter, a QR code scanning application.
Notice the iAd watermark in the lower right corner of the banner ad.
The iAd banners are retrieved using SSL, which makes traffic analysis somewhat more difficult. By using an appropriate MITM tool, such as Ettercap, Charles or MITM Proxy, it is possible to examine the plain-text contents of the otherwise encrypted conversation.
The iAd banner retrieved by the Qrafter application comes from a server named iadsdk.apple.com. When the application requests the banner ad graphics, it also transmits the iOS device’s UDID to the remote host at apple.com.
Zooming in on the highlighted section reveals the UDID of the iPhone used in this demonstration.
Using the UDID Tool app, we can confirm that this is the UDID of our iOS device:
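One way to turn the traffic inspection described above into a repeatable privacy check is to scan the plaintext requests exported from the MITM proxy for the device’s own 40-character hexadecimal UDID and report which hosts received it. The script below is an added example written for this post, not code from the original article, Qrafter, or Apple. The sample requests, the User-Agent string, and the `udid=` query parameter and `X-Device-Id` header are constructed for illustration; the hostname iadsdk.apple.com is the one named in the post, while the parameter and header names are assumptions, not Apple’s real field names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# iOS UDIDs are 40-character hexadecimal strings (a SHA-1 digest), so a
# 40-hex token is the shape we look for in captured requests.
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Constructed device identifier for this example (not a real UDID).
DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample: three plaintext HTTP/1.1 requests in the form a MITM
# proxy might export after TLS interception. Field names are assumptions.
# The third request carries a different 40-hex token (a content hash) that
# must NOT be reported as a UDID leak.
SAMPLE_REQUESTS = [
    "GET /adsdk/banner?size=320x50&udid=0123456789abcdef0123456789abcdef01234567 HTTP/1.1\r\n"
    "Host: iadsdk.apple.com\r\n"
    "User-Agent: Qrafter/6.0 CFNetwork/609 Darwin/13.0.0\r\n\r\n",
    "GET /qr/lookup?code=abc123 HTTP/1.1\r\n"
    "Host: api.example.net\r\n"
    "X-Device-Id: 0123456789abcdef0123456789abcdef01234567\r\n\r\n",
    "GET /static/app.js?v=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1\r\n"
    "Host: cdn.example.net\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_udid_leaks(raw_requests, device_udid):
    """Return [(host, location), ...] for every place device_udid is sent.

    Only exact matches against the known device UDID are reported, so other
    40-hex values (content hashes, commit ids) do not produce false positives.
    """
    want = device_udid.lower()
    leaks = []
    for raw in raw_requests:
        _method, path, headers = parse_request(raw)
        host = headers.get("host", "?")
        # 1. query-string parameters
        for name, values in parse_qs(urlsplit(path).query).items():
            if any(v.lower() == want for v in values):
                leaks.append((host, f"query:{name}"))
        # 2. header values
        for name, value in headers.items():
            if any(tok.lower() == want for tok in UDID_RE.findall(value)):
                leaks.append((host, f"header:{name}"))
    return leaks


def candidate_ids_by_host(raw_requests):
    """Map each destination host to the set of 40-hex tokens it received.

    Useful as a first pass when the device's UDID is not yet known; the
    result still needs confirming against the real device (e.g. with a
    UDID-reporting app) before calling anything a leak.
    """
    seen = {}
    for raw in raw_requests:
        _method, path, headers = parse_request(raw)
        host = headers.get("host", "?")
        text = path + " " + " ".join(headers.values())
        for tok in UDID_RE.findall(text):
            seen.setdefault(host, set()).add(tok.lower())
    return seen


if __name__ == "__main__":
    for host, where in find_udid_leaks(SAMPLE_REQUESTS, DEVICE_UDID):
        print(f"UDID sent to {host} in {where}")
    for host, toks in candidate_ids_by_host(SAMPLE_REQUESTS).items():
        print(f"{host}: {len(toks)} candidate identifier(s)")
```

Run against a real export, the `find_udid_leaks` result is the list of third parties that saw the identifier during the session, which is the evidence an app reviewer or privacy auditor would attach to a finding; `candidate_ids_by_host` is the broader net for when the device’s UDID has not been confirmed yet.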
Apple’s move to keep UDID-aware applications out of the App store was billed as a system put in place to enhance the privacy of its loyal user base. Considering the behavior of iAd, however, this policy change smells much more like an attempt by Apple to squeeze the competing advertisement networks out of its exclusive online marketplace.
Seeing as how they burned the unique device ID into the phone’s firmware in the first place, Apple clearly already knows the UDIDs of every device it manufactures. By logging this data during a banner ad fetch, however, Apple is building a database of which applications you use and where and when you use them. By restricting the use of UDIDs by third parties, they’re giving the iAd system a clear “trackability” boost over their rivals.