Feeds

iPhone apps put user privacy at risk

Unique IDs free for the taking

SANS - Survey on application security programs

A large number of applications that run on Apple's iOS collect serial numbers that uniquely identify the hardware device, according to a study that warns the practice could compromise users' privacy.

Apple bills the UDID, or Unique Device Identifier, as a tool for developers to identify iPhones, iPads, and iPod touches when remotely storing application preferences, video game high scores, and similar types of data. Although UDIDs have largely escaped the criticism of privacy advocates, they could in many respects be as troubling as the Processor Serial Number system Intel included with the Pentium 3 in 1999, until the feature was pulled following a firestorm of protest from civil libertarians.

“The iPhone's UDID is eerily similar to the Pentium 3's Processor Serial Number (PSN),” Eric Smith, assistant director of information security and networking at Bucknell University in Pennsylvania, wrote in the report.

“While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID. AS UDIDs can be readily linked to personally-identifiable information, the 'Big Brother' concerns from the Pentium 3 era should be a concern for today's iPhone users as well.”

The research paper is the latest to highlight the lack of privacy controls offered by many smartphones. The study was released the same week that separate computer scientists found that a large percentage of apps available in Google's competing Android Market reported users' phone numbers, locations, or handset device numbers to remote advertising servers without explicitly telling users this was happening.

Both platforms warn users what personal information an app they want to install can access, but neither state precisely what information is collected or how it is used.

Smith analyzed 57 apps — including those in the iTunes Store's top 25 free and top free news categories — by running them through a packet sniffer that monitored the data they sent to remote servers. Of those, 68 percent transmitted UDIDs to servers under the control of developers or advertisers, while another 18 percent sent encrypted data that could have included the unique serial number. Just 14 percent of the apps were confirmed not to send UDIDs.

What's more, a BBC News app that was analyzed included a tracking cookie that didn't expire for four years, while ABC News set a cookie that persisted for 20 years. “The existence of these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals' new phones as they upgrade to the newest iPhone model every few years,” Smith warned.

Apple's application guidelines admonish developers that “you must not publicly associate a device's unique identifier with a user account.” But there's nothing stopping them from doing so. Indeed, a CBS News app transmits both the UDID and the iDevice's user-assigned name, which is often the full name of the owner. A “substantial number of applications” — including those from Amazon, Facebook and Twitter — have the ability to link UDIDs to real-world identities, Smith said.

A PDF of Smith's report is here. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.