Feeds

iPhone apps put user privacy at risk

Unique IDs free for the taking

The Essential Guide to IT Transformation

A large number of applications that run on Apple's iOS collect serial numbers that uniquely identify the hardware device, according to a study that warns the practice could compromise users' privacy.

Apple bills the UDID, or Unique Device Identifier, as a tool for developers to identify iPhones, iPads, and iPod touches when remotely storing application preferences, video game high scores, and similar types of data. Although UDIDs have largely escaped the criticism of privacy advocates, they could in many respects be as troubling as the Processor Serial Number system Intel included with the Pentium 3 in 1999, until the feature was pulled following a firestorm of protest from civil libertarians.

“The iPhone's UDID is eerily similar to the Pentium 3's Processor Serial Number (PSN),” Eric Smith, assistant director of information security and networking at Bucknell University in Pennsylvania, wrote in the report.

“While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID. AS UDIDs can be readily linked to personally-identifiable information, the 'Big Brother' concerns from the Pentium 3 era should be a concern for today's iPhone users as well.”

The research paper is the latest to highlight the lack of privacy controls offered by many smartphones. The study was released the same week that separate computer scientists found that a large percentage of apps available in Google's competing Android Market reported users' phone numbers, locations, or handset device numbers to remote advertising servers without explicitly telling users this was happening.

Both platforms warn users what personal information an app they want to install can access, but neither state precisely what information is collected or how it is used.

Smith analyzed 57 apps — including those in the iTunes Store's top 25 free and top free news categories — by running them through a packet sniffer that monitored the data they sent to remote servers. Of those, 68 percent transmitted UDIDs to servers under the control of developers or advertisers, while another 18 percent sent encrypted data that could have included the unique serial number. Just 14 percent of the apps were confirmed not to send UDIDs.

What's more, a BBC News app that was analyzed included a tracking cookie that didn't expire for four years, while ABC News set a cookie that persisted for 20 years. “The existence of these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals' new phones as they upgrade to the newest iPhone model every few years,” Smith warned.

Apple's application guidelines admonish developers that “you must not publicly associate a device's unique identifier with a user account.” But there's nothing stopping them from doing so. Indeed, a CBS News app transmits both the UDID and the iDevice's user-assigned name, which is often the full name of the owner. A “substantial number of applications” — including those from Amazon, Facebook and Twitter — have the ability to link UDIDs to real-world identities, Smith said.

A PDF of Smith's report is here. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.