Original URL: http://www.theregister.co.uk/2010/10/04/iphone_privacy_report/

iPhone apps put user privacy at risk

Unique IDs free for the taking

By Dan Goodin

Posted in Security, 4th October 2010 21:54 GMT

A large number of applications that run on Apple's iOS collect serial numbers that uniquely identify the hardware device, according to a study that warns the practice could compromise users' privacy.

Apple bills the UDID, or Unique Device Identifier, as a tool for developers to identify iPhones, iPads, and iPod touches when remotely storing application preferences, video game high scores, and similar types of data. Although UDIDs have largely escaped the criticism of privacy advocates, they could in many respects be as troubling as the Processor Serial Number system Intel included with the Pentium 3 in 1999, until the feature was pulled following a firestorm of protest from civil libertarians.

“The iPhone's UDID is eerily similar to the Pentium 3's Processor Serial Number (PSN),” Eric Smith, assistant director of information security and networking at Bucknell University in Pennsylvania, wrote in the report.

“While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID. AS UDIDs can be readily linked to personally-identifiable information, the 'Big Brother' concerns from the Pentium 3 era should be a concern for today's iPhone users as well.”

The research paper is the latest to highlight the lack of privacy controls offered by many smartphones. The study was released the same week that separate computer scientists found that a large percentage of apps available in Google's competing Android Market reported users' phone numbers, locations, or handset device numbers to remote advertising servers without explicitly telling users this was happening.

Both platforms warn users what personal information an app they want to install can access, but neither state precisely what information is collected or how it is used.

Smith analyzed 57 apps — including those in the iTunes Store's top 25 free and top free news categories — by running them through a packet sniffer that monitored the data they sent to remote servers. Of those, 68 percent transmitted UDIDs to servers under the control of developers or advertisers, while another 18 percent sent encrypted data that could have included the unique serial number. Just 14 percent of the apps were confirmed not to send UDIDs.

What's more, a BBC News app that was analyzed included a tracking cookie that didn't expire for four years, while ABC News set a cookie that persisted for 20 years. “The existence of these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals' new phones as they upgrade to the newest iPhone model every few years,” Smith warned.

Apple's application guidelines admonish developers that “you must not publicly associate a device's unique identifier with a user account.” But there's nothing stopping them from doing so. Indeed, a CBS News app transmits both the UDID and the iDevice's user-assigned name, which is often the full name of the owner. A “substantial number of applications” — including those from Amazon, Facebook and Twitter — have the ability to link UDIDs to real-world identities, Smith said.

A PDF of Smith's report is here. ®