Some two thirds of popular Apple iPhone applications transmit users' UDIDs to remote servers, raising privacy and security concerns, a new study has warned.
Eric Smith, Assistant Director of Information Security and Networking at Bucknell University in Lewisburg, Pennsylvania, found that 68 per cent of the 57 top applications in the Apple iTunes App Store sent UDID information to a remote server owned either by the application developer or by an advertising partner.
Popular iPhone applications tested included those from Amazon, Chase Bank, Target, Sam's Club, Best Buy, Barnes & Noble, eBay, PayPal, Bank of America, Wells Fargo, Fidelity and American Express.
UDIDs, or unique device identifiers, are 40-character hexadecimal strings, each tied to one device's hardware and not resettable by its owner. That permanence is what makes them useful for tracking: the study found UDIDs being transmitted, often unencrypted, to third parties, where they can be matched against other information sent by the same phone.
Smith warned that popular applications such as those from Amazon, Facebook or Twitter inherently have the ability to tie a UDID to a real-world identity. "Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity," Smith said.
"For example, Amazon's application communicates the logged-in user's real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone's UDID with the name of the phone's owner."
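The eavesdropper scenario Smith describes is easy to reproduce. The script below is an added example, not code from the study or from any vendor: it parses a handful of constructed plaintext HTTP requests (hypothetical hosts and field names, an arbitrary 40-hex-character UDID), picks out every UDID, and then links each host that received the UDID to any real name sent alongside it by a different request. One app leaking name plus UDID is enough to de-anonymise the UDID-only traffic from every other app on the phone.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, modelled on what the study describes: plaintext
# HTTP requests from several apps on one phone, each carrying the same UDID.
# Hosts, paths and field names are hypothetical; the UDID is an arbitrary
# 40-hex-character value, not a real device's.
UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_REQUESTS = [
    # A shopping app logging in: UDID and the user's real name in one body.
    "POST /app/login HTTP/1.1\r\nHost: shop.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    f"udid={UDID}&name=Jane+Doe&session=abc123",
    # An ad network called by the same app: UDID only.
    f"GET /ad?udid={UDID}&app=shop HTTP/1.1\r\nHost: ads.example.net\r\n\r\n",
    # An analytics beacon from an unrelated app: UDID in a custom header.
    f"GET /track HTTP/1.1\r\nHost: analytics.example.org\r\nX-Device-Id: {UDID}\r\n\r\n",
    # A request with no identifier at all, for contrast.
    "GET /weather?zip=17837 HTTP/1.1\r\nHost: weather.example.com\r\n\r\n",
]

UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
IDENTITY_KEYS = {"name", "email", "username", "phone"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def identity_fields(target, body):
    """Collect form or query parameters that name the user."""
    params = parse_qs(urlsplit(target).query)
    params.update(parse_qs(body))
    return {k: v[0] for k, v in params.items() if k.lower() in IDENTITY_KEYS}


def analyze(requests):
    """Return one finding per request that carries a UDID anywhere in it."""
    findings = []
    for raw in requests:
        method, target, headers, body = parse_request(raw)
        searchable = " ".join([target, body, *headers.values()])
        udids = {u.lower() for u in UDID_RE.findall(searchable)}
        if not udids:
            continue
        findings.append({
            "host": headers.get("host", "?"),
            "udids": udids,
            "identity": identity_fields(target, body),
        })
    return findings


def correlate(findings):
    """Link every host that saw a UDID to any identity sent with that UDID by any request."""
    profile = {}
    for finding in findings:
        for udid in finding["udids"]:
            entry = profile.setdefault(udid, {"hosts": set(), "identity": {}})
            entry["hosts"].add(finding["host"])
            entry["identity"].update(finding["identity"])
    return profile


if __name__ == "__main__":
    for udid, entry in correlate(analyze(SAMPLE_REQUESTS)).items():
        print(udid, sorted(entry["hosts"]), entry["identity"])
```

Run against the sample, the ad network and the analytics host never received a name, yet the profile ties their UDID to "Jane Doe" because the shopping app sent both in one plaintext body. Nothing here needs the app's cooperation; any party on the network path (or any of the three servers pooling logs) can do the same.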

Smith noted in conclusion: "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location to be collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies."
"Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information."
Apple's mobile platform is not alone in being open to potential abuse. Researchers at Duke University, Pennsylvania State University and Intel Labs found only last week that many applications on Google's rival Android platform were sending information, such as users' GPS location and phone numbers, without the knowledge or permission of the user.
The full study: 'iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)' is available as a PDF.
Eric Smith, author of the study, is a founding member of PreSet Kill Limit, the security research group which has won the Defcon Wardriving hacking contest several years in a row.


Comments received
Gee4orce said on Tue, 05 Oct 2010
Stop the madness.
There is no inherent security risk in transmitting a UDID - the entire reason for it to exist is to enable unique identification of a specific device. Many, many applications have completely legitimate reasons for transmitting this information, as it's the only guaranteed way to identify a particular device.
Adding encryption to an iPhone app means that it has to go through much more stringent approval testing and export compliance legislation, and in fact will not be allowed to be made available in certain territories at all.
Oblivion said on Tue, 05 Oct 2010
Passing the UDID by itself is not a crime, as long as the app does not transmit both the UDID and the Account Info at the same time.
From Apple's Official SDK, UIDevice Class:
uniqueIdentifier
An alphanumeric string unique to each device based on various hardware details. (read-only)
...
A device's unique identifier (sometimes abbreviated as UDID for Unique Device Identifier)
...
You may use the UDID, in conjunction with an application-specific user ID, for identifying application-specific data on your server. For example, you could use a device-user combination ID to control access to registered products or when storing high scores for a game in a central server.
...
Important: Never store user information based solely on the UDID. Always use a combination of UDID and application-specific user ID. A combined ID ensures that if a user passes a device on to another user, the new user will not have access to the original user’s data.
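The hand-off case the documentation quoted above warns about, worked through as an added example (not Apple's code, not code from the study, and not from either commenter): a store keyed solely on the UDID beside one keyed on the device-plus-user combination the documentation recommends. It goes one step beyond the documentation's text by deriving the stored key with an HMAC under an app-specific secret, so the raw UDID never sits in the server's records; the secret and the UDID value are constructed for the example.

```python
import hashlib
import hmac

# Hypothetical app-specific secret, held only on the server (an assumption; the
# documentation does not prescribe one). The UDID is a constructed example value.
APP_SECRET = b"constructed-app-secret-do-not-reuse"
UDID = "0123456789abcdef0123456789abcdef01234567"


def storage_key(udid, app_user_id):
    """Server-side record key from the device UDID plus the app's own user ID.

    Combining the two is what the UIDevice documentation recommends. Passing
    them through an HMAC under an app-specific secret goes one step further:
    the stored key is opaque, so a breached or shared data set does not expose
    the raw UDID that other vendors and ad networks also hold for this device.
    """
    message = udid.lower().encode() + b"\x00" + app_user_id.encode()
    return hmac.new(APP_SECRET, message, hashlib.sha256).hexdigest()


class NaiveScoreStore:
    """Keyed solely on the UDID: whoever holds the device sees the old owner's data."""

    def __init__(self):
        self._records = {}

    def save(self, udid, _user_id, score):
        self._records[udid] = score

    def load(self, udid, _user_id):
        return self._records.get(udid)


class ScoreStore:
    """Keyed on the derived device+user key, as the documentation advises."""

    def __init__(self):
        self._records = {}

    def save(self, udid, user_id, score):
        self._records[storage_key(udid, user_id)] = score

    def load(self, udid, user_id):
        return self._records.get(storage_key(udid, user_id))

    def holds_raw_udid(self, udid):
        """True if the raw UDID appears in any stored key (it should not)."""
        return any(udid.lower() in key for key in self._records)


def handoff_demo(store_class):
    """Alice saves a score, then hands the phone to Bob, who signs in with his own ID."""
    store = store_class()
    store.save(UDID, "alice", 9001)
    return store.load(UDID, "bob")


if __name__ == "__main__":
    print("naive store shows Bob:", handoff_demo(NaiveScoreStore))   # 9001
    print("combined-key store shows Bob:", handoff_demo(ScoreStore))  # None
```

With the naive store, Bob inherits Alice's record the moment he picks up her phone; with the combined key he sees nothing, and Alice's record is only reachable by someone who has both her user ID and the device. Lower-casing the UDID before hashing keeps the key stable whichever case the client reports it in.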
Disclaimer
Opinions expressed here are those of the writers and do not reflect those of Macworld. Macworld accepts no responsibility legal or otherwise for their accuracy of content.