Your iPhone Apps are Watching You

You've probably never asked the question, "What is an Apple UDID?" This acronym stands for Unique Device IDentifier, and every iOS device has one. The UDID itself is a 40-character string including numbers and letters that is unique to your iPhone hardware. Apple sets standards for how the UDID should be used by application developers to protect user privacy.


A new study by Bucknell University security researcher Eric Smith has found that third-party app developers may not be following the rules. Some apps send private data such as your name and location from your iPhone in plain text along with the UDID. Others secure the transmission with SSL, but this also means that what those apps send to external servers cannot be determined.

Looking at 57 of the top apps in the Apple App Store, Smith found that 68 percent of the apps sent out the UDID, often when first launched. Apps including Target, Amazon, Sam's Club and Chase Bank all sent UDIDs in plain text. The CBS News app sends the UDID along with the user-defined iPhone name that pops up in iTunes. In another example, Amazon sends the logged-in user's name along with the UDID in plain text communications from the iPhone.
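To show the kind of check behind those numbers, here is a small Python audit added as an illustration; it is not code from Smith's study or from the article. It runs over constructed sample request URLs (the hosts, paths and values are made up) and flags any request that carries a 40-character hex string, the UDID format, over plain HTTP, together with the personal-data query keys sent beside it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests resembling what a traffic capture of iOS apps
# might show. Hosts, paths and values are made up for this example.
SAMPLE_REQUESTS = [
    "http://api.example-shop.test/track?udid=0123456789abcdef0123456789abcdef01234567&user=Jane%20Doe",
    "http://news.example.test/start?device=0123456789abcdef0123456789abcdef01234567&name=Jane%27s%20iPhone",
    "https://api.example-bank.test/login?udid=0123456789abcdef0123456789abcdef01234567",
    "http://weather.example.test/forecast?zip=19837",
]

# An iOS UDID is a 40-character hexadecimal string.
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
# Query keys that carry personal data when sent alongside a device identifier.
PII_KEYS = {"user", "name", "email", "lat", "lon", "location"}


def audit_request(url):
    """Classify one captured request URL.

    Returns the host, whether a UDID-shaped token is present, whether the
    request went over cleartext HTTP, and the PII query keys seen with it.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    has_udid = bool(UDID_RE.search(url))
    pii = sorted(k for k in query if k.lower() in PII_KEYS) if has_udid else []
    return {
        "host": parts.hostname,
        "has_udid": has_udid,
        "cleartext": parts.scheme == "http",
        "pii_with_udid": pii,
    }


def summarize(urls):
    """Headline numbers in the style of the study: how many requests send the
    UDID at all, how many do so in the clear, and which personal data rides along."""
    results = [audit_request(u) for u in urls]
    sending = [r for r in results if r["has_udid"]]
    clear = [r for r in sending if r["cleartext"]]
    return {
        "total": len(results),
        "send_udid": len(sending),
        "send_udid_cleartext": len(clear),
        "cleartext_hosts": sorted(r["host"] for r in clear),
        "pii_leaks": {r["host"]: r["pii_with_udid"] for r in clear if r["pii_with_udid"]},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REQUESTS))
```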

Smith also brought attention to tracking cookies dropped by apps such as BBC News and ABC News that don't expire for years. He explains that “The existence of these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals' new phones as they upgrade to the newest iPhone model every few years.”

Writing about iPhone users, Smith states that “It would be feasible — and technically, quite simple — for their browsing patterns, app usage, and physical location collected and sold.” Smith likens the UDID to Intel's attempt to give each Pentium III processor a unique ID. That effort was widely criticized by privacy advocates and general users alike; Intel later offered users software to disable the feature and scrapped the program.

Apple provides options to give permission to specific apps when it comes to features such as Push Notifications and Location Services. Users can turn off GPS in third-party apps. The UDID cannot be switched off in the same manner. Some excerpts from Apple's iOS Reference Library:

uniqueIdentifier
An alphanumeric string unique to each device based on various hardware details. (read-only)

For user security and privacy, you must not publicly associate a device’s unique identifier with a user account.

Important: Never store user information based solely on the UDID. Always use a combination of UDID and application-specific user ID. A combined ID ensures that if a user passes a device on to another user, the new user will not have access to the original user’s data.