A newly published iPhone security report reveals that a review of the “Most Popular” and “Top Free” categories on the iPhone App Store found that 68 percent of software would transmit UDIDs from devices.
UDIDs, or unique device identifiers, that iPhone apps transmit unencrypted could be used to obtain personal information.
The security report, published last week by Eric Smith, a network administrator with Bucknell University and a two-time DefCon wardriving champion, claims that UDIDs can be “readily linked to personally-identifiable information.”
Implications of UDID Transmission
Applications found to transmit the iPhone UDID include software from Amazon, Chase Bank, Target, and Sam’s Club. The CBS News application goes even further, transmitting the UDID along with the user-assigned name for the iPhone, which typically includes the owner’s real name.
For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner.
This practice raises significant privacy concerns. When UDIDs are transmitted without encryption, they can be intercepted by malicious actors who can then link the UDID to other personal information. This could potentially lead to identity theft, targeted advertising, or other privacy invasions. The fact that major applications from reputable companies are involved underscores the widespread nature of this issue.
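As an added example (not code from the report or from any of the apps named above), the following sketch shows how a developer or tester could audit requests captured from their own app on a test device for the pattern described here: a UDID-shaped value, sent in cleartext, in the same request as a name. The field names in NAME_KEYS, the hosts, and the sample capture are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Legacy iOS UDIDs are 40 hexadecimal characters.
UDID_RE = re.compile(r"[0-9a-fA-F]{40}")
# Hypothetical field names suggesting a real name or device name travels too.
NAME_KEYS = {"name", "devicename", "device_name", "username", "fullname"}

def audit_request(method, url, headers, body=""):
    """Return a finding dict if the request carries a UDID-shaped value, else None."""
    parts = urlsplit(url)
    # Look at query parameters, form-encoded body fields and headers alike.
    fields = parse_qsl(parts.query) + parse_qsl(body) + list(headers.items())
    udids = {v.lower() for _, v in fields if UDID_RE.fullmatch(v)}
    if not udids:
        return None
    names = {k: v for k, v in fields if k.lower() in NAME_KEYS}
    return {
        "host": parts.hostname,
        "udids": sorted(udids),
        "cleartext": parts.scheme == "http",  # readable by anyone on the network path
        "linked_names": names,                # identifier and identity in one request
    }

def audit_capture(requests):
    """Audit a list of (method, url, headers, body) tuples; keep only findings."""
    return [f for f in (audit_request(*r) for r in requests) if f]

# Constructed sample capture (not real traffic; hosts are placeholders).
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
CAPTURE = [
    ("GET", f"http://api.example.test/v1/start?udid={SAMPLE_UDID}&name=Jane+Doe", {}, ""),
    ("POST", "https://stats.example.test/event", {"X-Device-Id": SAMPLE_UDID}, "evt=open"),
    ("GET", "https://cdn.example.test/img.png?v=3", {}, ""),
]

if __name__ == "__main__":
    for f in audit_capture(CAPTURE):
        risk = "cleartext" if f["cleartext"] else "encrypted in transit"
        print(f["host"], risk, "names:", f["linked_names"] or "none")
```

A finding with both `cleartext` set and a non-empty `linked_names` is the worst case the report describes; a finding over HTTPS still means the receiving server can build the same link.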
Apple’s Security Measures
Apple is up front about its iOS security and requires users to approve when applications access information like GPS or the phone’s address book. However, the transmission of UDIDs falls into a gray area that users may not be fully aware of. While Apple has made strides in improving security with features like App Tracking Transparency, which requires apps to get user permission before tracking their data across apps or websites owned by other companies, the issue of UDID transmission highlights the need for even more stringent measures.
In response to these concerns, Apple has taken steps to phase out the use of UDIDs. Starting with iOS 5, Apple introduced the Identifier for Advertisers (IDFA) and Identifier for Vendors (IDFV) as alternatives to UDIDs. These identifiers are designed to provide similar functionality while offering better privacy protections. For instance, users can reset their IDFA, and it can be limited to prevent tracking across different apps.
Despite these improvements, the legacy of UDID usage still poses risks, especially for users of older devices or apps that have not been updated to comply with newer standards. It is crucial for users to stay informed about the permissions they grant to apps and to regularly update their devices and applications to benefit from the latest security enhancements.
Moreover, developers also have a role to play in safeguarding user privacy. By adhering to best practices for data security and transparency, developers can help build trust with their users and contribute to a safer digital ecosystem. This includes using secure methods for transmitting data, providing clear privacy policies, and minimizing the collection of personal information to what is strictly necessary for the app’s functionality.
In conclusion, while Apple has made significant progress in enhancing iOS security, the issue of UDID transmission serves as a reminder of the ongoing challenges in protecting user privacy. Both users and developers must remain vigilant and proactive in addressing these concerns to ensure a secure and trustworthy mobile experience.
Via Apple Insider