Skip to main content

Researcher: iPad, iPhone IDs can give away identities

  • Researcher says iPhone, iPad ID numbers can give away the user's identity
  • Some apps on the devices can link unique identification numbers to Facebook pages
  • Apple tells programmers not to associate device IDs with any account info

(Wired) -- The unique string of numbers and letters assigned to your iPhone can potentially expose your real-life identity.

Security researcher Aldo Cortesi last week published his discovery of a flaw in the unique device identifier (UDID) stored on each iPhone, iPad and iPod Touch.

While this device identifier is well-known, it's not supposed to be connected to a person's actual identity. But Cortesi discovered that some apps can link the identifier to the phone owner's Facebook profile, which effectively puts a face behind that string of numbers and letters.

"It's like a permanent, unalterable tracking cookie that can't be changed and that the user is not aware of," Cortesi told "The UDID idea has got such deep flaws because it literally identifies the device."

Apple and iOS app programmers use the 40-character string of letters and numbers as a method to identify each device uniquely, and presumably anonymously. The UDID is permanently tagged to the device, and it can't be erased or changed.

By itself, the UDID doesn't expose personal data, but to the extent that it's tied to other information about the phone's user, it can function like a permanent, ineradicable "evercookie." In theory, that could allow advertisers or other parties to track a wide variety of your activities through your smartphone. Whether that constitutes a privacy invasion, an annoyance or a convenience depends on your perspective. Early concerns over Web cookies, for example, have faded as the business community has standardized privacy protocols, including allowing users to easily identify sites that use them, and to opt out if they so choose.

This identifier is at the center of criticism amid growing concerns about smartphone privacy. The Wall Street Journal last year conducted independent tests and found that out of 101 apps, 56 transmitted the device's UDID to other companies without user awareness or consent.

In reaction to WSJ's investigation, some customers in Aprilfiled a lawsuit against Apple and a handful of app makers, alleging that they invaded user privacy by accessing customer information without permission and sharing it with third-party advertisers. They argued that the UDID could be virtually stapled to other information, such as age and location, to personally identify a customer, and that advertisers can create profiles to track each customer for marketing purposes.

"They're permanent Social Security numbers in your phone that are freely transmitted and can't change," said Justin Brookman, director of the Center for Democracy and Technology's consumer privacy project.

Cortesi said that Apple's UDID methodology is problematic because of the way it is designed. To track how apps transmit UDIDs, Cortesi created a tool called Mitmproxy.

In April, he found that OpenFeint, a gaming network integrated inside some apps to link players together, was transmitting UDID attached to personally identifiable information in some instances. When customers used their Facebook accounts to log in to OpenFeint, the game was transmitting UDID attached to the customer's Facebook ID, picture and occasionally GPS coordinates, he said.

OpenFeint claims to have 75 million registered gamers. Popular games that integrate OpenFeint include TinyWings, Pocket God, Robot Unicorn Attack and Fruit Ninja.

OpenFeint fixed the flaw after Cortesi notified the company. However, Cortesi explained that the issue is not isolated to the gaming network.

Apple explicitly tells iOS programmers that they "must not publicly associate a device's unique identifier with a user account" to ensure privacy. However, the fact that a network as big as OpenFeint managed to link UDIDs to Facebook accounts means that there are probably other apps linking UDIDs to personal data that have slipped past Apple's radar.

"By designing an API to expose UDIDs and encouraging developers to use it, Apple has ensured that there are literally thousands of databases linking UDIDs to sensitive user information on the net," Cortesi said.

Other than concerns about trading customer data with advertisers, an additional possibility is that app makers can peek at what a specific person is doing inside their apps, using analytics tools such as Flurry, Cortesi said.

Apple did not return a request for comment.

Charlie Miller, a security researcher who specializes in hacking smartphones, told that the security issue raised by Cortesi is not a huge concern, but it does highlight some issues with the UDID. He said that a more secure design would be to have each app randomly generate a unique identifier for each device, so that a programmer can only track information relevant to his or her app.

However, Miller added that the erosion of privacy is inevitable in the always-connected age, and we have to sacrifice some privacy in exchange for app-powered services.

"The bottom line is traditional privacy has gone out the window with smartphones," Miller said. "You're carrying around always-on GPS-enabled, internet-enabled devices. You're downloading and running applications that are designed to share your thoughts and photos. [Cortesi] points out some things Apple could have done better to help protect your privacy, but basically, you voluntarily give up some of your privacy in order to use these apps and devices."

Subscribe to WIRED magazine for less than $1 an issue and get a FREE GIFT! Click here!

Copyright 2011


Most popular Tech stories right now