[Infowarrior] - iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone UDIDs

Richard Forno rforno at infowarrior.org
Sun Oct 3 13:28:13 CDT 2010


iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)

by Eric on Sep.30, 2010, under Group News, Presentations, Security

http://www.pskl.us/wp/?p=476

Executive Summary

In 1999, Intel released its newest CPU — the Pentium 3.  Each processor included a unique serial number, visible to any software installed on the system.  A product backlash quickly developed as privacy rights groups realized that this serial number could be used to track users’ online behavior.  The industry, along with trade groups and governments, blasted this new feature; many governments went as far as proposing legislation to ban the use of Pentium 3 CPUs.  Following the outcry, Intel quickly removed the serial number feature from their processor line, never to be re-introduced.

Fast forward a decade to the introduction of Apple’s iPhone platform.  Much like the Pentium 3, devices running Apple’s iPhone operating system (iOS), including iPhones, iPads, and iPod touches, carry a software-readable serial number: a “Unique Device Identifier,” or UDID, a 40-character hexadecimal string that any installed app can read through a public API.  To determine whether the privacy fears surrounding the Pentium 3 have materialized on the iPhone platform, we studied a number of iPhone apps from the “Most Popular” and “Top Free” categories in Apple’s App Store.  For these applications, we collected and analyzed the data transmitted between the installed applications and remote servers using several open source tools.  We found that 68% of these applications transmitted the UDID to servers under the application vendor’s control each time the application was launched.  A further 18% of the applications tested encrypted their communications, so it was not clear what data was being shared.  Only 14% of the tested applications appear to be clean.  We also confirmed that some applications are able to link the UDID to a real-world identity.
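The check the study describes, scanning captured app traffic for the test device's UDID and sorting apps into the three buckets above, can be scripted.  The block below is an added example written for this post; it is not the tooling used in the report.  It assumes only that the UDID is a 40-character hex string known to the tester; the device UDID, host names and captured request records are all constructed, and the verdict names (plain, md5, sha1, sha256, encrypted, clean) are this example's own.  It also flags the case the last sentence raises, a UDID sent in the same request as an e-mail address, and treats hashed UDIDs as leaks, since anyone who knows the UDID can recompute the digest.

```python
"""Scan captured iOS app traffic for a device's UDID (added example, not the report's tools)."""
import hashlib
import re
from urllib.parse import unquote_plus

# Constructed 40-hex-character UDID for the device under test; hypothetical, not a real device.
DEVICE_UDID = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"

EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")


def udid_fingerprints(udid):
    """The raw UDID plus one-way transforms apps sometimes send instead of the raw value.

    Hashing does not anonymize: the tester (or an ad network) who knows the UDID
    recomputes the same digest and matches it."""
    raw = udid.lower().encode()
    return {
        "plain": udid.lower(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def rank(verdict):
    """Ordering used when one host is seen in several requests: any UDID sighting wins."""
    return 2 if verdict.startswith("udid:") else (1 if verdict == "encrypted" else 0)


def classify_request(req, fingerprints):
    """Classify one captured request: 'encrypted', 'clean', or 'udid:<form>[+email]'."""
    if req["tls"]:
        # Payload is not visible on the wire without interception; undetermined.
        return "encrypted"
    # Flatten everything the app put on the wire (URL, headers, body), URL-decoded
    # so a percent-encoded e-mail address is still recognized.
    wire = unquote_plus(" ".join(
        [req["url"]]
        + [f"{k}: {v}" for k, v in req["headers"].items()]
        + [req["body"]]
    )).lower()
    for form, value in fingerprints.items():
        if value in wire:
            verdict = f"udid:{form}"
            if EMAIL_RE.search(wire):
                verdict += "+email"  # UDID travels with an identity-linking field
            return verdict
    return "clean"


def summarize(requests, udid=DEVICE_UDID):
    """Per-host verdicts plus the three headline buckets the report uses."""
    fps = udid_fingerprints(udid)
    per_host = {}
    for req in requests:
        verdict = classify_request(req, fps)
        prev = per_host.get(req["host"])
        if prev is None or rank(verdict) > rank(prev):
            per_host[req["host"]] = verdict
    buckets = {"transmits_udid": 0, "encrypted": 0, "clean": 0}
    for v in per_host.values():
        buckets["transmits_udid" if v.startswith("udid:") else v] += 1
    return per_host, buckets


# Constructed capture: five apps, one request each (hosts are hypothetical).
SAMPLE_REQUESTS = [
    {"host": "ads.example-adnet.test", "tls": False,
     "url": f"/track?app=game1&udid={DEVICE_UDID}&event=launch",
     "headers": {"User-Agent": "Game1/2.0 CFNetwork/485.2"}, "body": ""},
    {"host": "api.example-social.test", "tls": False, "url": "/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": f"email=alice%40example.test&device={DEVICE_UDID}"},
    {"host": "stats.example-news.test", "tls": False, "url": "/ping",
     "headers": {"X-Device-Hash": hashlib.sha1(DEVICE_UDID.encode()).hexdigest()},
     "body": ""},
    {"host": "secure.example-bank.test", "tls": True, "url": "/", "headers": {}, "body": ""},
    {"host": "cdn.example-weather.test", "tls": False, "url": "/forecast?zip=02139",
     "headers": {"User-Agent": "Weather/1.3"}, "body": ""},
]

if __name__ == "__main__":
    hosts, totals = summarize(SAMPLE_REQUESTS)
    for host, verdict in hosts.items():
        print(f"{host:28} {verdict}")
    print(totals)  # {'transmits_udid': 3, 'encrypted': 1, 'clean': 1}
```

In practice the request records come from a proxy or packet capture on the test device's network; the hashed-UDID match is the part worth keeping, because a vendor claiming to send "only a hash" is still sending a stable, device-linked identifier.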

The iPhone’s UDID is eerily similar to the Pentium 3’s Processor Serial Number (PSN).  While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID.  As UDIDs can be readily linked to personally-identifiable information, the “Big Brother” concerns from the Pentium 3 era should be a concern for today’s iPhone users as well.

The full report is available here:  iPhone-Applications-Privacy-Issues.pdf.

