We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Privacy fears as most iPhone apps transmit UDIDs

Poses serious threat to privacy warns network admin

Some two thirds of popular Apple iPhone applications transmit users' UDIDs, leading to potential security concerns, a new study has warned.

Eric Smith, Assistant Director of Information Security and Networking at Bucknell University in Lewisburg, Pennsylvania, discovered 68 percent of the 57 top applications in the Apple iTunes App Store sent out UDID information, back to a remote server, owned either by the application developer or an advertising partner.

Popular iPhone applications tested included those from Amazon, Chase Bank, Target, Sams Club, Best Buy, Barnes & Noble, eBay, PayPal, Bank of America, Wells Fargo, Fidelity and America Express.

UDIDs, or unique device identifiers, are a 40-digit sequence of letters and numbers, and can be used to identify users and transmit sensitive information, unencrypted and to third parties.

Smith warned, popular applications such as those from Amazon, Facebook or Twitter, inherently have the ability to tie a UDID to a real-world identity. "Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity," Smith said.

"For example, Amazon's application communicates the logged-in user's real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone's UDID with the name of the phone's owner."

Apple iPhone 4

Smith noted in conclusion: "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies."

"Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information."

Apple's mobile platform is not alone in being open to potential abuse. Researchers at Duke University, Pennsylvania State University and Intel Labs discovered only last week that many applications on Google's rival Android platform were sending information, such as users GPS location and phone numbers, without the knowledge or permission of the user.

The full study: 'iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)' is available as a PDF.

Eric Smith, author of the study, is a founding member of PreSet Kill Limit, the security research group which has won the Defcon Wardriving hacking contest several years in a row.


IDG UK Sites

Sony Xperia Z3 Compact review: A better deal than the Z3 and most smartphones

IDG UK Sites

Why people aren't upgrading to iOS 8: new features are for power users, not the average Joe

IDG UK Sites

Framestore recreates ancient China for Mr Bean's martial arts misadventure

IDG UK Sites

iPad Air 2 review: Insanely fast and alarmingly thin. Speed tests, camera tests and more