Some two thirds of popular Apple iPhone applications transmit users' UDIDs, leading to potential security concerns, a new study has warned.
Eric Smith, Assistant Director of Information Security and Networking at Bucknell University in Lewisburg, Pennsylvania, discovered 68 percent of the 57 top applications in the Apple iTunes App Store sent out UDID information, back to a remote server, owned either by the application developer or an advertising partner.
Popular iPhone applications tested included those from Amazon, Chase Bank, Target, Sams Club, Best Buy, Barnes & Noble, eBay, PayPal, Bank of America, Wells Fargo, Fidelity and America Express.
UDIDs, or unique device identifiers, are a 40-digit sequence of letters and numbers, and can be used to identify users and transmit sensitive information, unencrypted and to third parties.
Smith warned, popular applications such as those from Amazon, Facebook or Twitter, inherently have the ability to tie a UDID to a real-world identity. "Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity," Smith said.
"For example, Amazon's application communicates the logged-in user's real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone's UDID with the name of the phone's owner."
Smith noted in conclusion: "Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible - and technically, quite simple - for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies."
"Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information."
Apple's mobile platform is not alone in being open to potential abuse. Researchers at Duke University, Pennsylvania State University and Intel Labs discovered only last week that many applications on Google's rival Android platform were sending information, such as users GPS location and phone numbers, without the knowledge or permission of the user.
The full study: 'iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)' is available as a PDF.
Eric Smith, author of the study, is a founding member of PreSet Kill Limit, the security research group which has won the Defcon Wardriving hacking contest several years in a row.