Exploits & Vulnerabilities
UDID Primer: Breaking down Apple’s leaky situation
When news broke last week that one million Apple UDIDs had been stolen by hacktivists, users panicked: What is a UDID? How did personally identifiable info get leaked along with the UDIDs? How can I protect my personally identifiable information?
What is a UDID?
On its own, the UDID is just a glorified unique serial number for all iPhones, iPads and iPod Touches, consisting of a long string of numbers and letters. As such, it’s virtually useless to a hacker and no privacy or security threat to a user. It has, until recently, been freely available to developers – collected without permission from the user – and lets the developer and their partner ad networks track the installed app base and monitor usage, with a view to targeting ads or enhancing the user experience.
How is personally identifiable information linked to UDIDs?
In collecting UDIDs, many Apple developers end up storing the anonymous UDID alphanumeric code in databases alongside the device owner’s personally identifiable information, which the developer also obtained through the app. That’s how app developer BlueToad ended up with a large database of UDIDs and information such as user names, personal mailing addresses and phone numbers that was ultimately stolen and falsely positioned by hackers as an “FBI leak.” Once tied to this additional personal information, UDIDs could provide cyber criminals with a trove of details to use for defrauding or scamming individuals, or to help provide clues to cracking other, more valuable, user accounts.
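The linkage problem described above comes down to a schema choice on the developer's side. The following is an added example, not code from the article, BlueToad or Apple, and all records in it are constructed sample data. It shows why two leaked tables keyed on the same raw device identifier merge into a richer profile, and a hypothetical hardened data model that keeps a per-app pseudonym (an HMAC under a secret stored outside the database) instead of the raw identifier, with PII held in a separate table keyed only by a random account token. The function and class names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: made-up identifiers and people, not real UDIDs.
RAW_DEVICE_ID = "0123456789abcdef0123456789abcdef01234567"
LEAK_FROM_APP_A = [
    {"udid": RAW_DEVICE_ID, "name": "A. User", "email": "a.user@example.com"},
    {"udid": "fedcba9876543210fedcba9876543210fedcba98", "name": "B. User", "email": "b.user@example.com"},
]
LEAK_FROM_APP_B = [
    {"udid": RAW_DEVICE_ID, "phone": "+1-555-0100", "address": "1 Example St"},
]


def linkable_records(table_a, table_b, key="udid"):
    """Audit helper: records in table_a that can be matched to table_b purely
    by sharing the same identifier column. With a raw-UDID schema this is the
    cross-database profile merge the article warns about."""
    keys_b = {row[key] for row in table_b}
    return [row for row in table_a if row[key] in keys_b]


def pseudonymize(raw_id: str, app_secret: bytes) -> str:
    """Replace the raw hardware identifier with an app-scoped pseudonym:
    HMAC-SHA256 of the identifier under a secret kept outside the user DB.
    Stable within one app (usage tracking still works), but two apps with
    different secrets produce unrelated values for the same device."""
    return hmac.new(app_secret, raw_id.encode("utf-8"), hashlib.sha256).hexdigest()


class HardenedStore:
    """Hypothetical hardened data model (assumption, not a real product):
      - devices:  pseudonym -> random account token
      - profiles: account token -> PII
    A leak of either table alone exposes neither the raw UDID nor a
    UDID-to-PII link; the secret never sits in the database."""

    def __init__(self, app_secret: bytes):
        self._secret = app_secret
        self.devices = {}
        self.profiles = {}

    def register(self, raw_id: str, pii: dict) -> str:
        pseudonym = pseudonymize(raw_id, self._secret)
        token = self.devices.setdefault(pseudonym, secrets.token_hex(16))
        self.profiles[token] = dict(pii)
        return token

    def lookup(self, raw_id: str):
        token = self.devices.get(pseudonymize(raw_id, self._secret))
        return self.profiles.get(token) if token else None


def demo():
    # 1. Raw-UDID schema: the two constructed leaks join on the shared key.
    merged = linkable_records(LEAK_FROM_APP_A, LEAK_FROM_APP_B)

    # 2. Hardened schema in two independent apps, each with its own secret.
    store_a = HardenedStore(secrets.token_bytes(32))
    store_b = HardenedStore(secrets.token_bytes(32))
    store_a.register(RAW_DEVICE_ID, {"name": "A. User", "email": "a.user@example.com"})
    store_b.register(RAW_DEVICE_ID, {"phone": "+1-555-0100", "address": "1 Example St"})

    # Device tables keyed on per-app pseudonyms share no key, so they cannot be joined.
    cross_app = set(store_a.devices) & set(store_b.devices)
    raw_id_stored = RAW_DEVICE_ID in (str(store_a.devices) + str(store_a.profiles))
    return {
        "raw_schema_linkable": len(merged),
        "hardened_cross_app_links": len(cross_app),
        "raw_id_in_any_table": raw_id_stored,
        "app_still_works": store_a.lookup(RAW_DEVICE_ID)["email"],
    }


if __name__ == "__main__":
    print(demo())
```

The pseudonym is deliberately deterministic per app so the developer keeps the install-tracking use the article describes, while a leaked table cannot be joined against another developer's leak or resolved back to the device. The caveat is that the HMAC secret is now the crown jewel: if it leaks together with the table, an attacker holding candidate device identifiers can recompute pseudonyms, so it belongs in a key vault with its own access controls, not in application config next to the database.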
How can I protect myself from this type of risk?
The bad news is that there is no way to tell who has accessed your UDID and also no way of preventing it from falling into the wrong hands. In the complex Apple ecosystem of iOS developers, publishers, ad networks and other third parties, your UDID has probably been shared with more outside entities than you would be comfortable with, especially if you’re an app addict. On its own, this is no great issue – the real problem is the number of databases compiled by developers that tie this unique device identifier to your personal information. You can try to limit the amount of information you release to developers by being alert, reading the small print before installing apps and double checking which permissions each app requests. However, in many cases the information is already out there and, if a determined hacker knows where to look, it can end up in the wrong hands.
The good news is that Apple’s strict App Store approval team has begun to reject new apps that request UDIDs and, with the iOS 6 operating system introduced yesterday, a new set of APIs will replace UDIDs, as a first step towards Apple banning the numbers altogether in the very near future.
For those affected and those concerned with UDID use, the main issue is that UDIDs still exist for the time being, as do the vast databases of information held by third party developers. At this point, the only way to change your identifier and start again is by buying a new phone, and by being more selective about what information you share with your apps.