Latest in Apple

Image credit:

Hacker claims third-party iPhone apps can freely transmit UDID, pose serious threat to privacy

Sean Hollister
10.03.10
16 Shares
Share
Tweet
Share
Save

Sponsored Links

When Apple addressed a congressional inquiry on privacy in July, the company claimed that it couldn't actually track a particular iPhone in real time, as its transactions were anonymous and thoroughly randomized. Bucknell University network admin Eric Smith, however, theorizes that third-party application developers and advertisers may not have the same qualms, and could be linking your device to your name (and even your location) whenever they transmit data. Smith, a two-time DefCon wardriving champ, studied 57 top applications in the iTunes App Store to see what they sent out, and discovered that some fired off the iPhone's UDID and personal details in plaintext (where they can ostensibly be intercepted), including those for Amazon, Chase Bank, Target and Sam's Club, though a few were secured with SSL. Though UDIDs are routinely used by apps to store personal data and combat piracy, what Smith fears is that a database could be set up linking these UDIDs to GPS coordinates or GeoIP, giving nefarious individuals or organizations knowledge of where you are.

It's a scary idea, but before you direct hate Apple's way, it's important to note that Cupertino's not necessarily the one to blame. iOS is arguably the best at requiring users to opt-in to apps that perform GPS tracking; transmitting the UDID and account information together publicly is strictly against the rules; and we'd like to think that if users provide their personal information to an application developer in the first place, they'd understand what they're doing. Of course, not all users monitor those things closely, and plaintext transmission of personal details is obviously a big no-no.

Smith's piece opens and closes on the idea that Apple's UDID is like the unique identifier of Intel's Pentium III processor, which generated privacy concerns around the turn of the century, and we wonder if ths story might play out the same way -- following government inquiries, Intel offered a software utility that let individuals manually disable their chip's unique ID, and removed it from future CPUs.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Share
16 Shares
Share
Tweet
Share
Save

Popular on Engadget

iPad Pro leak suggests tablet photography just won’t die

iPad Pro leak suggests tablet photography just won’t die

View
Apple's latest AirPods and wireless charging case are $30 off on Amazon

Apple's latest AirPods and wireless charging case are $30 off on Amazon

View
Google Fi now offers an unlimited plan

Google Fi now offers an unlimited plan

View
Get a glimpse of SpaceX's orbital Starship prototype under construction

Get a glimpse of SpaceX's orbital Starship prototype under construction

View
MoviePass is dying, but its former leader wants to resurrect it

MoviePass is dying, but its former leader wants to resurrect it

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr