What Is A UDID And Why Is Apple Killing Apps That Track Them? [Feature]


This unique string of alphanumeric text attached to every iPhone and iPad is the source of a lot of privacy concerns.

Many of us feel a deep personal connection with our iPhones, and small wonder: the average person’s smartphone knows more about them than their spouse or significant other. Our iPhones hold our contacts, photos, videos, music, banking data, texts, emails, voicemails, web logins, apps and more. We use our phones to pay our bills, send texts to our girlfriends, check-in to our favorite club, play games with friends, and much more besides.

That makes our iOS devices a juicy target for tracking, and what most people aren’t aware of is that, historically, Apple has made it very easy for anyone to tell what you do with your iPhone. The mechanism is called a Unique Device Identifier, or UDID. Every iOS device has one, and using it, third parties have been able to put together vast databases tracking almost everything you do with your iPhone, iPod touch or iPad.

The good news for privacy advocates is that the days of UDID are numbered. Following the recent stink the U.S. Congress raised over how iOS apps handle a user’s personal information without permission, Apple has given an ultimatum to third-party App Store developers: either stop tracking UDIDs or get kicked out of the App Store. Now ad networks and developers are scrambling to agree on a way to track your device in the future.

But are these replacements any good, or do they pose even bigger privacy concerns than UDIDs did?

If You’re Not Paying For The Product, You Are The Product!

The first thing to understand is that not all tracking — or even most — is insidious. A lot of the best things we take for granted about our iPhones and iPads, like free apps, are paid for by tracking.

There’s a saying in the privacy community: “If you’re not paying for the product, you are the product!” It’s truer on the App Store than anywhere. If you’re not paying for an app, you are usually selling yourself (with or without your knowledge) to an ad network, which will use your UDID to track and target you.

In the same way Facebook makes money by serving targeted ads to you based on what you like, mobile apps sell your finger taps so that ad networks can serve you targeted ads that complement your tastes. The idea itself is not a matter of breaching your privacy, because you agree to use this stuff. Money has to be made somehow.

Online and mobile advertising has gotten exponentially more relevant for the end user over the last decade. Companies can learn what you like and tailor ads to your preferences. That’s usually a good thing for most people.

The problem is that UDID has the potential to be misused.

Your UDID As A Social Security Number

Up until now, advertisers and developers using iOS as a platform have had it great. Using UDID, they could follow your activity across multiple apps and put together a pattern of behavior which they could then sell to third parties or use to show you more targeted in-app ads that you’d be more likely to tap on. UDIDs make this easy because a UDID is a value uniquely associated with just one device, and it cannot be erased, duplicated or obscured.

So here’s the chain. The developer behind an app sells your UDID to an advertising network, which stores it on its servers. The more devs sell your UDID to that same ad network, the more that ad network knows about you, and the better it can serve you ads on that specific device. These ad networks can then sell their databases to other ad companies, who can put together a pretty complete picture using their combined UDID databases of what you use that iPhone for.

In other words, UDID is like a social security number. We give our social security number to companies all the time. In isolation, a company having your social security number is not necessarily a bad thing. But the problem with a social security number is that if it is leaked out into the world for whatever reason, people you never meant to have it can use it to dig up your medical records, credit card number, home street address and more.



Why Is Everyone Worried About UDIDs Now?

Apple has been allowing devs and ad networks to track UDIDs for years. Why the sudden backlash now?

For iOS app privacy concerns, the straw that broke the camel’s back was Path, a social networking app for the iPhone that was uploading a user’s iPhone address book and storing it on its private servers without permission. Nothing nefarious was being done with the data — and, in fact, uploading address book contents to third-party servers is a common occurrence — but the news hit at the perfect time to raise a stink about mobile app privacy in general.

The controversy surrounding Path had nothing at all to do with UDIDs, but it was so well publicized that people started wanting to know how much our apps know about us and what they do with that information. We all want our information, like an address book, to be protected. Although we constantly share everything we do online, there’s still a desire to have at least a semi-private life in a digital world.

Following severe criticism of Apple’s iOS privacy measures from the media, members of the U.S. Congress sent letters to Apple and App Store developers asking how apps collect and manage their users’ personal information. Apple eventually responded, saying that it was working on a new way for everyone to opt into sharing personal data with apps in the future.

That response got to the core of the issue. The problem isn’t that we’re being tracked and sharing our information with the apps we use, it’s that there’s no universal way in iOS to let us decide what and how much to share. The industry has been moving so rapidly that we are just now starting to feel the backlash of privacy concerns that should have been addressed back in 2007.

Even before Path, Apple saw the writing on the wall. They realized that users weren’t going to remain ignorant of how iOS apps treat their data for very long.

Last August, developers were notified by Apple that the UDID was going to be deprecated and that they should start moving their apps to support the “Core Foundation Universally Unique Identifier” (CFUUID) as a more secure replacement for the UDID.

Why CFUUID Doesn’t Replace UDID

There’s only one problem: the CFUUID function isn’t a unique identifier in the same way as the UDID. In fact, it can be shared across multiple devices just by backing up, say, your iPhone and restoring that backup to your iPad. That means it’s possible to have multiple devices with the same CFUUID. And that’s a big problem for developers and ad networks.
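The two behaviours described so far, cross-app linking through a fixed UDID and a stored UUID following a backup onto a second device, can be seen in a small Python model. This is an added illustration, not code from the article, Apple or any ad network; the `Device` class, the app names and the UDID strings are constructed, and it assumes each app generates its UUID once and keeps it in storage that is included in backups.

```python
import copy
import uuid
from collections import defaultdict

class Device:
    """Toy model of an iOS device; not Apple's API."""
    def __init__(self, name, udid):
        self.name = name
        self.udid = udid        # fixed for the life of the device
        self.app_prefs = {}     # per-app storage, included in backups

    def stored_uuid(self, app):
        # Assumption: the app creates a random UUID once and persists it.
        prefs = self.app_prefs.setdefault(app, {})
        if "uuid" not in prefs:
            prefs["uuid"] = str(uuid.uuid4())
        return prefs["uuid"]

    def backup(self):
        return copy.deepcopy(self.app_prefs)

    def restore(self, backup):
        # Restoring replaces app data; the device UDID is untouched.
        self.app_prefs = copy.deepcopy(backup)

def build_profiles(events):
    """Ad-network side: group reported events by the identifier sent."""
    profiles = defaultdict(list)
    for identifier, device_name, app, action in events:
        profiles[identifier].append((device_name, app, action))
    return dict(profiles)

def demo():
    iphone = Device("iphone", "constructed-udid-0001")
    ipad = Device("ipad", "constructed-udid-0002")
    apps = ["game", "news"]

    # Case 1: both apps report the UDID, so their events share one key.
    udid_events = [(iphone.udid, iphone.name, a, "launch") for a in apps]

    # Case 2: each app reports its stored UUID, then the iPhone backup
    # is restored to the iPad and the same apps run there.
    for a in apps:
        iphone.stored_uuid(a)
    ipad.restore(iphone.backup())
    uuid_events = [(d.stored_uuid(a), d.name, a, "launch")
                   for d in (iphone, ipad) for a in apps]
    return build_profiles(udid_events), build_profiles(uuid_events)
```

In the first result a single key holds events from both apps; in the second, each identifier appears on both the iPhone and the iPad, so it no longer names one device.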

While ad tracking is probably the most well-known thing it’s used for, UDIDs are also used by developers for a bunch of things, from analyzing crash reports and isolating bugs to little functions and app conveniences that most users take for granted.

For example, here’s a feature that had to be dropped from the popular Twitter client Tweetbot after Apple started coming down on developers still using UDIDs, as described by makers Tapbots:

We used them [UDIDs] only for our push notification services in order to be able to match up a given device to its push notification settings. This allowed us to restore push notifications settings after Tweetbot was deleted and re-installed. With this new change in place this is no longer possible, if you delete and re-install Tweetbot you’ll have to setup your push notification settings again. Your device’s UDID never went anywhere besides our push notification services and has never been shared with anyone.

Loads of apps use UDIDs in this way, whether for features, conveniences or tracking bugs, even if they never share your data with outside networks.

Moreover, CFUUIDs can’t be used to replicate all of the functionality of UDIDs, and with Apple remaining mum as to why they were deprecating UDIDs in the first place, most devs decided to drag their feet and see what shook out when it came to getting rid of UDID calls in their apps… right up until the point where Cupertino started to play it tough, flat out rejecting and pulling apps that so much as referenced the unique identifier.

Now everyone’s scrambling for a viable third-party UDID alternative. There’s a lot of money at stake for advertisers and developers when the very backbone of iOS device tracking is done away with. As the industry scrambles to find a replacement, new third-party solutions have started popping up with hopes of being the next UDID… but they all have their strengths and weaknesses. Are any a viable UDID replacement?
