Developers Are Linking UDIDs With Millions of Facebook Accounts… And Apple Doesn’t Care
Although Apple’s own Game Center once threatened to topple it from its perch as iOS’s most popular gaming social network, OpenFeint is still going strong, largely thanks to an open, cross-platform approach that allows iOS and Android devices to play with one another on equal social footing.

But that’s not to say that OpenFeint hasn’t had its missteps. Last month, a security researcher discovered that OpenFeint commonly linked iOS devices’ unique device identifiers (or UDIDs) to the phone owner’s Facebook profile. The result? A list of names for 75 million registered OpenFeint users, linked to their iOS devices and Facebook accounts.

OpenFeint has since closed the security hole in their system, but as security researcher Aldo Cortesi tells Wired, if a network as big as OpenFeint managed to link UDIDs with specific user accounts across games as popular as TinyWings, Pocket God, Robot Unicorn Attack and Fruit Ninja, there are probably a lot more apps out there flying under the App Store Approval Team’s radar. And those app developers could, even now, be selling your information to advertisers.

“By designing an API to expose UDIDs and encouraging developers to use it, Apple has ensured that there are literally thousands of databases linking UDIDs to sensitive user information on the net,” Cortesi said. Worse, Apple doesn’t even seem to be policing its own rule that iOS developers “must not publicly associate a device’s unique identifier with a user account.” While that’s not a huge security vulnerability, it does mean that unscrupulous app developers can potentially figure out what you’re doing with your iPhone outside of their app.

Should we worry? Security researcher Charlie Miller provides a dash of perspective.

“The bottom line is traditional privacy has gone out the window with smartphones,” Miller said. “You’re carrying around always-on GPS-enabled, internet-enabled devices. You’re downloading and running applications that are designed to share your thoughts and photos. [Cortesi] points out some things Apple could have done better to help protect your privacy, but basically, you voluntarily give up some of your privacy in order to use these apps and devices.”

What do you think? Does the definition of a reasonable expectation of privacy change entirely once you buy an iPhone? Let us know in the comments.
