Protecting your Online Identity: Why not to use the UDID

There has been a lot of discussion about the UDID crisis: Apple is deprecating access to UDIDs, and even Congress is calling it a breach of privacy. A UDID alone is not personally identifiable. The issue is that when companies use your UDID to authenticate you, that information does become personal. Using a UDID to verify a user's device might make sense at first, but the UDID is not private information, so you can't trust it. Anyone has access to the UDID, so it cannot and should not be used for any form of authentication.

Take, for example, the company BlueToad, which recently admitted that they were responsible for releasing over 12 million government UDIDs and the associated personal information. The big issue is that anyone has access to these UDIDs, so for those 12 million+ users, the UDID now gives anyone access to personal, private information that they did not give to every single app developer out there. It's now incredibly trivial for anyone to write a simple wrapper into their application that fetches the UDID of your device, and suddenly they know exactly who you are.

Additionally, this means that BlueToad was using the UDID for authentication, which means that if you want to pretend to be Joe Smith, all you have to do is look up his UDID on the list of leaked information and simulate it on your device (which is easy to do on a jailbroken device). Now the entire authentication and authorization system around BlueToad's service has come crumbling down just as if they had been leaking passwords, except the UDID can't be reset when it's breached.

But let's take this one step further: what if, instead of a simple news reader application, we were writing a banking application? If we had relied on the UDID for authentication, then anyone who installs an application on your device has access to this UDID and can access your bank account.

The UDID is not a personal identifier, and using it as one is not just a breach of privacy, but a major security flaw.

At Newstex, instead of using a UDID or something that everyone has access to, we use a unique installation identifier, which is generated by us at runtime. This identifier is specific not only to your device and our application, but to the specific installation of that application on that device. This means that once you uninstall the application or reset your device, that installation ID is immediately removed, and thus nobody else can access your account. This identifier is also encrypted on the device and not available to other developers.
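
As an added illustration (not Newstex's code), here is a minimal server-side sketch of a per-installation identifier, showing the two properties a UDID lacks: it is unguessable, and it can be retired and replaced. The `InstallationRegistry` class, the account name and the sample UDID are hypothetical, and the sketch assumes the server issues the ID and keeps only a hash of it.

```python
import hashlib
import hmac
import secrets


class InstallationRegistry:
    """Server-side record of installation IDs (hypothetical helper)."""

    def __init__(self):
        # account -> set of SHA-256 digests of active installation IDs
        self._active = {}

    @staticmethod
    def _digest(installation_id: str) -> bytes:
        return hashlib.sha256(installation_id.encode("utf-8")).digest()

    def register(self, account: str) -> str:
        """Create a fresh random ID for one installation of the app."""
        installation_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._active.setdefault(account, set()).add(self._digest(installation_id))
        return installation_id  # sent once to the app, which stores it encrypted

    def verify(self, account: str, presented: str) -> bool:
        candidate = self._digest(presented)
        # Constant-time comparison against each stored digest.
        return any(hmac.compare_digest(candidate, d) for d in self._active.get(account, ()))

    def revoke(self, account: str, installation_id: str) -> None:
        """Retire an ID after uninstall, device reset, or a suspected leak."""
        self._active.get(account, set()).discard(self._digest(installation_id))


def demo():
    registry = InstallationRegistry()
    udid = "constructed-udid-0000"  # constructed sample; readable by every app on the device
    first = registry.register("joe")
    second = registry.register("joe")  # reinstall -> a different ID
    results = {
        "first_valid": registry.verify("joe", first),
        "ids_differ": first != second,
        "udid_rejected": registry.verify("joe", udid),
    }
    registry.revoke("joe", first)
    results["first_after_revoke"] = registry.verify("joe", first)
    results["second_still_valid"] = registry.verify("joe", second)
    return results


if __name__ == "__main__":
    print(demo())
```

Because only digests are stored, a leak of the server's table does not hand out usable identifiers, and any single installation can be revoked without affecting the others.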
