You're Not Safe Unless Your UDID Is Secure

mobile securityIs your UDID safe? Do you know what a UDID is?

Unless you’re in the mobile application development industry or you love to learn about the technology behind your iPhone, you probably don’t know what a UDID is. However, protecting your UDID is essential to your privacy. That’s a lesson that many people are learning since a small app developer, BlueToad, had its system hacked and over 12 million users’ UDIDs were compromised with 1 million being published online for the world to see.

A UDID is the unique identifier number that identifies each iOS device. Before March 2012 (when Congress voiced its concerns to Apple over the lack of security around UDIDs), developers used UDIDs to track installations of their apps across Apple’s user base. At that time, Apple warned app developers that they needed to stop using UDIDs and announced that new apps which used UDIDs would not be accepted into the Apple App Store. Unfortunately, BlueToad did not comply fast enough and 12 million people had their UDIDs compromised.

It’s important to point out that a UDID alone is not personally identifiable. Newstex Vice President of Technology Chris Moyer explains, “The issue is that when companies use your UDID to authenticate you, that information does become personal.” To clarify, he describes how this would work for a banking application, “If [the app] relied on the UDID for authentication, then suddenly anyone who installs an application on your device has access to this UDID and can access your bank account. The UDID is not a personal identifier, and using it as one is not just a breach of privacy, but a major security flaw.”

Chris points out that Newstex does not use a UDID for authentication in its mobile applications. He says, “We use a unique installation identifier, which is generated by us at runtime. This unique identifier is custom not only to your device and our application but for the specific installation of that application on that device. This means that once you uninstall the application or reset your device, that installation ID is immediately removed, and thus, nobody else can access your account. This identifier is also encrypted on the device and not available to other developers.”

You can learn how to find your UDID and check if it’s on the list of compromised UDIDs here.

Image: Denis Fuentes

Leave a reply