Remember the media frenzy that took place soon after the iPad was launched when a group of hackers lifted user emails and device ID numbers (UDIDs) off an unprotected AT&T server? Well, it seems that more than 60 percent of all iPhone apps are compromising the very same information, no hacking required.
The study was conducted by Eric Smith, the assistant director of information security and networking at Bucknell University. He looked at 57 different iPhone applications and found that a whopping 38 of those were sending the device’s UDID off to their own or a third party server every time the app was launched…and the UDID is just the start of the information that is being shared without your knowledge.
The UDID is a unique ID number assigned to each phone, essentially a hardware serial number that cannot be changed or altered. Once you have access to this number it makes it easy to track a device virtually, monitoring your browsing and shopping habits. As more and more applications transmit location and other details, individual devices can also be physically tracked using the UDID. Even if you refuse to allow the app to transmit your location, you can still be tracked by UDID based on the WiFi hotspots you access.
Some apps, such as an app by Amazon, actually connects the real name of the user with the UDID and transmits both in unencrypted plain text! Others, like the CBS News app, connects the UDID to the user-defined name of the phone that often includes the user’s name, especially if the phone is used for business.
Once these apps mark you, even the passage of time won’t protect you. For example, the ABC News iPhone app sends your UDID to a remote server and then places an app cookie on your phone that doesn’t expire for 20 years. To further protect the cookie it isn’t even placed in the Safari folder on the iPhone along with other cookies, but in the ABC News app directory. Therefore, even if you know about the cookie and want to delete it…well, good luck finding it.
The mobile world is becoming a less and less secure place, and it seems that many companies and vendors like that just fine. Do you know what your phone is saying about you behind your back?[iPhone Applications & Privacy Issues (PDF)]