As we reported this weekend, Apple has started ramping up its efforts to deprecate the UDID – the unique identifier that ties a user to a specific device, like an iPhone or iPad. The company originally announced its intentions to phase out the UDID’s use more than six months ago, with the release of iOS 5, but it recently began to reject apps from the App Store which are attempting to access those identifiers.
Today, the makers of a crash-reporting solution for mobile developers, Crashlytics, are launching an open source alternative to the UDID called SecureUDID, which the company believes will address the privacy concerns surrounding UDID usage.
To catch you up on the UDID situation, if you’re unaware, Crashlytics co-founder Jeff Seibert explains that Apple likely never guessed at how prevalent – and yes, unrestricted – its usage would become in the future.
“When Apple rolled out the original iPhone, they really had no intention of [UDIDs] becoming a security problem. They used them exactly as they do today – so they could uniquely identify devices. I don’t think developers or Apple anticipated the leaks of the UDIDs associated with other potentially private information would be such a problem.”
Seibert says that the situation escalated due to the heavy use of the UDID – some 68% of applications are now transmitting them – combined with a bit of irresponsibility on the part of some developers.
“They didn’t treat it as something private. They would send it over as clear text. They would store it in their database in clear text. And they would then make it available, whether through their API or on their site, for hackers or people researching to sniff the data.”
He says that the biggest issue with the UDID is that it’s a single value, like a social security number, that is tied to your device and that you cannot change.
When Apple announced its intentions to deprecate the UDID, everyone began scrambling for solutions. AppsFire was one of the first companies to launch an alternative – an open source solution called OpenUDID. In fact, Crashlytics’ own Sam Robbins was a contributor to that initiative. But over time, the company grew to believe that the OpenUDID solution was not ideal.
Although users could opt out of data collection with OpenUDID, as they now will be able to with SecureUDID, the former was stuck with the assumption that there’s one unique number per device. That means, says Seibert, that it didn’t really address the issue of leaked data. If one developer leaked your OpenUDID, you would have the same problem as when a developer leaked your Apple UDID. That is, another developer could get the data and be able to tie that data to your device.
So instead, the new solution called SecureUDID will still allow developers to differentiate between devices, which is what they need for analytics purposes, but now that identifier is different from every other developer’s UDID for that same device. Developers can then track users across their own apps, but now there’s no way to match data between different organizations.
This appears to address the privacy concerns associated with the original UDID’s use, as it’s no longer a global identifier tying a device to a single user. Users who don’t want to be tracked at all can choose to opt out. (Developers will get a string of zeroes for them, which tells the app to show them the default settings in that case.) Interestingly, there will be an iOS app that allows for the opt-out process, but it’s awaiting App Store approval. I guess it’s time to see what Apple thinks of the new system.
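The difference between a device-wide identifier and a per-developer one can be shown with a small model. This is an added example, not SecureUDID's code: the article does not describe how the identifier is produced, so the random per-developer value, the 32-character opt-out string, and the developer names `com.example.alpha` and `com.example.beta` are all assumptions.

```python
import uuid

# The article says opted-out users yield "a string of zeroes"; the length is assumed.
OPT_OUT_ID = "0" * 32


class Device:
    """Constructed model of one device (not the SecureUDID implementation)."""

    def __init__(self):
        self.global_udid = uuid.uuid4().hex  # one value seen by every developer
        self._scoped = {}                    # developer name -> random identifier
        self.opted_out = False

    def scoped_id(self, developer):
        """Identifier that is stable per developer and unrelated across developers."""
        if self.opted_out:
            return OPT_OUT_ID
        return self._scoped.setdefault(developer, uuid.uuid4().hex)


def collect(devices, developer, scoped):
    """Identifiers that would end up in one developer's database."""
    return {d.scoped_id(developer) if scoped else d.global_udid for d in devices}


def linkable(db_a, db_b):
    """Identifiers present in both databases, i.e. records that can be joined."""
    return (db_a & db_b) - {OPT_OUT_ID}


def run_comparison():
    """Return (cross-developer matches with a global ID,
               cross-developer matches with scoped IDs,
               matches between two apps of the same developer)."""
    devices = [Device() for _ in range(5)]  # constructed sample population
    devices[0].opted_out = True
    alpha, beta = "com.example.alpha", "com.example.beta"  # hypothetical developers
    global_join = linkable(collect(devices, alpha, False),
                           collect(devices, beta, False))
    scoped_join = linkable(collect(devices, alpha, True),
                           collect(devices, beta, True))
    same_dev_join = linkable(collect(devices, alpha, True),
                             collect(devices, alpha, True))
    return len(global_join), len(scoped_join), len(same_dev_join)


if __name__ == "__main__":
    print(run_comparison())
```

With a global identifier, a leak from one developer lets another match every device; with scoped identifiers the two databases share nothing, while a single developer can still recognise the same device across its own apps.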
As for developers, SecureUDID implementation is easy enough – three lines of code is all that’s needed. The solution is being made available as open-source, MIT-licensed code, which Crashlytics hopes will attract support from the developer community, including even those building for Android.
To be clear, SecureUDID isn’t the only alternative method available today. Besides OpenUDID, there are other third-party solutions in development, plus many developers have begun to use MAC addresses. However, with many solutions, and especially MAC addresses, privacy concerns remain.
More details regarding SecureUDID are available here.
Source: http://techcrunch.com/2012/03/27/secureudid-is-an-open-source-solution-to-the-apple-udid-problem/?grcc=6da758bb0419b2276c956c847f295547Z8