No user privacy on iPhones & iPads

Did you know that data is collected by Apple applications running on iPhones and iPads and transmitted to the applications’ owners without your knowledge? Craig Michael Lie Njie of KismetWorldWide learned, while creating an application for his own company, that reports are created every day by applications used on these devices, detailing

every action a user takes within an app: every button click, every page viewed, every table cell viewed, and the time a person took between each action, all sent back to the server without any notification or customer access to that information.

or any level of customer permission, either.

Information gathering is accomplished by accessing the UDID of any mobile Apple device. Think of the UDID as a permanent cookie resident in each iPhone and iPad which is visible to any software developer and “can’t be turned off”.

It’s incredibly simple to access the UDID and transmit back to the server, but incredibly privacy invasive (and) easily linkable across different applications…

Theoretically, in order to trace what you do back to you, applications must know more about your device than merely its UDID. But this can easily be obtained just by asking your device (in the background, without your knowledge) to verify a little bit of information.

Eric Smith of PSKL speaks about the striking similarity to a 1999 privacy issue relating to Pentium 3 computers:

The iPhone’s UDID is eerily similar to the Pentium 3’s Processor Serial Number (PSN) … While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID. As UDIDs can be readily linked to personally-identifiable information, the “Big Brother” concerns from the Pentium 3 era should be a concern for today’s iPhone users as well.
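The cross-application linkability described above, shown as an added example that is not part of the original post or anyone's production code: two unrelated apps report to one shared network, first keyed by the device-wide UDID and then by a per-app identifier. The app names, sample values, keys and the HMAC-based per-app scheme are all constructed assumptions for illustration, not an Apple API.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: one device, two unrelated apps, one shared network.
DEVICE_UDID = "0000-constructed-udid-0001"  # placeholder, not a real UDID
REPORTS = [
    {"app": "app_A", "field": "email", "value": "user@example.com"},
    {"app": "app_B", "field": "geo", "value": "47.61,-122.33"},
]
# Hypothetical per-app keys, assumed to be held by the platform, not the apps.
APP_KEYS = {"app_A": b"constructed-key-A", "app_B": b"constructed-key-B"}


def global_id(udid: str, app: str) -> str:
    """Every app sees and reports the same device-wide identifier."""
    return udid


def per_app_id(udid: str, app: str) -> str:
    """Assumed mitigation: each app only sees an HMAC of the UDID under its own key."""
    return hmac.new(APP_KEYS[app], udid.encode(), hashlib.sha256).hexdigest()


def network_profiles(id_scheme) -> dict:
    """What the shared network can assemble by grouping reports on the identifier."""
    profiles = defaultdict(dict)
    for report in REPORTS:
        ident = id_scheme(DEVICE_UDID, report["app"])
        profiles[ident][report["field"]] = report["value"]
    return dict(profiles)


def linked_fields(profiles: dict) -> int:
    """Largest number of distinct data fields tied to a single identifier."""
    return max(len(fields) for fields in profiles.values())


if __name__ == "__main__":
    for name, scheme in (("global UDID", global_id), ("per-app ID", per_app_id)):
        profiles = network_profiles(scheme)
        print(f"{name}: {len(profiles)} profile(s), "
              f"up to {linked_fields(profiles)} field(s) linked to one identifier")
```

With the device-wide identifier the network ends up with a single profile holding both the email and the location; with per-app identifiers the same reports fall into two profiles that cannot be joined on the identifier alone.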

One Reply to “No user privacy on iPhones & iPads”

  1. Thanks for spreading the word! One thing I missed in the email you linked:
    “Once a network has linked a UDID to personally identifiable information (PII), they can then link that UDID to all of the apps that use that network. Once a customer uses the same app on two devices, the network can link all information between all apps across both devices. For example, say two apps both use the same advertising network. If app_A asks for an email address on a device (e.g. iPhone), and then provides that to the ad network along with the UDID, the ad network now has a link between the UDID and the email address and can use or sell that information to all the other apps in their network. If app_B collects geo-location data, and delivers that to the ad network along with the UDID, now the ad network can link the email address (from app_A) with the geo-location data (from app_B) and build out their database of PII for each UDID. Once a customer uses app_A on a different device (e.g. their iPad), the ad network can immediately link the two UDIDs together and now knows the geo-location data and email address for the user on the iPad, even if they never open app_B.”

    Here’s everything I wrote as a single blog post:

