First Android, now iPhone apps have sprung a data leak
US— iPhone apps have been discovered sharing unique device identifiers (UDIDs) with remote servers, sometimes with an iPhone user’s name attached in breach of Apple’s developer rules.
An evaluation of 57 of the most popular free apps found 67% were transmitting UDIDs between applications and remote servers owned either by application developers or their advertising partners, while “a substantial number” were found to collect both UDID and “some form of user login data which ties to a stored user account”.
Study author Eric Smith, assistant director of information security and networking at Bucknell University, Pennsylvania, tracked an exchange between Amazon.com’s iPhone app and the company’s servers, in which the UDID was transmitted and a reply made which contained his real name.
Apple warns app developers they “must not publicly associate a device’s unique identifier with a user account”. The most recent version of the company’s developer rules states that user and device data can be collected “to provide a service or function that is directly relevant to the use of the application, or to serve advertising” but not without obtaining prior user consent.
But according to Smith, “there is no ability to block visibility of the iPhone’s UDID to any installed applications, nor is there a mechanism to prevent the transmission of the UDID to third parties”.
He adds: “iPhone users are helpless to prevent their phones from leaking this information”. Download Smith’s paper here.
Last week, a study of 30 popular Google Android apps also uncovered instances where potentially sensitive device information and location data was being leaked by applications without user permission.