ESPN App retains login info after iPhone wiped clean

Discussion in 'iPhone' started by Gforce809, Nov 5, 2012.

  1. Gforce809, Nov 5, 2012
    Last edited: Nov 5, 2012

    macrumors newbie

    Joined:
    Nov 5, 2012
    #1
    A few days ago my new iPhone 5 arrived, so I handed down my 4S to my fiancé (she originally had a 4). Before the switch I completely erased everything, put in her SIMM card, and restored it from her iCloud backup. Two days later, she downloaded the ESPN Scorecenter App for the first time, from her iTunes account, and upon launching it, to my surprise, it signed in under my username and password, and had all my team alerts and settings ready to go.

    I vaguely remember a year or two ago after turning in my 4 to the Apple Store for replacement under warranty, not long after that my team alerts on the ESPN App just constantly started disappearing until I finally changed the password (my guess is they sold it as a refurbished phone). And again, everything on the phone was completely erased before it left my hands.

    Has anyone else ever experienced that with this app or any other app and know why it might be happening? I am planning to sell the old 4 on eBay this week, and it concerns me that some random person could buy it and install an app that was previously on there and pull up my or my fiancé's accounts.
     
  2. macrumors regular

    Joined:
    Nov 27, 2010
    #2
    When you erase all content and settings on the 4s (all iPhones from 3GS on up) it removes the encryption key that protects data, so there really isn't any way that info is being recovered from the phone itself ( http://support.apple.com/kb/ht2110 ). What is likely happening is ESPN ScoreCenter is using the UDID to auto setup the app for you. It's really a pretty ridiculous way to program an app and is likely one of the reasons apple is telling developers to stop using UDID for authentication.
    I just checked a bit and while certainly not proof that this is the case, Scorecenter is mentioned by someone in this post ( http://forums.macrumors.com/archive/index.php//t-1019820.html ) discussing the use of UDID to auto-plug usernames and passwords. I'm really surprised a developer would do this (okay, not REALLY surprised).
     
  3. thread starter macrumors newbie

    Joined:
    Nov 5, 2012
    #3
    I suspect it is the UDID, and here is further proof. I powered up the iPhone 4 my fiancé has been using since October 2011 until last week, the same one I had used from February 2011 to October 2011, and when I downloaded the ESPN Scorecenter app to that phone and launched it, it logged in as me - same exact thing that happened on the 4S. It had been over 1 year since I had used that phone and the app had been on there, and yet it still logged in as me.

    I am going back and reinstalling every possible app that I ever could have possibly used on that phone to see if any others do this, and if I find any I will post them to this thread. I'm also going to try to notify Apple that this App has a major security flaw, although it is not inherently obvious on how to report something like that.
     
  4. macrumors 6502a

    Joined:
    Feb 18, 2008
    Location:
    Above.
    #4
    Maybe you could just...log out?
    Crazy idea I know, but just might work.
     
  5. macrumors 6502a

    Joined:
    Feb 18, 2008
    Location:
    Above.
    #5
    Maybe you could just...log out?
    Crazy idea I know, but just might work.
     
  6. thread starter macrumors newbie

    Joined:
    Nov 5, 2012
    #6
    Logging out does work, and so does changing the password, but that's not the point. The point is, the App should not be automatically logging me back in after the phone has been wiped clean and is either set up as a new device or restored with another persons backup - both of which have happened. This is why I suspect the ESPN App is linking my current and previous iPhone's UDID with my ESPN account's automatic login credentials.
     
  7. macrumors 6502

    Joined:
    Jun 28, 2010
    #7
    So when you sell your iPhone, you are going to log out of 100's of apps then wipe it? Remember, you don't know which ones store your UDID and which don't. This is definitely a problem, albeit very small.
     
  8. macrumors 68020

    Joined:
    Nov 15, 2011
    #8
    I've always been hesitant to try to sell an iPhone. We'll have a spare one next year (my old 4s) and I think I'll just keep it around rather than sell.
     
  9. macrumors 6502a

    Joined:
    Mar 1, 2008
    Location:
    Rockland/Manhattan/Bay Area
    #9
    the OP said he gave it to his fiance, but I guess I knew what you meant
     
  10. macrumors 68020

    Joined:
    Nov 15, 2011
    #10
    yeah, sorry... got me thinking about what is done with old iPhones... I gave my 4s to my wife but next year she'll either get a new one or I will and the 4s will be "extra". I'd like to sell it but I'll prob. just keep it for a spare.
     

Share This Page