I don't understand how anyone can sell their iPhone, knowing about UDID authorization

[Qute]

This goes for the iPad and iPod Touch as well. Why is this security issue not talked about more?

The problem as I see it is clear:
[1] Every iPhone (and iPad, iPod Touch) has a unique ID number called the 'UDID' that does not change even if you restore your device.

[2] Many apps use this UDID to identify your device and provide access to your game scores, playlists, etc.
In some cases personal contact information and authorization to other linked accounts is also provided.
This is so users don't need to register or log on. The app servers already know who you are. Or to be more specific, they know your device.

[3] Clueless user sells iPhone after restoring. Buyer downloads previously used app.
App servers identify the UDID and gives access to previous user's information.

What is frustrating to me is that there is no way of knowing what specific apps do this.
It seems that some apps just use the UDID without informing the user while some apps require you to manually input your UDID.
In any case, with UDID spoofing easily done through jailbreaking, authorization through UDID is obviously a severe security flaw.

Why is this not talked about more? What is being done to identify and prevent these potentially harmful apps?

 

[appleguy123]

Are you sure that they use the UUID? I thought that they just cached some files on the phone to save your info. Which is why if you clean restore(not from backup) the apps that held your info won't anymore.

 

[lorenwade]

This goes for the iPad and iPod Touch as well. Why is this security issue not talked about more?

The problem as I see it is clear:
[1] Every iPhone (and iPad, iPod Touch) has a unique ID number called the 'UDID' that does not change even if you restore your device.

[2] Many apps use this UDID to identify your device and provide access to your game scores, playlists, etc.
In some cases personal contact information and authorization to other linked accounts is also provided.
This is so users don't need to register or log on. The app servers already know who you are. Or to be more specific, they know your device.

[3] Clueless user sells iPhone after restoring. Buyer downloads previously used app.
App servers identify the UDID and gives access to previous user's information.

What is frustrating to me is that there is no way of knowing what specific apps do this.
It seems that some apps just use the UDID without informing the user while some apps require you to manually input your UDID.
In any case, with UDID spoofing easily done through jailbreaking, authorization through UDID is obviously a severe security flaw.

Why is this not talked about more? What is being done to identify and prevent these potentially harmful apps?

I can't pretend to know how this stuff works, but how come I'm able to save my app data when I load a new phone and "restore from backup"?

 

[wvphysics]

User information is stored on apple servers based on the iTunes account you setup on the phone (the user name and password that always polyp everytime you make a purchase), it has nothing to do with the phone's ID number. That is how you can put one purchase onto multiple devices. As far as keeping data when you restore from a backup, well that's why they call it a backup.

 

[Vegastouch]

This goes for the iPad and iPod Touch as well. Why is this security issue not talked about more?

The problem as I see it is clear:
[1] Every iPhone (and iPad, iPod Touch) has a unique ID number called the 'UDID' that does not change even if you restore your device.

[2] Many apps use this UDID to identify your device and provide access to your game scores, playlists, etc.
In some cases personal contact information and authorization to other linked accounts is also provided.
This is so users don't need to register or log on. The app servers already know who you are. Or to be more specific, they know your device.

[3] Clueless user sells iPhone after restoring. Buyer downloads previously used app.
App servers identify the UDID and gives access to previous user's information.

What is frustrating to me is that there is no way of knowing what specific apps do this.
It seems that some apps just use the UDID without informing the user while some apps require you to manually input your UDID.
In any case, with UDID spoofing easily done through jailbreaking, authorization through UDID is obviously a severe security flaw.

Why is this not talked about more? What is being done to identify and prevent these potentially harmful apps?

Because you are wrong. I sold an iPhone on ebay and the person who bought it said it always asked for my password when they went to their iTunes and wanted to download an app. I told them all they had to do was attach the phone to their iTunes and when they did, all was good.

 

[bruinsrme]

Are you sure that they use the UUID? I thought that they just cached some files on the phone to save your info. Which is why if you clean restore(not from backup) the apps that held your info won't anymore.

I had a cracked app but bought the legit one.
There was an issue that caused the legit app to stop working. the developer asked for the UUID to ensure it was in the authorized table.

I can see how the issue can arise

 

[marksman]

Yeah some apps do it.

Storm8 does it with all their games. Your game account is tied to the phone identification number. You can transfer an account to a new phone, now but used to not be able to and most people wouldn't know that anyways.

I am sure others do the same thing. It is a way for apps to basically have user ids without logins, like the OP said.

Anyone who thinks this is not happening, is simply ignorant of the reality, but it is happening, and I can see how it could be a problem.

I think there should be a way for apps to identify them using this information and providing a transfer/removal process.

I suspect that apps themselves will have to manage it. Like I know Storm8 does to some degree. But the reality is someone can buy your device and access your accounts in some apps.

Makes me think that perhaps Apple should not allow apps to do this and require some kind of external login if they are going to get data from outside the app. That way all it has to do is cache the login, and not just use the UDID.

 

[Philalbe]

I wonder if that explains something that happened to me? I sold an ipod touch on ebay (after restoring) and ran into trouble with Amazon.com. "One click" orders I never placed were being charged to my account. I thought I was going nuts. All they could tell me is that the purchases were made using the "one click" feature on a mobile device (iPod touch) registered with Amazon. Took a lot of back and forth with Amazon and my bank, but I eventually got the charges and bank fees reversed. My theory is even though I deleted all the apps including Amazon and restored the device before selling, the device itself was still recognized by Amazon. I've sold devices since, but I've sworn off "one click" shopping, especially on mobile devices.

 

[moussekateer]

I agree with the OP this is a bit of a problem. Social networks such as Tapulous, Openfeint, plus+ etc use your UDID to link your account with the phone. This link is there even if you restore your phone and set up as new. They'll identify you and ask you to log in with the linked username. I'm not comfortable with selling my phone and the buyer seeing all my usernames so I unlink my phone from all these networks before I do pass it on. Sadly it isn't clear how to do this and the option is buried deep in both Tapulous and Openfeint. Even though it isn't a security risk really it should still be made clear what the implications of linking your phone is and provide clearer steps on how to remove this link

 

[Applejuiced]

I agree with the OP this is a bit of a problem. Social networks such as Tapulous, Openfeint, plus+ etc use your UDID to link your account with the phone. This link is there even if you restore your phone and set up as new. They'll identify you and ask you to log in with the linked username. I'm not comfortable with selling my phone and the buyer seeing all my usernames so I unlink my phone from all these networks before I do pass it on. Sadly it isn't clear how to do this and the option is buried deep in both Tapulous and Openfeint. Even though it isn't a security risk really it should still be made clear what the implications of linking your phone is and provide clearer steps on how to remove this link

Good info.
Glad Im not using any of them services

 

[Resist]

I agree that if this really is an issue, it need to be discussed more. I am about ready to sell my old iPhone and Touch, but now am having second thoughts.

 

[Sean4123]

Who cares if people can see your username? Without a password, its worthless. What are you guys getting worked up about?

 

[mrrish]

The free ESPN Score Center app does this, for example. If you do a restore of your phone (without backup restore) it will automatically log you in when you reinstall and launch that app--both username and password!

 

[Resist]

Who cares if people can see your username? Without a password, its worthless. What are you guys getting worked up about?

But that password may be stored in the phone's memory, if you set your apps to remember the password. This could be hazardous for banking apps.

 

[Kahnyl]

I think Smule uses UDIDs for account data on some games.

 

[Bandolier]

OpenFeint uses it. I'm 100% sure about this.

 

[8767092]

Last.fm uses something like this too. The person that purchased my iPhone was able to access my account.

 

[Ivan P]

Are you sure that they use the UUID? I thought that they just cached some files on the phone to save your info. Which is why if you clean restore(not from backup) the apps that held your info won't anymore.

I restored my iPhone and set it up as new, and went to play Flight Control. While it didn't have my high scores or anything when I first opened it (obviously), it still somehow determined my username for the leaderboards without me having to log in.

 

[OneMike]

[3] Clueless user sells iPhone after restoring. Buyer downloads previously used app.
App servers identify the UDID and gives access to previous user's information.

I think that's the most important part of your post. Clueless people.

If you use an app, say twinkle, who's here, imob online, etc.. Once you get signed in you're in for good. Delete the apps, reinstall it and your account info is right there again. However, these apps usually have an option somewhere in there to either sign out your device and/or delete your account/profile which would remove your personal info.

Use another app, say chase mobile, at&t, 1password etc.. You sign in and it saves your username and possibly password depending on the app on the device. However, once the app is deleted so is your info.

Simple test is to take the app in question. Uninstall it. Reinstall it. If your personal info is still there then that's an app you need to dig into the settings to manually logout.

apps such as flight control pull your info from the itunes/game center account you're signed in to. Don't sign in to your game center / itunes account which you shouldn't be doing if you're selling your phone anyway and you won't have this problem..

 

[shmeaty]

Pandora Radio absolutely does.

 

[SAD*FACED*CLOWN]

I thought the iTunes account was the gate keeper of your info on apps and music...not the phone's id

 

[nwcs]

When I got rid of my last iPhone I did the whole Erase Data option. Blanked everything and it all had to be setup new. I haven't seen any issues from that.

 

[err404]

When I got rid of my last iPhone I did the whole Erase Data option. Blanked everything and it all had to be setup new. I haven't seen any issues from that.

It depends on which apps you and the buyer used. It's not a fundamental issue with iOS, rather a poor decision made by the app developer.
Fortunately fewer apps use this method of identification these days. It seems to be mostly games. Hopefully GameCenter will help minimize this. The application developer should not use the physical hardware as the ONLY requirement for authorization.
Application developers who do this need to take a class in Security 101.

 

[g35]

I think Wunder Radio does this, too. I restored as new, downloaded the app again, and while it didn't remember my favourite stations, it did remember my recent ones.

 

[VulchR]

Only an idiot would program apps using the UDID for login, but thanks to the OP for posting this issue. Blimey.