I don't understand how anyone can sell their iPhone, knowing about UDID authorization

Discussion in 'iPhone' started by Qute, Sep 23, 2010.

  1. Qute macrumors newbie

    Jun 10, 2010
    This goes for the iPad and iPod Touch as well. Why is this security issue not talked about more?

    The problem as I see it is clear:
    [1] Every iPhone (and iPad, iPod Touch) has a unique ID number called the 'UDID' that does not change even if you restore your device.

    [2] Many apps use this UDID to identify your device and provide access to your game scores, playlists, etc.
    In some cases personal contact information and authorization to other linked accounts is also provided.
    This is so users don't need to register or log on. The app servers already know who you are. Or to be more specific, they know your device.

    [3] Clueless user sells iPhone after restoring. Buyer downloads previously used app.
    App servers identify the UDID and give access to the previous user's information.

    What is frustrating to me is that there is no way of knowing what specific apps do this.
    It seems that some apps just use the UDID without informing the user while some apps require you to manually input your UDID.
    In any case, with UDID spoofing easily done through jailbreaking, authorization through UDID is obviously a severe security flaw.

    Why is this not talked about more? What is being done to identify and prevent these potentially harmful apps?
  2. appleguy123 macrumors 604


    Apr 1, 2009
    15 minutes in the future
    Are you sure that they use the UUID? I thought that they just cached some files on the phone to save your info. Which is why if you clean restore (not from backup) the apps that held your info won't anymore.
  3. lorenwade macrumors 68000


    Aug 27, 2008
    I can't pretend to know how this stuff works, but how come I'm able to save my app data when I load a new phone and "restore from backup"?
  4. wvphysics macrumors regular

    Jul 7, 2010
    User information is stored on Apple servers based on the iTunes account you set up on the phone (the user name and password that always pops up every time you make a purchase); it has nothing to do with the phone's ID number. That is how you can put one purchase onto multiple devices. As far as keeping data when you restore from a backup, well, that's why they call it a backup.
  5. Vegastouch macrumors 603


    Jul 12, 2008
    Las Vegas, NV
    Because you are wrong. I sold an iPhone on eBay and the person who bought it said it always asked for my password when they went to their iTunes and wanted to download an app. I told them all they had to do was attach the phone to their iTunes, and when they did, all was good.
  6. bruinsrme macrumors 603


    Oct 26, 2008
    I had a cracked app but bought the legit one.
    There was an issue that caused the legit app to stop working. The developer asked for the UUID to ensure it was in the authorized table.

    I can see how the issue can arise.
  7. marksman macrumors 603


    Jun 4, 2007
    Yeah some apps do it.

    Storm8 does it with all their games. Your game account is tied to the phone identification number. You can transfer an account to a new phone now, but you used to not be able to, and most people wouldn't know that anyway.

    I am sure others do the same thing. It is a way for apps to basically have user ids without logins, like the OP said.

    Anyone who thinks this is not happening is simply ignorant of the reality, but it is happening, and I can see how it could be a problem.

    I think there should be a way for apps to identify them using this information and providing a transfer/removal process.

    I suspect that apps themselves will have to manage it. Like I know Storm8 does to some degree. But the reality is someone can buy your device and access your accounts in some apps.

    Makes me think that perhaps Apple should not allow apps to do this and require some kind of external login if they are going to get data from outside the app. That way all it has to do is cache the login, and not just use the UDID.
  8. Philalbe macrumors 6502

    Jun 11, 2010
    Greater Boston Area
    I wonder if that explains something that happened to me? I sold an iPod touch on eBay (after restoring) and ran into trouble with Amazon.com. "One click" orders I never placed were being charged to my account. I thought I was going nuts. All they could tell me is that the purchases were made using the "one click" feature on a mobile device (iPod touch) registered with Amazon. Took a lot of back and forth with Amazon and my bank, but I eventually got the charges and bank fees reversed. My theory is even though I deleted all the apps including Amazon and restored the device before selling, the device itself was still recognized by Amazon. I've sold devices since, but I've sworn off "one click" shopping, especially on mobile devices.
  9. moussekateer macrumors 6502a


    May 12, 2009
    I agree with the OP this is a bit of a problem. Social networks such as Tapulous, OpenFeint, Plus+ etc. use your UDID to link your account with the phone. This link is there even if you restore your phone and set up as new. They'll identify you and ask you to log in with the linked username. I'm not comfortable with selling my phone and the buyer seeing all my usernames, so I unlink my phone from all these networks before I do pass it on. Sadly it isn't clear how to do this and the option is buried deep in both Tapulous and OpenFeint. Even though it isn't a security risk really, it should still be made clear what the implications of linking your phone are, and provide clearer steps on how to remove this link.
  10. Applejuiced macrumors Westmere


    Apr 16, 2008
    At the iPhone hacks section.
    Good info.
    Glad I'm not using any of those services :)
  11. Resist macrumors 68030

    Jan 15, 2008
    I agree that if this really is an issue, it needs to be discussed more. I am about ready to sell my old iPhone and Touch, but now am having second thoughts.
  12. Sean4123 macrumors 6502

    Sep 4, 2009
    Who cares if people can see your username? Without a password, it's worthless. What are you guys getting worked up about?
  13. mrrish macrumors regular


    Feb 14, 2008
    The free ESPN Score Center app does this, for example. If you do a restore of your phone (without backup restore) it will automatically log you in when you reinstall and launch that app--both username and password!
  14. Resist macrumors 68030

    Jan 15, 2008
    But that password may be stored in the phone's memory, if you set your apps to remember the password. This could be hazardous for banking apps.
  15. Kahnyl macrumors 68000

    Feb 2, 2009
    I think Smule uses UDIDs for account data on some games.
  16. Bandolier macrumors 6502a

    Aug 2, 2010
  17. LinMac macrumors 65816

    Oct 28, 2007
    Last.fm uses something like this too. The person that purchased my iPhone was able to access my account.
  18. Ivan P macrumors 68030


    Jan 17, 2008
    I restored my iPhone and set it up as new, and went to play Flight Control. While it didn't have my high scores or anything when I first opened it (obviously), it still somehow determined my username for the leaderboards without me having to log in.
  19. OneMike macrumors 603


    Oct 19, 2005
    I think that's the most important part of your post. Clueless people.

    If you use an app, say Twinkle, Who's Here, iMob Online, etc., once you get signed in you're in for good. Delete the app, reinstall it, and your account info is right there again. However, these apps usually have an option somewhere in there to either sign out your device and/or delete your account/profile, which would remove your personal info.

    Use another app, say Chase Mobile, AT&T, 1Password, etc. You sign in and it saves your username and possibly password, depending on the app, on the device. However, once the app is deleted, so is your info.

    Simple test is to take the app in question. Uninstall it. Reinstall it. If your personal info is still there then that's an app you need to dig into the settings to manually logout.

    Apps such as Flight Control pull your info from the iTunes/Game Center account you're signed in to. Don't sign in to your Game Center / iTunes account, which you shouldn't be doing if you're selling your phone anyway, and you won't have this problem.
  20. shmeaty macrumors member

    Sep 23, 2010
  21. SAD*FACED*CLOWN macrumors 65816


    Apr 5, 2010
    Houston, TX
    I thought the iTunes account was the gatekeeper of your info on apps and music... not the phone's ID.
  22. nwcs macrumors 68000


    Sep 21, 2009
    When I got rid of my last iPhone I did the whole Erase Data option. Blanked everything and it all had to be setup new. I haven't seen any issues from that.
  23. err404 macrumors 68020

    Mar 4, 2007
    It depends on which apps you and the buyer used. It's not a fundamental issue with iOS, rather a poor decision made by the app developer.
    Fortunately fewer apps use this method of identification these days. It seems to be mostly games. Hopefully GameCenter will help minimize this. The application developer should not use the physical hardware as the ONLY requirement for authorization.
    Application developers who do this need to take a class in Security 101. :mad:
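    To make concrete what marksman (post 7) and err404 (post 23) are asking for, here is an added example that is not from the thread or from any of the apps named in it: a toy app backend that models the UDID-only login the posters describe beside a hardened one that requires a password, binds the resulting session to the device, and lets the seller unlink the device before passing it on. The backend names, the `SELLER_UDID` value and the scenario are constructed for illustration.

```python
import hashlib, hmac, secrets

SELLER_UDID = "udid-constructed-aaaa1111"   # constructed sample value, not a real UDID
# Vulnerable pattern from the thread: the device ID is the whole credential, so a
# restore-as-new changes nothing and whoever holds the phone is the account owner.
UDID_ACCOUNTS = {}                           # udid -> username

def udid_only_login(udid):
    return UDID_ACCOUNTS.get(udid)           # no secret is ever checked
def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CredentialBackend:
    """Hardened pattern: the UDID only labels a device; access needs a session token
    issued after a password check, bound to that device, and revocable by the user."""
    def __init__(self):
        self.pw_hashes = {}                  # username -> (salt, pbkdf2 hash)
        self.sessions = {}                   # token -> (username, udid)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.pw_hashes[username] = (salt, _kdf(password, salt))

    def login(self, username, password, udid):
        salt, expected = self.pw_hashes.get(username, (b"\0" * 16, b"\0" * 32))
        if not hmac.compare_digest(_kdf(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, udid)
        return token

    def whoami(self, token, udid):
        entry = self.sessions.get(token)     # token must exist and match the device
        return entry[0] if entry and entry[1] == udid else None

    def unlink_device(self, udid):
        """Seller-side step before resale: revoke every session on this device."""
        for t in [t for t, (_, d) in self.sessions.items() if d == udid]:
            del self.sessions[t]

def simulate_resale(seller_wiped_phone, seller_unlinked):
    """Return what the buyer sees on (UDID-only, credential) backends after handover."""
    UDID_ACCOUNTS[SELLER_UDID] = "seller"
    strong = CredentialBackend()
    strong.register("seller", "correct horse")
    token = strong.login("seller", "correct horse", SELLER_UDID)
    cached = None if seller_wiped_phone else token   # restore-as-new deletes app data
    if seller_unlinked:
        strong.unlink_device(SELLER_UDID)
    return udid_only_login(SELLER_UDID), strong.whoami(cached, SELLER_UDID)
```

On the UDID-only backend the buyer is logged in as the seller no matter what the seller did; on the credential backend the buyer only inherits the account if the seller neither wiped the phone nor unlinked it, and the unlink step closes even that case.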
  24. g35 macrumors 6502a

    Dec 13, 2007
    I think Wunder Radio does this, too. I restored as new, downloaded the app again, and while it didn't remember my favourite stations, it did remember my recent ones.
  25. VulchR macrumors 68020


    Jun 8, 2009
    Only an idiot would program apps using the UDID for login, but thanks to the OP for posting this issue. Blimey. :eek:
