Thanks for the replies!
I'm sure there are more capable people looking into this, but I personally find it hard to believe that this is a method that is still being used after the issue was raised over a year ago with Tapulous.
http://www.ipodtouchfans.com/forums/showthread.php?t=214415
Also, as can be seen from the replies so far, these are widely used apps.

I wish app reviewers would include any privacy issues when reviewing apps.
It appears that many apps do not ask for your permission to use your UDID, and many services do not give a way to opt-out or delete your personal information after the fact.
 
I wonder if that explains something that happened to me? I sold an iPod touch on eBay (after restoring) and ran into trouble with Amazon.com. "One click" orders I never placed were being charged to my account. I thought I was going nuts. All they could tell me is that the purchases were made using the "one click" feature on a mobile device (iPod touch) registered with Amazon. Took a lot of back and forth with Amazon and my bank, but I eventually got the charges and bank fees reversed. My theory is even though I deleted all the apps including Amazon and restored the device before selling, the device itself was still recognized by Amazon. I've sold devices since, but I've sworn off "one click" shopping, especially on mobile devices.

If the above was true wouldn't you have received the goods and confirmations about purchases in your email? I am assuming you would log on to Amazon at some point after the sales and notice orders.
 
Only an idiot would program apps using the UDID for login, but thanks to the OP for posting this issue. Blimey. :eek:

Apple specifically asks developers not to use the UDID for user authentication purposes, but that doesn't stop some of them from doing it anyway. To my knowledge, Apple isn't rejecting apps that do so either.
 
Apple specifically asks developers not to use the UDID for user authentication purposes, but that doesn't stop some of them from doing it anyway. To my knowledge, Apple isn't rejecting apps that do so either.

Did not know this. Sounds perfectly reasonable.
 
I wonder if that explains something that happened to me? I sold an iPod touch on eBay (after restoring) and ran into trouble with Amazon.com. "One click" orders I never placed were being charged to my account. I thought I was going nuts. All they could tell me is that the purchases were made using the "one click" feature on a mobile device (iPod touch) registered with Amazon. Took a lot of back and forth with Amazon and my bank, but I eventually got the charges and bank fees reversed. My theory is even though I deleted all the apps including Amazon and restored the device before selling, the device itself was still recognized by Amazon. I've sold devices since, but I've sworn off "one click" shopping, especially on mobile devices.

That is interesting. I guess it does have to do with a device being registered to purchase downloadable content from Amazon. I registered my TV yesterday--and I just looked on the Kindle page and see that my iPhone is registered--and there is an option to de-register it. I guess that is something to keep in mind for digital content.
 
Who cares if people can see your username? Without a password, it's worthless. What are you guys getting worked up about?

I gave my old iPhone to my mother-in-law. It turns out the app 'Hey Where Are You' uses this method.

Even though her phone was wiped and HWAY was installed from scratch, there were issues with the server sending her updates from my friends until I un-friended them and re-added them with the new phone.

So in my case it was my mother-in-law, but for someone else people may send a GPS map link to "that guy who bought the phone on Craigslist."

Kind of a problem...yeah?
 
Zynga games use the udid as well. Really stupid IMO. Do they expect us to never upgrade?

I've always found it super inconvenient to have to fill out a support ticket with them to have my game info transferred over to a new phone when I upgrade.

I never considered the security and privacy aspect of it. This is worrisome.
 
This goes for the iPad and iPod Touch as well. Why is this security issue not talked about more?

The problem as I see it is clear:
[1] Every iPhone (and iPad, iPod Touch) has a unique ID number called the 'UDID' that does not change even if you restore your device.

[2] Many apps use this UDID to identify your device and provide access to your game scores, playlists, etc.
In some cases personal contact information and authorization to other linked accounts is also provided.
This is so users don't need to register or log on. The app servers already know who you are. Or to be more specific, they know your device.

[3] Clueless user sells iPhone after restoring. Buyer downloads previously used app.
App servers identify the UDID and give access to the previous user's information.

What is frustrating to me is that there is no way of knowing what specific apps do this.
It seems that some apps just use the UDID without informing the user while some apps require you to manually input your UDID.
In any case, with UDID spoofing easily done through jailbreaking, authorization through UDID is obviously a severe security flaw.

Why is this not talked about more? What is being done to identify and prevent these potentially harmful apps?

Clearly, you have no idea how that works, huh?
 
Clearly, you have no idea how that works, huh?

He makes a valid point. I can download some apps on my gf's phone (which used to be mine) and it'll auto load all my previous information for that app because it recognizes the udid. And we really don't have any idea or an easy way to identify apps that do this.
 
Apple specifically asks developers not to use the UDID for user authentication purposes, but that doesn't stop some of them from doing it anyway. To my knowledge, Apple isn't rejecting apps that do so either.

Relevant link in Apple's iOS developer documentation:
'Important: Never store user information based solely on the UDID. Always use a combination of UDID and application-specific user ID. A combined ID ensures that if a user passes a device on to another user, the new user will not have access to the original user’s data.'

Apple should enforce this. Or as Engadget mentioned yesterday, enable users to manually disable the UDID.
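To make the resale scenario from the original post and the Apple guidance quoted above concrete, here is an added example (not code from the thread, from Apple, or from any of the apps named) of a toy server-side record store. It contrasts a lookup keyed on the UDID alone with one keyed on UDID plus an application-specific user ID; the `ScoreServer` class, the method names, the per-account secret token it adds on top of the user ID, and the sample UDID value are all constructed for this illustration.

```python
"""Added example (not from the thread): a toy server-side record store that
contrasts identifying a user by device UDID alone with the recommended
combination of UDID and an application-specific user ID.

`ScoreServer`, its method names, the per-account token and the sample
UDID/user values are constructed for this illustration.
"""
from dataclasses import dataclass, field
import hashlib
import secrets


@dataclass
class ScoreServer:
    # Weak store: the only key is the device identifier.
    by_udid: dict = field(default_factory=dict)
    # Recommended store: key is (udid, app-specific user id). The user id is
    # issued once per account and protected by a secret token, not by the
    # device alone (the token is an assumption added for this example).
    by_udid_and_user: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)  # user_id -> sha256(token)

    # --- weak pattern: device == user ---
    def save_by_udid(self, udid, scores):
        self.by_udid[udid] = scores

    def lookup_by_udid(self, udid):
        # Whoever presents this UDID (the phone's next owner, for instance)
        # receives the previous owner's data.
        return self.by_udid.get(udid)

    # --- recommended pattern: device + app-specific user id ---
    def register_user(self, udid, user_id):
        """Create an app-specific account and return a secret token the app
        must keep (e.g. in the keychain) and present with every request."""
        token = secrets.token_hex(16)
        self.tokens[user_id] = hashlib.sha256(token.encode()).hexdigest()
        self.by_udid_and_user[(udid, user_id)] = {}
        return token

    def save_by_udid_and_user(self, udid, user_id, token, scores):
        if not self._authenticated(user_id, token):
            return False
        self.by_udid_and_user[(udid, user_id)] = scores
        return True

    def lookup_by_udid_and_user(self, udid, user_id, token):
        # A restored device passed to a new user no longer holds the token,
        # so the new owner cannot reach the original record even though the
        # UDID is unchanged.
        if not self._authenticated(user_id, token):
            return None
        return self.by_udid_and_user.get((udid, user_id))

    def _authenticated(self, user_id, token):
        stored = self.tokens.get(user_id)
        if stored is None or token is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return secrets.compare_digest(stored, presented)


def demo():
    """Walk through the resale scenario and return what each pattern exposes
    to the device's second owner: (weak_lookup_result, recommended_lookup_result)."""
    server = ScoreServer()
    udid = "constructed-udid-0000"  # constructed sample value

    # First owner plays, then restores the device and sells it.
    server.save_by_udid(udid, {"high_score": 9001})
    token = server.register_user(udid, "alice")
    server.save_by_udid_and_user(udid, "alice", token, {"high_score": 9001})

    # Second owner installs the same app on the same hardware; the restore
    # wiped the app's stored token, but the UDID is the same.
    leaked = server.lookup_by_udid(udid)
    protected = server.lookup_by_udid_and_user(udid, "alice", None)
    return leaked, protected


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the first owner's record from the UDID-only lookup and `None` from the combined lookup, which is the difference the Apple note is describing: the device identifier survives a restore, so anything keyed on it alone survives the change of owner too.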
 
Apple should enforce this. Or as Engadget mentioned yesterday, enable users to manually disable the UDID.

The Engadget story was ridiculous FUD and didn't speak to any real issue. Disabling UUID would do little to nothing in protecting user privacy. Yes there is a real issue with the way UUID is implemented by some apps as the only means of authentication, but this doesn't open any significant new means of tracking users.
To track a user, the app needs first to be manually installed by the user and launched. At that point the app just makes its own identifier regardless of UUID. Sure a UUID based identifier will survive an uninstall/reinstall, but how many users uninstall and reinstall an app as a means to reset security?
Frankly, the issue is with the App not being secure, not the OS. Apple should better enforce this, but in fairness, testing back-end security is a very difficult thing to do.
 