Pandora Radio Security Concern

Discussion in 'iOS Apps' started by mct74, Jul 7, 2009.

  1. mct74 macrumors member

    Aug 15, 2008
    So I bought a new iPhone 3Gs last week and sold my old 3G to a buddy. Before giving my old phone to him, I went through the Factory Restore and the "Erase All Content and Settings", which took about 2 hours. Phone was basically in like-new form when I handed it over (no apps or settings were on it).

    Anyways, my buddy started downloading apps and programming them with his login credentials where appropriate (ie. Facebook, Tweetdeck, etc. - all of which I also had installed on the phone prior to me blowing it away). No issues until he downloaded Pandora... When he opened the app for the first time, it populated with my old stations. He thought that was odd since he had never heard of some of the groups that were in there. He dug a little deeper and found my e-mail address in the app's settings. He quickly realized what had happened...

    The app somehow connected to the Pandora server and must have done some type of handshake based on the unique ID of the iPhone itself to sync, rather than prompting for a username and password like all the other apps he had installed.

    Granted, not really a huge security risk here since all he was able to do was delete my stations and add others, overwriting my saved settings in a simple online radio app, but the thought of this happening to a more data-sensitive app made me cringe.

    2 Questions:

    1 - Has anyone else noticed this? (Even on just a factory restore of your phone - have you noticed that Pandora connects right up without having to put in your credentials upon re-installation?)

    2 - Has anyone noticed this activity with any other apps? (he tested quite a few apps like Facebook, DirecTV, Amazon, Ebay, etc. and all of them behaved like you would expect - they prompted for a username and password)

    Just curious...
  2. Rayfire macrumors 68030


    Aug 25, 2008
  3. emt1 macrumors 65816

    Jan 30, 2008
    Pandora saves radio stations and settings using the phone's UDID. I like it that way, because when/if I wipe and reinstall, everything is saved without having to login.
  4. GfPQqmcRKUvP macrumors 68040


    Sep 29, 2005
    And then if more apps follow Pandora's example then you have a security issue.
  5. mct74 thread starter macrumors member

    Aug 15, 2008
    Yep - I intend to. Just wanted to gather as much information first and see if anyone else has seen this or if it was isolated to my situation. Sounds like this is happening to others from the above poster... Convenient? Yes. Security Nightmare? Absolutely. Let's hope other apps don't follow this careless methodology. At least they should give the user an option to associate the account with the UDID, or whatever it is called. That way the user can choose whether to have the convenience, but when it is time to sell the phone, they can disassociate the device from the account.
  6. OneMike macrumors 603


    Oct 19, 2005
    I dislike apps that operate this way. To name a few

    imob - tied to UDID. no personal but if you change phones you can't get account back. At least not as far as I've seen including contacting support who don't respond. No big deal.

    twinkle - tied to UDID. Stores your twitter account password as well as your tapulous account. there is a signout device option but it's a couple screens deep.

    zynga poker - UDID also and you can link facebook too it.

    I really hate apps like that. it's nice for simplicity of reinstalling but when changing devices it's a pain. at least twinkle lets you change devices but I think the signout feature should be more visible

Share This Page