How Secure Is Our iDevice Data? Not Very Much - Report
May 4, 2011
Much has been made in recent days of Apple’s so-called “consolidated.db” file and its ability to track our every move using an iDevice. However, while Apple is set to eliminate those concerns by way of an iOS 4.3.3 update, this doesn’t end the matter in terms of privacy. In fact, Aldo Cortesi believes iDevice owners should be more concerned about something that isn’t going away with the update. Namely, the UDID.
Cortesi, who hosts a blog at http://corte.si, is a network security specialist and software developer based in Dunedin, New Zealand. Therefore, his analysis is backed up with experience and know-how.
Short for Unique Device Identifier, the UDID comes standard with every iDevice sold. Like a social security number, the UDID cannot be changed or removed.
According to Cortesi, because of its uniqueness, this number is exposed to app developers through an API, without requiring permission from the iDevice owner. Naturally, this exposes each of us to privacy breaches.
On the surface, the UDID isn’t really a problem, since UDIDs aren’t tied to user information. In fact, Apple makes it clear to app developers that they cannot publicly link a UDID to a user account.
However, Cortesi has proven that this is very easy to do.
First, it is important to post this paragraph from Cortesi’s report, since it will give you an idea of how a UDID is used in practice:
Few Apple users realise just how widely their UDIDs are used. Research shows that 68% of apps silently send UDIDs to servers on the Internet. This is often accompanied by information on how, when and where the device is used. The most common destination for traffic containing a user's UDID is Apple itself, followed by the Flurry mobile analytics network and OpenFeint, a mobile social gaming company. These companies are uber-aggregators of UDID-linked user information, because so many apps use their APIs. Trailing behind the big three are thousands of individual developer sites, ad servers and smaller analytics firms. Users have no way to stop their device from offering up their UDID, telling who their data is being sent to, or even telling that it's happening at all.
To see how easy it is to tie a UDID to personal information, Cortesi published a tool called mitmproxy. With it, one can intercept and monitor SSL-encrypted HTTP traffic. He states:
Using mitmproxy to view the encrypted traffic sent by my own iOS devices, I was able to observe protocols and data flows that have clearly received very little external review. A slew of interesting security results followed (keep an eye on this blog), but by far the most alarming was the fact that it was possible to use OpenFeint to completely de-anonymize a large proportion of UDIDs.
After reaching his conclusion, Cortesi contacted OpenFeint to express his concerns. Although OpenFeint stated it had “tightened their API in response to (the report),” it didn’t go far enough. In the end, OpenFeint responded by stating:
"We will continue to pay attention to the issues you raised and will continue to adjust our practices as necessary."
Currently, OpenFeint’s API still allows you to associate a UDID with private user information. This issue isn’t exclusive to OpenFeint. In fact, Cortesi believes Apple actually encourages it. He states:
I want to stress that the problem here is not primarily with OpenFeint. By designing an API to expose UDIDs and encouraging developers to use it, Apple has ensured that there are literally thousands of databases linking UDIDs to sensitive user information on the net. A leak from any one of these - or worse a large-scale de-anonymization like the OpenFeint one - inevitably has serious consequences for user privacy.
Cortesi's article is a must-read for anyone concerned with privacy. Unfortunately, for the time being, it doesn't look like anything is being done about the possibility of tying an iDevice's UDID to private information. What do you think? Leave your comments below.