Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling Take Control ebooks.

 

 

Pick an apple! 
 
Just Show Me the Pictures!

Do you ever find that you don't have time to read those long email missives from Aunt Carol, but really do want to see the photos that she has lovingly attached? In Apple Mail, click the Quick Look button located in the message header. You'll get an easily browsed view of just the attached photos, and you can even add them to iPhoto, if you like!

 
 

The Mystery of the Disappearing UDID

Send Article to a Friend

Every release of iOS comes with a healthy share of new features, updates, tweaks, and the inevitable accusation that Apple is up to no good.

Case in point, TechCrunch broke the news last week that the latest beta of iOS 5 begins to phase out developer functionality that can be used to track individual devices.

The rest of the Mac punditry machine quickly piled on, accusing Apple of trying to shut competitors out of the iPhone market and claiming that developers will no longer be able to provide users with services like scoreboards, personalized accounts, and goodness knows what else.

There seems to be general agreement, therefore, that this change (which Apple, true to form, made in the latest beta with little fanfare) is a Big Deal. There’s also a lot of confusion, however, on exactly what a UDID is, what it does, and why it is being discontinued.

UDID, What Art Thou? -- The term “UDID” is an acronym that stands for “Unique Device IDentifier.” It’s a unique 160-bit number that is calculated by iOS based on several hardware characteristics of a device; as its name implies, each iPhone, iPad, and iPod touch has its own UDID.

Apple uses UDIDs for a number of different purposes, including sending push notifications, managing ad-hoc provisioning (which is used by registered developers and enterprise users to distribute apps outside of the App Store), and so on.

Until now, the UDID has also been available to developers, who have traditionally used it whenever it has been necessary to track individual devices — for example, to provide scoreboards, or offer additional personalized services.

There is nothing wrong with this: the UDID is not a secret and cannot be used to steal any information from the user. In fact, Apple even provides a helpful support article that explains how you can find a whole alphabet soup of identifiers associated with your device.

Unfortunately, the fact that the UDID is available to every app without the user’s consent has led to an unexpected consequence: third parties, like ad networks, have been able to use it to track usage across multiple apps, thus breaking a primary tenet of iOS, that apps run in complete isolation from one another, in part to protect the user’s privacy.

Given how steadfastly Apple has defended this feature of its mobile operating system in the past, and the fact that the company has already been sued for “allowing” apps to provide information to advertisers, the fact that UDIDs are going the way of the dodo shouldn’t come as a big surprise.

What Is Apple Doing? -- In hindsight, in fact, Apple’s response to this problem has clearly been in the works for a long time. Over the past few years, the company has rolled out several services that aim at providing developers with alternatives to the types of features most likely to depend on UDIDs, like scoreboards and network gaming (Game Center), ads (iAds), and so on.

Apple is now preparing for the final strike: removing access to UDIDs to thwart those parties that have happily worked around iOS’s privacy model.

Because of the potential impact on so many developers, however, Apple is going about making this change in a deliberate manner. Contrary to several reports that have found their way on to the Web, Apple hasn’t “killed” developer access to UDIDs. Rather, they have simply “deprecated” the functionality, advising developers that it’s likely that it will be removed from a future version of the operating system. To put things in perspective, Mac OS X 10.7 still includes functionality that has been deprecated since 10.2 (although my feeling is that Apple will move much more quickly in this case).

In the immediate future, therefore, nothing has changed. UDIDs are still available to developers, and apps that depend on them will continue to function without problems.

What Happens when UDIDs Disappear? -- Think of this initial move as a call to action. Apple is telling developers that it will, sooner or later, make developer access to UDIDs go away.

Those who have needed access to UDIDs for reasons that Apple sees as legitimate are likely in for some work converting their apps to the appropriate technology provided by iOS, but should otherwise have no problem providing their users with uninterrupted service and no loss of data. As a bonus, the user experience connected with these services will be uniform, resulting in fewer headaches for both users and developers.

Interestingly, even those companies that make “inappropriate” use of UDIDs are unlikely to find themselves completely in the lurch. Since there are several well-established ways of identifying any device connected to the Internet, these developers should be able to continue offering their services without having to depend on an Apple-provided identifier.

Why the change, then? I think it likely stems from two desires on Apple’s part. The first is that UDIDs are highly specific: barring a mistake in Apple’s manufacturing process, these identifiers are guaranteed to be unique — unlike the information that can be gathered through the other methods that I mentioned above. Apple is likely worried about both the perceptual and legal liability of tacitly enabling apps that track users without user-granted permission.

This also leads to Apple’s second desire: Apple wants to tout iOS as the most secure and privacy-conscious mobile operating system on the market, bar none. If developer access to UDIDs enables app usage to be tracked without user knowledge, it’s that much more difficult for Apple to make that claim.

Finally, there is a third possibility: that Apple is, in fact, trying to block third parties from encroaching on the businesses that it intends to create around technologies like Game Center and iAds. It’s not inconceivable, but given that neither iAds nor Game Center seems to be a big money maker for the company, this seems like a rather weak argument.

 

READERS LIKE YOU! Support TidBITS by becoming a member today!
Check out the perks at <http://tidbits.com/member_benefits.html>
Special thanks to Alex S. Leung, Gilles Brissette, Thomas Heatly, and
David Small for their generous support!
 

Comments about The Mystery of the Disappearing UDID
(Comments are closed.)

Bryan Walls  2011-08-22 20:15
All current iPhones have encryption built in that's based on a unique device certificate. Couldn't a developer encrypt the word "secret" using the device's private key, and use the result? It's not guaranteed unique, but the chance of a collision would be very low.

Apple could provide an API that does something similar. You basically need some token that is unique for each application+device, but where having a token doesn't tell you what other apps' tokens would be.
David Weintraub  2011-08-23 01:35
Depends upon the encryption... That would work if the encryption was a simple substitution, but not if it was a more complex cypher such as PGP.
It seems that Apple could force developers out into the open by given access through another function that requires user granted privileges. They could also vet apps on their usage. The penalty could be something steep, like disbarment from the Apple store
David Weintraub  2011-08-23 01:33
Developers could always identify a user via login, and that's probably a better method anyway. I get a new iPhone, login, and you find me.

Advertisers liked the UUID because it was a way they knew that User "A" in Application B" is the same person as user "C" in application "D". Even better, they could track you even in software where you didn't log in.
Firitia  2011-08-23 06:22
What about serial numbers?