Essentials of Apple’s UDID
Posted: August 22, 2011 | Author: jkaufman | Filed under: Apple News, iOS, iPhone | Tags: Deployment, Development, OTA, UDID
According to reports, Apple has announced to developers that they may no longer access iOS devices’ unique identifiers, or UDIDs, from their apps. While this is a pretty dry announcement buried in deeply technical release notes, it has far-reaching implications.
The acronym UDID stands for Unique Device Identifier. It is a 40-character sequence used to identify a particular iOS device. It can be thought of as a serial number, social security number, or permanent cookie.
App developers often save it along with other data from their apps. Analytics companies send it with app usage data. Ad-networks collect it to identify behavior and track conversions across apps.
Unlike other IDs, companies don’t have to ask permission to use a UDID and there are no laws restricting how it’s used or shared. UDIDs are used widely in iOS development and the decision to restrict them impacts app development, distribution and consumer usage.
Registration
Some mobile apps streamline login by treating the UDID as a kind of user token. These developers will need to add a registration step and link to either iCloud, Facebook, GameCenter or their own identity service. Other developers, like Pandora, use the UDID to log users in automatically, even after they’ve reinstalled the app or wiped their device. Shazam employed a similar technique to provide long-time users with a free subscription. But it’s worth pointing out that a UDID, alone, doesn’t identify any one user.
Services that rely on just a UDID are making a bet that devices are never shared, sold, replaced, lost, hacked, or stolen. Jailbroken devices can easily forge a UDID, putting personal data and trust at risk. Bad move.
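To make the difference concrete, here is an added example (not code from this post or from any app named in it) that puts a UDID-only login next to the registration step recommended above. The class names, the account name and the sample UDID are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a 40-character string standing in for a device's UDID.
SAMPLE_UDID = "a1b2c3d4e5" * 4


class UdidOnlyService:
    """Weak pattern: whatever UDID the client reports is the whole credential."""

    def __init__(self):
        self.accounts = {}  # udid -> account name

    def register(self, udid, account):
        self.accounts[udid] = account

    def login(self, reported_udid):
        # The server cannot tell the original owner from a resold, shared or
        # jailbroken device that reports the same value.
        return self.accounts.get(reported_udid)


class TokenService:
    """Registration step: the server issues a random secret per account."""

    def __init__(self):
        self.token_hashes = {}  # account -> SHA-256 of the issued token

    def register(self, account):
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to hardware
        self.token_hashes[account] = hashlib.sha256(token.encode()).digest()
        return token  # the app stores this; the server keeps only the hash

    def login(self, account, token):
        stored = self.token_hashes.get(account, b"\x00" * 32)
        presented = hashlib.sha256(token.encode()).digest()
        matches = hmac.compare_digest(stored, presented)  # constant-time compare
        return matches and account in self.token_hashes

    def revoke(self, account):
        # Device sold, lost or stolen: the old token stops working at once.
        self.token_hashes.pop(account, None)
```

With the token scheme, knowing or reporting the UDID gains nothing, and a device that changes hands can be cut off with `revoke` without touching the hardware identifier.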
Ad Services and UDIDs
Without a doubt, the announcement will hurt ad networks the most. Advertisers leverage UDIDs to collect data about a single user from dozens of unrelated apps. For example, an ad network might deduce your sex from a shopping app, age from a game, profession from a utility, and geographic location from a fitness tracker. Because your phone’s UDID is unique, companies are able to stitch together a detailed persona of who you are, what ads you’ve seen, and the sorts of products you might buy. All of this is made possible by linking your identity to a UDID. There are analytics and demographic research companies that actively buy and sell this data for very large sums of money. Frequently, users don’t know this is possible and even app developers may be unaware of how ad networks aggregate and monetize such data.
The UDID is currently the only way to track an advertising conversion from an ad in one app to the installation of another app. Ad networks that promise “pay-for-performance” depend on UDIDs to track these metrics. Without a UDID, advertisers have no way to correlate clicks with installs.
Deployment
Apple allows developers and small companies to deploy their apps to registered, or “provisioned,” devices. The provisioning process is complex and technical, requiring that developers submit a UDID for each device approved to run their app. Several tools have emerged to facilitate the process (our own AppBlade deployment hub shares this stage with testing services like TestFlight and HockeyKit).
Since Apple’s own security for provisioning relies on UDIDs, it is unlikely that this restriction will initially impact deployment services. Apple’s recommended procedure to perform OTA (Over the Air) installs for both Ad-hoc and enterprise MDM (Mobile Device Management) systems requires the use of UDIDs to lock down certificates to a particular device.
At this time UDIDs remain available for OTA installs. Deployment via enterprise MDM will likely continue to provide UDIDs because an MDM server has deeper access to the internals of the device, including the ability to enumerate hardware settings and even list all installed applications.
Workarounds
Some developers have suggested using alternative system information that also uniquely identifies a device, such as the MAC address of the WiFi chip. We don’t expect this will last long.
Other cross-app ID workarounds include techniques like device fingerprinting and persisting data in address book entries or calendar events. The Facebook contact syncing feature arguably does this already.
Still, the prevailing attitude around Apple violations is “we’ll know it when we see it.” Workarounds that break the spirit of a rule are likely to be rejected just the same.
Android
A similar privacy issue exists for Android where an application can access a unique device identifier. This is often called the IMEI for GSM devices or the MEID on CDMA phones.
Summary
The unavailability of UDIDs should not impact most developers in the long term and will create a stronger sandbox for customers concerned about privacy.
Conversion tracking in advertising may face some issues, but there will be very few other lasting consequences. Developers looking for an alternative to identify users will move to system frameworks like iCloud and GameCenter or third-party identity services such as Facebook and Twitter.
