

De-anonymizing Apple UDIDs with OpenFeint - morganpyne
http://corte.si/posts/security/openfeint-udid-deanonymization/index.html

======
extension
I would imagine there are plenty of ways to get a unique ID for a phone, by
fingerprinting the system or saving a cookie, so Apple providing an ID in the
API is not really an issue. These are the issues:

1\. OpenFeint needs to lock down their DB

2\. Phones are great for spying on people

------
bitanarch
tl;dr version: it shouldn't be possible to pull out somebody's account
information based solely on the UDID.

It's simply wrong to authenticate people based solely on UDID anyways - what
if the same user have one iPhone 3GS, one iPhone 4, and an iPad 2? In that
case you'd need another authentication mechanism to make sure the three
devices belong to the same user. The UDID is good only for telling the devices
apart. So if you gave me Jane's iPad's UDID, I shouldn't really do anything
unless I've made sure you're Jane in the first place.

~~~
MichaelApproved
Or what if I sold my device to someone else. Does that mean they can login as
me with my old phone and udid?

~~~
sathyabhat
Yes, that's what happened to me. I sold my iPhone 3G to my friend ( obviously,
I had wiped it before handing it over to him).

Now, I had Fruit Ninja installed, and I had signed up for openFient.. and
approved the facebook connect.

Imagine my surprise when a day later - my friend installed Fruit Ninja - so
not only did it log me in, it also published to my facebook wall as me. Ended
up revoking permissions - something which I should have done, but forgot to do
so.

------
mike-cardwell
It wouldn't surprise me if something similar were happening on Android. To
minimise issues like this, I use DroidWall on my rooted G1 to prevent apps
connecting to servers on the net if I don't think they have a good reason to.

~~~
asymptotic
FTA, keep in mind that issue is not whether there are unique identifiers of
any sort on phones. Any of the IMEI, SIM, or UUID (or equivalent) on a phone
can uniquely identify you. This is a fact of life.

However, the real issue is whether your phone can share such information
_without your explicit permission_. This is _not possible on the Android_.

[http://stackoverflow.com/questions/2322234/how-to-find-
seria...](http://stackoverflow.com/questions/2322234/how-to-find-serial-
number-of-android-device)

You need to have android.permission.READ_PHONE_STATE permissions in order to
get the unique identifier, hence users, before installing an application, will
be able to determine whether their particular application is capable of doing
so.

~~~
MichaelGG
FFS, that's what "Read phone state" means? I've been installing apps that
request that as I thought it meant it let them not interrupt my calls, or
closer nicer when a call comes in, or something along those lines. It seemed a
bit odd, but I had no idea it exposed yet another unique ID.

Android needs a system-wide setting that simply returns a null ID (or
app+hardware specific ID, so it's useless for tracking) to all apps,
regardless of specific app permissions.

~~~
biafra
In the Android Market it says:

\----- SNIP -------

Phone calls

read phone state and identity

Allows the application to access the phone features of the device. An
application with this permission can determine the phone number and serial
number of this phone, whether a call is active, the number that call is
connected to and the like.

\----- SNIP -------

But those should be two separate permissions. One for checking if the user is
on a call and a different one for reading the UDID, IMSI or IMEI.

------
Entlin
"not permitted to publicly link a UDID to a user account"? Really? But that's
exactly what Plus+ is doing:

Register in Plus+ game 1, then open Plus+ game 2 and it promptly recognizes
your account.

Appalling.

~~~
kalleboo
The Apple document reads "publicly associate", which I read as "don't show the
UDID under a user profile".

But it _also_ says "Never store user information based solely on the UDID.
Always use a combination of UDID and application-specific user ID."

------
ignifero
Notice that the pattern becomes problematic when you include facebook in the
picture, because that's where people give away their real data. I don't think
it's an issue with UDIDs - they are an essential component with minimal
privacy implications in itself. The problem is mostly with facebook's weak
privacy tactics. There is no privacy setting that can hide your fb uid, and
indeed, facebook has been very lax about giving it away to just about anyone.

