Apple Blocking Unique Device Identification May Make iOS Less Secure, Not More Secure
Posted by Bob Warfield on August 22, 2011
Apple’s decision to deprecate access to the Unique Device ID (UDID) is problematic for a lot of applications besides advertising and other privacy-challenged cases. It will actually make the devices less secure, not more secure as many imagine. “Deprecation” can mean anything from eliminating the capability entirely to making enough changes in the API that dealing with them requires a lot of work, and all points in between. I’m hoping that rather than doing away with the deprecated capability, they will instead embellish it so it can only be used for good.
What is a UDID and why is it a problem for anyone?
The UDID is a threat to privacy because an application can uniquely tell which device it is running on by checking the UDID. It’s kind of like having the device say, “This is Bob’s iPad, not Mary or Jane’s iPad.” As such, it can use that information to index the behavior on that device over time and transmit information about how it is being used back to some central service. In other words, it can keep that service apprised that not only did you look into wedding-related arrangements on one particular day, but you’ve been steadily looking at them more and more over the last week. Hey, maybe you’re involved in a wedding! The advertisers would love to target that.
But there are other cases where the UDID can be pretty handy. Consider security. Revealing too much information seems like the antithesis of security, but in fact, being able to reliably identify who is using your credit card is pretty valuable. So much so that it is the essence of credit card security. Being able to limit that credit card use to devices that have been verified might just save you a lot of pain in the identity theft department. Perhaps your corporate IT or SaaS software provider would like to be able to identify and track which devices are accessing sensitive corporate data. They would like to do that so they can limit access to devices that have again been carefully verified (the credit card case), but also so they can audit whenever changes to data are made and know which device made the changes.
This all hinges on the idea that it is harder to physically steal the device than it is to steal your password–a bet I would certainly be willing to make and I suspect you would too. If you can’t reliably and securely identify the device, you’re left with nothing but the password. But having both the correct password and knowing it was entered from a valid device is a much more secure proposition.
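The “password plus verified device” proposition above, as an added example that is not from the original post: a hypothetical service (constructed here, not Apple’s API) that stores a salted password hash per account, keeps a set of verified device identifiers, refuses a login unless both checks pass, and records which device made each attempt so that later changes can be audited. `device_id` stands in for whatever stable identifier the platform exposes; the account data and identifiers are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical service: nothing here is Apple's API. A "device_id" is whatever
# stable device identifier the platform hands the app (the UDID in the post).


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    verified_devices: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored value is not a plain hash of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Audit trail: (user, device_id, outcome). The device column is what a
        # raw password check alone cannot give you.
        self.audit_log: list[tuple[str, str, str]] = []

    def register(self, user: str, password: str, device_id: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), {device_id})

    def verify_device(self, user: str, device_id: str) -> None:
        # Enrolment of an additional device happens out of band (e.g. after the
        # user confirms it through a channel the attacker does not control).
        self.accounts[user].verified_devices.add(device_id)

    def login(self, user: str, password: str, device_id: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            self.audit_log.append((user, device_id, "unknown user"))
            return "denied: unknown user"
        # Constant-time compare of the derived hash against the stored one.
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            self.audit_log.append((user, device_id, "bad password"))
            return "denied: bad password"
        # Correct password is not enough: the device must be one we have verified.
        if device_id not in acct.verified_devices:
            self.audit_log.append((user, device_id, "unverified device"))
            return "denied: unverified device"
        self.audit_log.append((user, device_id, "login ok"))
        return "ok"


def demo() -> list[str]:
    # Constructed sample: Bob registers from his iPad, then someone with his
    # password tries from a device Bob has never verified.
    svc = AuthService()
    svc.register("bob", "correct horse battery staple", "device-bob-ipad")
    results = [
        svc.login("bob", "correct horse battery staple", "device-bob-ipad"),
        svc.login("bob", "correct horse battery staple", "device-unknown"),
        svc.login("bob", "wrong password", "device-bob-ipad"),
    ]
    svc.verify_device("bob", "device-bob-phone")
    results.append(svc.login("bob", "correct horse battery staple", "device-bob-phone"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit log is the piece the corporate IT case in the post asks for: every entry names the device, so a change made under a valid password from an unexpected device is visible after the fact, not only at login time.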
Apple shouldn’t eliminate this capability; rather, they should look at ways of regulating its use so that it is used for good and not evil. If they don’t provide an alternative and simply eliminate UDIDs, they’re just making identity theft easier. Which would you choose if you’ve only got 2 choices:
1. Easier Identity Theft
2. Easier tracking of your online behavior
Here’s the other reality, which works sort of like the argument about gun control. You know, the one where they say the criminals will always have guns? In this case, for purposes of doing the kind of invasive tracking advertisers need, they don’t have to be perfectly right. Being nearly right, or right most of the time, works pretty well for them. In the worst case they’re just going to show you a couple of ads that aren’t of interest. But when you’re fighting credit card fraud and identity theft, it’s more important to avoid being “almost right”. Almost right in those cases means they’re going to choose the flavor of “almost right” that’s conservative to their interests. They’re going to assume, in other words, that fraud is happening more often than it is, which penalizes you with a credit card being turned down too often.
How’s that happen?
Well, there are lots of ways to go around the UDID to try to get some sort of “signature” going to identify the device. These boil down to collecting some sort of “fingerprint” for the device, or to leaving cookies of one kind or another hanging around. The cookies get more and more surreptitious as the arms race continues against those who want to delete tracking cookies. The fingerprints are more interesting because they’re passive. Nothing new has to be added to your machine. Instead, they rely on the idea that you will inevitably personalize your machine, and this personalization adds information that can be cataloged to provide the fingerprint. You can’t avoid it, no matter what you do. Your machine will have a series of things that are unique about it. For starters, you will have a unique set of applications and versions of those applications installed. You may have a unique set of fonts installed. Your wallpaper may be different. The photos in your photo folders are different. If the fingerprint software is clever, it runs a lot of different checks and keeps what it is looking at very secret.
Suffice it to say the marketing guys will find a way to track you.
Apple can’t stop that, but it can certainly make it hard, and it can continue to allow the UDID API to work, with the requirement that anyone using it has to go through a process to get their app authorized to access it. That process should involve explaining to Apple exactly why you need to use it and making sure that use is for good and not evil. And of course, the identity pirates can certainly find ways of spoofing the UDID, but that’s also an area Apple can work on, and it is again one more piece of information they must have (i.e. the actual UDID) before they can do anything. Just providing an API that makes the UDID look different to every application would be one way to make the fraudster’s job that much harder.