SecureUDID Is An Open Source Solution To The Apple UDID Problem

As we reported this weekend, Apple has started ramping up its efforts to deprecate the UDID – the unique identifier that ties a user to a specific device, like an iPhone or iPad. The company originally announced its intentions to phase out the UDID’s use more than six months ago, with the release of iOS 5, but it recently began to reject apps from the App Store which are attempting to access those identifiers.

Today, the makers of a crash-reporting solution for mobile developers, Crashlytics, is launching an open source alternative to the UDID called SecureUDID, which it believes will address the privacy concerns surrounding UDID usage.

To catch you up on the UDID situation, if you’re unaware, Crashlytics co-founder Jeff Seibert explains that Apple likely never guessed at how prevalent – and yes, unrestricted – its usage would become in the future.

“When Apple rolled out the original iPhone, they really had no intention of [UDIDs] becoming a security problem. They used them exactly as they do today – so they could uniquely identify devices. I don’t think developers or Apple anticipated the leaks of the UDIDs associated with other potentially private information would be such a problem.”

Seibert says that the situation escalated due to the heavy use of the UDID – some 68% of applications are now transmitting them, combined with a bit of irresponsibility on the part of some developers.

“They didn’t treat it as something private. They would send it over as clear text. They would store it in their database in clear text. And they would then make it available, whether through their API or on their site, for hackers or people researching to sniff the data.”

He says that the biggest issue with the UDID is that it’s a single value, like a social security number which is tied to your device and that you cannot change.

When Apple announced its intentions to deprecate the UDID, everyone began scrambling for solutions. AppsFire was one of the first companies to launch an alternative – an open source solution called OpenUDID. In fact, Crashlytics’ own Sam Robbins was a contributor to that initiative. But over time, the company grew to believe that the OpenUDID solution was not ideal.

Although users could opt out of data collection with OpenUDID, as they now will be able to with SecureUDID, the former was stuck with the assumption that there’s one unique number per device. That means, says Seibert, that it didn’t really address the issue of leaked data. If one developer leaked your OpenUDID, you would have the same problem as when a developer leaked your Apple UDID. That is, another developer could get the data and be able to tie that data to your device.

So instead, the new solution called SecureUDID will still allow developers to differentiate between devices, which is what they need for analytics purposes, but now that identifier is different from every other developer’s UDID for that same device. Developers can then track users across their own apps, but now there’s no way to match data between different organizations.

This appears to address the privacy concerns associated with the original UDID’s use, as it’s no longer a global identifier tying a device to a single user. And users that don’t want to be tracked at all, can choose to opt-out. (Developers will get a string of zeroes for them, which tells the app to show them the default settings in that case). Interestingly, there will be an iOS app that allows for the opt-out process, but it’s waiting App Store approval. I guess it’s time to see what Apple thinks of the new system.

As for developers, SecureUDID implementation is easy enough – three lines of code is all that’s needed. The solution is being made available as open-source, MIT-licensed code, which Crashlytics hopes will attract support from the developer community, including even those building for Android.

To be clear, SecureUDID isn’t the only alternative method available today. Besides OpenUDID, there are other third-party solutions in development, plus many developers have begun to use MAC addresses. However, with many solutions, and especially MAC addresses, privacy concerns remain.

More details regarding SecureUDID are available here.

UPDATE (Wed. AM): AppsFire is pissed! The company behind OpenUDID has responded to the way SecureUDID’s launch was handled calling it “lame and inelegant” and a breach of open source project “netiquette.” Read their blog post here for all the details.

Crashlytics says it will be writing its own reply, too. Blog fight alert!

UPDATE #2 (Wed. PM): Crashltyics has posted its response to its blog, which is more of a retelling of how SecureUDID came to be. The pertinent part is towards the bottom in the section that starts: “After an internal debate, we determined that modifying OpenUDID would fundamentally not work. OpenUDID is predicated on having a global identifier for the device — basically the same as the now-deprecated Apple UDID. We needed to remove that requirement to address the privacy issues, and making that modification would mean all the developers who used OpenUDID would suddenly get new, random, non-global ID’s. Developers wouldn’t be happy waking up one morning and finding out that the OpenUDIDs they relied on were now broken. We had to write the code from scratch.”