What Does A Post-UDID World Look Like For iPhone And iPad Developers?

This past week has been a big wake-up call for the iOS developer community. The need to move away from UDIDs, an ID scheme that many developers rely on to power advertising and store data about their users, took on extra urgency after Apple issued a few app rejections related to UDID use over the past week and a half.

Even though Apple told developers that it would deprecate UDIDs about six months ago, the community hadn’t yet converged on a good alternative.

There is a lot of misinformation right now. Because Apple often communicates policy changes through one-off app rejections instead of publishing a clear and transparent notice to everyone, developers get incredibly aggravated by rumors. While being super secretive stokes consumer appetite for Apple products, it’s a ridiculously awful way to operate a platform that 700,000 apps rely on.

Chartboost, which does direct advertising trades between developers, sent out an e-mail last night saying that the stories about UDID rejections are “completely fabricated.”

But another indie developer, TapBots, posted an actual copy of a rejection notice they received this morning (pictured below).

So what is going on? 

As of this morning, apps are still getting through the approval process even if they access UDIDs, according to conversations with some of the ad and install networks. The distinction is that they need to disclose this fact to users and ask for permission.

“There is literally not one developer’s app that we could find that had a rejection due to UDID alone,” said Peter Farago, who is vice president of marketing at Flurry, a mobile analytics company that serves more than 160,000 apps.

But is the UDID still going away some day? Yes, but I don’t know the timeline. Amid media and Congressional scrutiny, Apple is moving away from letting developers access UDIDs, or unique device identification numbers. UDIDs carry more privacy risks than cookies on the web, because they can’t be cleared or deleted and they’re tied to the most personal of devices — the phone we carry with us everywhere.

What can you use instead? Here are a bunch of competing methods for generating IDs. (Forgive me because I’m not technical. But this is my best understanding about the relative advantages and disadvantages of each method.) If you want to read an ad platform’s take on this, Jim Payne at MoPub has a survey of all the techniques as well.

Device Fingerprinting:
This is a way of generating an ID number from a number of characteristics about a user, like what kind of mobile browser they have, the device they’re using or their location. You need many parameters to generate enough combinations so there aren’t duplicates.
Who’s doing it? Mobile App Tracking, a Seattle-based firm. The company behind it, HasOffers, counts LivingSocial and Zynga among its clientele. They charge 5 cents per install for 0 to 5,000 installs, 3 cents per install for between 5 and 25,000 installs and a penny an install once you get past 25,000 installs.
Pros: It probably won’t get rejected as it’s outside of Apple’s control.
Cons: It’s a probabilistic approach that carries the risk of generating duplicates. Mobile App Tracking says they minimize this by only generating a fingerprint at one point in time when the user initially opens the app. “Over a long period of time, fingerprinting can produce discrepancies. But the reason we’re seeing such a high percentage of accuracy is because we’re only fingerprinting for a short period of time,” says Micah Gantman, the director of mobile business at HasOffers, the company behind Mobile App Tracking.
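The duplicate risk described above can be put into numbers. The following is an added example, not code from Mobile App Tracking or any vendor named here; the attribute names and their shares are constructed, and the attributes are assumed to be independent. It computes the expected share of installs whose fingerprint collides with another install as parameters are added, and for a given number of installs being compared.

```python
from itertools import product
from math import prod

# Constructed attribute distributions (value -> share of installs); not measured data.
ATTRS = {
    "device_model": {"iPhone 4S": 0.40, "iPhone 4": 0.30, "iPad 2": 0.20, "iPod touch": 0.10},
    "os_version":   {"5.1": 0.60, "5.0.1": 0.25, "4.3.5": 0.15},
    "language":     {"en": 0.70, "es": 0.10, "fr": 0.10, "de": 0.10},
    "timezone":     {f"UTC{h:+d}": 1 / 24 for h in range(-12, 12)},
    "carrier":      {"A": 0.35, "B": 0.30, "C": 0.20, "wifi-only": 0.15},
}


def joint_probabilities(names):
    """Probability of every possible fingerprint, assuming independent attributes."""
    tables = [ATTRS[n].values() for n in names]
    return [prod(combo) for combo in product(*tables)]


def duplicate_fraction(names, installs):
    """Expected share of installs whose fingerprint matches at least one other install.

    An install lands on fingerprint x with probability p; at least one of the
    other (installs - 1) lands on the same x with probability 1 - (1 - p)^(installs - 1).
    """
    return sum(p * (1 - (1 - p) ** (installs - 1)) for p in joint_probabilities(names))


def report(installs):
    """Add one attribute at a time; return (possible fingerprints, duplicate share)."""
    names, rows = [], []
    for name in ATTRS:
        names.append(name)
        rows.append((len(joint_probabilities(names)), duplicate_fraction(names, installs)))
    return rows


if __name__ == "__main__":
    for installs in (50, 5000):
        print(f"installs compared: {installs}")
        for combos, dup in report(installs):
            print(f"  {combos:5d} possible fingerprints -> {dup:.1%} duplicated")
```

Comparing fewer installs against each other, as happens when matching is limited to a short time window, lowers the duplicate share for the same set of parameters.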

Copy-and-Pasteboard Method:
This is roughly analogous to the way you might copy something from one application like Microsoft Word and paste it in Powerpoint. “The copy and paste buffer is really meant for copying and pasting from function to function,” says Craig Palli, a vice president of business development at Fiksu, a Charles River Ventures-backed company that helps mobile developers get users cheaply. “It was not intended to be used this way.”
Who’s doing it? Appsfire’s OpenUDID and Crashlytics’ SecureUDID, and there’s super drama between the two of them! MoPub, which operates a real-time bidding platform for mobile advertising and was founded by some early AdMob folks, is putting its weight behind OpenUDID.
Pros: Probably not getting rejected by Apple. Both OpenUDID and SecureUDID give consumers opt outs.
Cons: There are a couple of developers who have raised concerns around data leakage with OpenUDID, but Appsfire’s co-founder Ouriel Ohayon says those have been resolved. SecureUDID was created by one of the contributors to OpenUDID because they thought that Appsfire’s approach, which assigned a single identifier to each device, was flawed. SecureUDID creates multiple identifiers per device, and a developer would need a domain and a salt to access them. Ohayon says OpenUDID serves a totally different need than SecureUDID (read his comments below!)
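The difference between one identifier per device and identifiers scoped by domain and salt is easiest to see side by side. This is an added illustration, not OpenUDID's or SecureUDID's code: the `Device` class, the HMAC-SHA256 derivation, and the app domains and salts are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class Device:
    """Constructed model of one handset holding a random per-device secret."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self.opted_out = False  # models the consumer opt-out both schemes offer

    def global_id(self):
        """Single-identifier design: every app on the device reads the same value."""
        if self.opted_out:
            return None
        return hashlib.sha256(self._secret).hexdigest()

    def scoped_id(self, domain, salt):
        """Scoped design: the value depends on the caller's domain and salt."""
        if self.opted_out:
            return None
        msg = domain.encode() + b"\x00" + salt.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


def linkable(records_a, records_b):
    """Identifiers present in both datasets, i.e. users two parties could join on."""
    return set(records_a) & set(records_b)


def demo(n_devices=100):
    """Return how many users two apps could match under each design."""
    devices = [Device() for _ in range(n_devices)]
    game = ("com.example.game", "game-salt")  # hypothetical app A
    news = ("com.example.news", "news-salt")  # hypothetical app B
    shared = linkable([d.global_id() for d in devices],
                      [d.global_id() for d in devices])
    scoped = linkable([d.scoped_id(*game) for d in devices],
                      [d.scoped_id(*news) for d in devices])
    return len(shared), len(scoped)


if __name__ == "__main__":
    print("users linkable across two apps (global, scoped):", demo())
```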

HTML5 First Party Cookies:
This mimics what advertising networks have been doing for years on the desktop web to track users through cookies. If it were implemented in native mobile apps, you’d have to force the user to open a Safari browser window when they first open the app or click on an ad.
Who’s doing it? Don’t know, but it wouldn’t be surprising if the companies behind web-based ad targeting eventually moved in to create solutions for mobile developers.
Pros: Probably won’t get rejected. “It’s really similar to what we’ve been doing over the last 15 years on the web,” Palli said.
Cons: It’s a bad user experience to make users open a web browser every time they install an app.

Wi-Fi MAC Address:
The MAC or media access control address is an identifier that’s assigned to networked devices (whether they’re smartphones or laptops). Like the UDID, it’s definitely unique to every device.
Who’s doing it? The ODIN, or open device identification number, is generating ID numbers from the MAC Address. InMobi, an advertising network that has raised about $216 million and is backed by Kleiner Perkins, has chosen ODIN.
Pros: It’s definitely unique to every single device, just like the UDID. So it would be an easy one-to-one replacement.
Cons: This probably won’t last very long and it’s our understanding that Apple will also eventually crack down on access to MAC addresses. The MAC Address has the same privacy flaws as the UDID because it’s unique to every device and is hard to erase or clear, unless you jailbreak your device and spoof it (which most people aren’t going to do). “The MAC Address is terrible,” Payne said. “Your phone is constantly broadcasting your MAC Address to find Wi-Fi networks. It’s literally being broadcast while you walk around. So it’s got all the same problems as UDID, plus this other huge problem.”

Everyone does their own identifier:
Who’s doing it? Many companies are rolling their own ID schemes just in case.
Pros: It probably won’t get rejected by Apple.
Cons: It’s like the Tower of Babel. If everyone uses their own ID scheme, how will developers know which ad network performed the best for them? There would need to be some kind of complicated, centralized broker that could match IDs from one service against others while preserving user privacy. While mobile analytics service Kontagent didn’t create this to specifically address the UDID issue, the company launched something called the Mobile Acquisition Transparency Alliance today which is meant to standardize reporting from many different mobile advertising networks. It handles many identifiers and has a single API that developers can use to report performance from different campaigns they run.

This whole ordeal is part of a much broader debate among policy makers, platform providers like Apple, Facebook and Google and the public about how to best guard privacy amid an explosion of popular consumer web and mobile apps.

Because the nature of software distribution has changed so much over the last five years with the advent of the Facebook, iOS and Android platforms, it’s possible for a two-man band to wind up with millions of users in a matter of months and personal data on each and every one of them. In most cases, developers are well-meaning and they just want to create great products that people love. But some are unscrupulous.

On top of that, there is also the question of how much notice or control consumers should have around their data. The trend toward free apps has created a world in which consumers are implicitly bargaining their attention and personal data for these products. Like the saying goes: if you’re not paying for the product, you are the product!

Even if the Federal Trade Commission does end up setting certain rules and expectations around apps and privacy, enforcing them is very difficult. If the platforms run by the best technology companies in the world can’t do it right 100 percent of the time, what chance do government officials have?