Six months ago, Apple began making some big changes to its operating system ahead of the release of iOS5. Among them, was the news that it would begin ramping up the deprecation of the UDID — Apple’s go-to identifier that ties users to their specific iOS device. The company remained silent for months, but, as Kim-Mai reported last week, Apple recently began to take action, and is now rejecting apps that attempt to access those identifiers. Naturally, this has the iOS developer community sounding the alarm bells. Even though Apple made its intentions known months ago, since then, there’s been no consensus among developers as to the best replacement. Some have perhaps expected Apple to propose a solution, but the company has remained silent.
Apps that access UDIDs are still making it into the App Store, but developers now have to disclose the fact that they’re using them, and ask users for permission. Because of the mounting privacy concerns (from Congress, etc.), Apple is going to nix UDIDs altogether, but it remains unclear how long that will take. In the meantime, developers are scrambling to find alternatives, and Kim-Mai yesterday laid out some of the options available to those looking to take preemptive action. Of the choices, MoPub thinks the best near-term solution is the open source project, OpenUDID. Crashlytics has proposed another variation, SecureUDID.
Whatever the solution, there’s no question that the UDID issue has big potential ramifications for mobile advertising, as Amit Runchal pointed out. Developers and mobile ad companies unilaterally need to find a workable solution, and yesterday we caught up with Sheffield Nolan, the Co-founder of AppRedeem, whose team has developed its own alternative to UDIDs with what it’s calling the “Organizational Specific Device Identifier” (ODID).
Nolan says that, while Apple is backing off a bit on UDIDs in the short term with opt-in requirements, it’s really just postponing the inevitable. The “universal” part of UDID will end, and a replacement is imperative so that developers can switch before the next scare. The CEO tells us that the AppRedeem, which, for those unfamiliar, is an advertising platform designed to help developers boost engagement and drive new users to their mobile apps, tried a bunch of options, including fingerprinting, but they were found lacking.
Really, any solution predicated on having a global identifier for the device still doesn’t address the real privacy issues, he said, so the team began working on hashing Mac addresses. They did this for about six months, until they realized that, without the ID being bound to an organization, again, users would experience the same privacy concerns inherent to the UDID.
So, the team created ODID as a way to address user privacy issues. Over-simplifying, an ODID is created by appending a hash of the MAC address to an organization’s “secret key” to create the payload, and then applying a hash wrapper to the payload. Furthermore, the ODID is sandboxed within the specific organization that created it, and the device’s Mac address is used as the seed for the ODID.
This is the key: There’s no way to derive the MAC address from an ODID, because the MAC address is only a seed, so Company A, for example, could not determine if Company B’s ODID belonged to Company A’s users — even if they had the “secret key” — while both companies still have what they need to track their own users. What’s more, the ODID does not disappear with a device reset, so individual game developers can track their users even if there’s a reset, which is really what everyone is clamoring for.
Beginning on Thursday, AppRedeem began rolling out an update to its SDK with ODID support, which will be available for all customers by the weekend. The SDK is in plain source code, so everyone can see how it works, and AppRedeem is sharing the steps to create an ODID to AppRedeem’s spec so that users can do it on their own or just use its SDK.
AppRedeem currently has 3.4 million members on its platform, and App Trailers, its iOS app, has been downloaded 1 million times (and is currently seeing 20K downloads a day), the CEO says. The company’s advertisers include Groupon, Zynga, Disney, TinyCo, GameLoft, Priceline, Glu, Addmirred, AOL, and Smule; all in all, Nolan says, over half of the top 100 grossing apps use AppRedeem, which means the startup had good reason to find a solution that works for everyone. Groupon is the first of its advertisers to begin using the startup’s UDID-free SDK, as they were in a rush to realize full compliance with Apple, and wanted to switch as soon possible.
Although the UDID affects mobile advertisers (and mobile ad networks) most acutely, it really touches any iOS developer looking to track usage, downloads, clicks, etc. — all stuff that’s essential to mobile ad rev models. And there are a lot of those. As Amit points out, the UDID debacle really shows that the way Apple deals with its apps isn’t just going to affect individual business models, it has implications for the way an entire industry operates.
Apple likely never intended the UDID to become so vital to the economy they created, but it has. Most companies with iOS apps are scrambling to find a solution, and Nolan says that they’ve been in talks with TinyCo, Zynga, GameLoft, and that the majority of companies he’s talked to, both big and small, are trying to find a workaround. Any mobile business that has as its priorities both consumer privacy and advertisers tracking needs a better alternative to UDID. Nolan says that he hasn’t seen anyone really taking the lead, so the team has pushed to turn ODID into a replacement scheme for UDIDs — in such a way that doesn’t just solve the problem for their own clients, but offers a model for all businesses looking for better privacy tools for their users.
The startup is currently in the process of pushing its SDK live, and is in the process of creating a landing page and docs, which the AppRedeem CEO says should be live on the homepage soon. We’ll include a link when it goes live. AppRedeem homepage here.
What do you think?