In an apparent acknowledgment of issues surrounding privacy and tracking of mobile users, Apple is telling iOS developers that, as of iOS 5, they should no longer be using a device’s unique identification number to keep track of users. Instead, Apple recommends developers implement their own unique identifier technology, and use that instead. By deprecating access to unique device identification numbers (UDIDs), Apple is telling developers that, eventually, they will no longer have access to that information.
Apple’s iOS 5 documentation is currently only available to registered developers.
Asking application developers to use their own unique identifiers to keep track of mobile users isn’t particularly burdensome: almost any app, game, or service that enables users to customize setting and behaviors—or that provides access to accounts, content, or other paid items—is going to use unique identifiers, whether they be account numbers, serial numbers, or a mixture of tokens. Most of these are “in-house” identifiers: they don’t mean anything to other businesses or apps, and may even conflict with them.
However, services that try to track users across a broad range of applications and services have often been using iOS devices UDIDs as unique identifiers precisely because they’re guaranteed to be unique in the iOS universe, regardless of what apps or what version of iOS someone might be running. The most common example of a service that needs to identify users across a broad range of applications are advertising networks. Ad networks historically use a single identifier to track a users’s activities across a number of different sites and applications—on iOS, that has almost always been a devices UDID. In a 2010 study (PDF), security researcher Eric Smith found some 68 percent of iPhone apps transmitted UDIDs to remote servers every time they were launched; sometimes those servers belonged to the app’s developer, sometimes to ad networks, sometimes to both.
Apple’s move to deprecate the use of UDID’s may be as much about self-preservation as consumer privacy: the company is facing a series of lawsuits alleging that enabling apps (and developers) to access a device’s UDID is a violation of consumer privacy; at least one suit over disclosure of UDIDs is a class action case.
Apple says it expects to ship iOS 5 this fall. There’s no information on when Apple might enforce a ban on collecting UUIDs, but it likely won’t happen with the initial release of iOS 5—too many existing apps would break.
