Earlier this year, Apple set a May 1 deadline for applications to stop using your unique device ID (UDID) – a 40-character long serial number appearing on iPhones, iPads and iPod touches – as a way of identifying you for advertising and other purposes. But a recent study by the University of California, San Diego (PDF here) suggests that nearly half of all iOS applications still use UDIDs in violation of Apple’s own privacy policy.
Ideally, your UDID is only supposed to be used by Apple to allow you to enjoy App Store and iTunes purchases on multiple devices without having to buying them more than once. UDIDs also help Apple route iMessages to your iPhone and iPad at the same time, if you so choose. Unfortunately, third party app developers also began associating UDIDs with your name and address to track your usage across devices and apps, creating incredibly rich advertising databases on Apple customers. In 2012, a batch of 12 million UDIDs were released by hacking group Anonymous, highlighting just how public this supposedly private data can be.
Apple addressed these privacy concerns in March 2013, announcing that, “starting May 1, the App Store will no longer accept new apps or app updates that access UDIDs.” But according to UCSD researcher Yuvraj Agarwal, 40 percent of apps still try to access your UDID, even after the May 1 deadline. Because many of these apps have been updated since May 1, it’s questionable just how seriously Apple is taking its own privacy protection rules.
To collect their data, the UCSD team created an app called ProtectMyPrivacy that creates notifications whenever an app requests access to your contacts, location, or UDID. According to data collected in 2012, 48% of apps requested UDIDs, 13% requested your location, and just over 6% requested access to your address book.
Currently, the ProtectMyPrivacy app is unavailable on the Apple App Store, as Apple has rejected it for inclusion. Owners of jailbroken iPhones can download the app by visiting the non-profit protectmyprivacy.org.
