By design, the UDID scheme that Apple employs for iOS hardware is a unique string of letters and numbers, much like a device’s serial number, that is used to anonymously identify an iPhone, iPod Touch, or iPad. However, security researcher Aldo Cortesi discovered a flaw that can link an iOS device’s UDID back to its owner, making the UDID non-anonymous and potentially exposing the user’s identity.
Cortesi found that some apps can link the UDID to a user’s Facebook profile, for example, which can expose the user’s profile image, and if the Facebook profile isn’t marked as private, additional information can be revealed as well.
Wired writes that Cortesi says that the UDID is “like a permanent, unalterable tracking cookie that can’t be changed and that the user is not aware of.”
By default, the UDID is supposed to be anonymous and is used only to identify the device. However, according to last year’s Wall Street Journal report, 56 of the 101 apps examined had transmitted the device’s UDID to other companies without the user’s knowledge.
While this flaw isn’t by itself a huge security concern, it does raise a few eyebrows about privacy.
In the past, before developer trial codes, Apple had integrated the UDID into iOS to allow developers to test apps on a limited number of devices without having to submit the app for mass-market distribution on the App Store. In doing so, Apple may have opened the door for others to misuse UDIDs or to collect additional information tied to them.