A recently published review of iPhone security made an important finding: most of the third-party software available for iOS-based devices transmits the device's unique device identifier (UDID) unencrypted, and this could make it possible to retrieve personal information about the phone's user.
The review also noted that apps in the top free and most popular categories on the iPhone App Store were observed transmitting UDIDs from the device. Almost 68% of the apps reviewed have this security issue. Another important point is that 18% of apps encrypted their communications, so it could not be determined what kind of data was being shared.
The security review was published last week by Eric Smith, a network administrator at Bucknell University and two-time DefCon wardriving champion.
The review covered 57 apps available for the iPhone and determined that personal information was sent out in plain text, posing a potential security concern.
The UDID is a unique identifier assigned to each iOS device, including iPhones, iPads and iPod Touches. The number is meant to control piracy of software available on the App Store.
Smith's review compared the UDID assigned to iOS devices to the controversial processor serial number (PSN) that Intel attached to its Pentium 3 chips. It noted that the Pentium 3 PSN “elicited storm of outrage from privacy groups”, and questioned why those concerns have not been expressed about the iPhone.
These privacy issues were seen in a few popular apps, such as Amazon, Chase Bank, Target, and Sam's Club. The CBS News app went a little further, transmitting the UDID along with the user-assigned name for the iPhone, which typically includes the owner’s real name.
Smith wrote in his review: “Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity. For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdropper to easily match a phone’s UDID with the name of the phone’s owner.”
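The categories the review reports (UDID sent in plain text, UDID sent together with the device name, and encrypted traffic whose contents could not be determined) can be reproduced when auditing an app's outbound requests from a test device. The following is an added example, not code from Smith's review; the UDID, device name, app names and URLs are constructed, and the 40-hex-character UDID format is an assumption based on devices of that period.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed test-device values (assumptions, not from the review).
DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"
DEVICE_NAME = "Jane Doe's iPhone"

# Constructed capture of outbound requests: (app, url, visible request body).
CAPTURE = [
    ("shop-app", f"http://api.shop.example/login?udid={DEVICE_UDID}",
     "device=Jane+Doe%27s+iPhone"),
    ("news-app", "https://cdn.news.example/feed", ""),
    ("news-app", f"http://stats.news.example/v1/{DEVICE_UDID.upper()}/ping", ""),
    ("bank-app", "https://m.bank.example/session", ""),
    ("game-app", "http://cdn.game.example/levels?id=7", ""),
]

# Findings ordered from least to most severe; an app keeps its worst one.
SEVERITY = ["no-udid-seen", "encrypted-undetermined",
            "udid-plaintext", "udid+name-plaintext"]

def classify(url, body, udid=DEVICE_UDID, name=DEVICE_NAME):
    """Classify one request by what a passive network observer could read."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "https":
        # Payload is not visible on the wire, so contents cannot be determined.
        return "encrypted-undetermined"
    # Decode percent/plus encoding so encoded names and mixed-case hex match.
    seen = unquote_plus(f"{parts.path}?{parts.query}&{body}").lower()
    if udid.lower() not in seen:
        return "no-udid-seen"
    return "udid+name-plaintext" if name.lower() in seen else "udid-plaintext"

def audit(capture):
    """Return {app: worst finding} across all of the app's requests."""
    report = {}
    for app, url, body in capture:
        finding = classify(url, body)
        prev = report.get(app, SEVERITY[0])
        report[app] = max(prev, finding, key=SEVERITY.index)
    return report

if __name__ == "__main__":
    for app, finding in sorted(audit(CAPTURE).items()):
        print(f"{app:10} {finding}")
```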
It is worth remembering that Apple has been very up front about security on iOS, requiring users to approve when applications access information like GPS or the phone’s address book. In addition, the company has allowed users to opt out of data collection with services like iAds.
The company even called out one mobile analytics firm after data about the iPad was obtained from devices in testing on Apple’s Cupertino, Calif., campus without the company knowing. The incident prompted Apple to revise some of the rules in its iPhone Developers Agreement.