Security Privacy Apple

Apple Denies FBI Had Access To UDIDs

First time accepted submitter WIn5t0n writes "Just a day after the alleged leak of 12 million Apple UDIDs, both Apple and FBI have denied the story that Anonymous, a global hacking community, gained access to the files by hacking into an FBI laptop through a Java vulnerability. Earlier this morning the FBI claimed that, even though the agent cited in Anonymous's story is an actual FBI operative, neither he nor anyone else in the agency has or has had access to Apple device information. This afternoon Apple followed up on the FBI's statement, with an unidentified Apple representative claiming that, 'The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.' It should also be noted that while the hackers claim to have accessed 12 million UDIDs, only 1 million were publicly released. The Apple representative who made the previous statements also said that, 'Apple has replaced the types of identifiers the hackers appear to have gotten and will be discontinuing their use.' Even though neither Anonymous nor the FBI/Apple will admit where the data actually came from, it does appear that at least some of the leaked UDIDs are legit and can be tied back to current, privately owned devices. So far no information besides the device's UDID, DevToken ID, and device name has been released; however, the original hackers claimed that some devices were tied to details as exact as phone numbers and billing addresses."
  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Wednesday September 05, 2012 @07:31PM (#41241257) Homepage

    It could be from a 3rd party. Lots of applications were known to track UUIDs (and take phonebooks, etc). One of those companies could have given that data to the FBI (or had it taken as part of a search). Or the FBI could have gotten it from some criminal who obtained it by breaking into some company's computer. Or a rogue employee took it and gave it to someone.

    Apple is hardly the only possible source of this kind of data.

  • Re:iOS6 (Score:5, Informative)

    by kallisti ( 20737 ) <rmidthun@yahoo.com> on Wednesday September 05, 2012 @07:50PM (#41241455) Homepage

    They are used for identifying a specific device, which can be used in turn as a type of account id. Each application on the device is completely separate from the others; if you have an application such as a social network, the user would need to log in separately for every app. This, in itself, isn't so bad; the problem is that applications can tie this information to create databases that might tie together things. For instance, OpenFeint was using the UDID for single sign-in. A researcher found that the profile pictures from Facebook contained the Facebook userid. If a user using OpenFeint was using the Facebook profile image, then that UDID could be used to find the Facebook profile. OpenFeint fixed that loophole immediately by obscuring the URLs, but the general problem remained: anyone could write an app to gather UDID information, and many did.

    How to deanonymize with OpenFeint [corte.si]

    There isn't any way that a user can stop an app from reading the UDID; a jailbroken phone can change them IIRC.

    In response, Apple deprecated the UDID. Although many places have said that Apple rejects apps that use UDID, this is not completely true. Apple started rejecting apps that used UDID but didn't tell you. There are still many apps collecting the information.

    There are a few alternatives, with varying degrees of success:
    * Each app makes a GUID, stores locally. Which works great for one-off apps, but doesn't allow multiple apps to collate data (either a benefit or drawback depending on who you are). It also means you will lose data on a reset.
    * Use a different ID, such as MAC. Essentially the same thing, with the same drawbacks, not recommended.
    * Facebook and other networks have started using a Cookie stored in Safari. This means that the registration actually leaves the application and returns to it using a specially crafted URL. This way, each app can simply round-trip to Safari to grab the cookie. Complicated, but it works.
    * Use UIPasteboard. This is an API that allows you to store information that other apps can read. It's sort of a hack, but some libraries are using it.
    OpenUDID [github.com] SecureUDID [github.com]
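
The trade-off between a device-wide UDID and the per-app GUID from the first alternative in the comment above, as an added example that is not part of the original comment or of any project's code. It is a constructed Python model (the `Device` class, the app names and the owners are all hypothetical) showing that two backends keyed on the UDID can be joined row for row, while per-app GUIDs share nothing and are lost on a reset.

```python
import uuid


class Device:
    """Constructed model of a phone: one hardware-wide UDID plus a private store per app."""

    def __init__(self):
        self.udid = (uuid.uuid4().hex + uuid.uuid4().hex)[:40]  # 40 hex chars, random stand-in
        self.sandboxes = {}  # app name -> that app's private key/value store

    def app_guid(self, app):
        """Per-app GUID: created on first launch, kept only in that app's sandbox."""
        store = self.sandboxes.setdefault(app, {})
        if "install_id" not in store:
            store["install_id"] = str(uuid.uuid4())
        return store["install_id"]

    def reset(self):
        """Device wipe: every sandbox is erased, the hardware UDID is not."""
        self.sandboxes.clear()


def collect(devices, app, use_udid):
    """What one app's backend ends up storing: identifier -> record."""
    db = {}
    for owner, dev in devices.items():
        ident = dev.udid if use_udid else dev.app_guid(app)
        db[ident] = {"app": app, "profile": f"{owner}@{app}"}
    return db


def linkable(db_a, db_b):
    """Identifiers present in both backends, i.e. rows a third party could join."""
    return set(db_a) & set(db_b)


def demo():
    devices = {name: Device() for name in ("alice", "bob", "carol")}  # constructed owners
    udid_join = linkable(collect(devices, "game", True), collect(devices, "social", True))
    guid_join = linkable(collect(devices, "game", False), collect(devices, "social", False))
    guid_before = devices["alice"].app_guid("game")
    udid_before = devices["alice"].udid
    devices["alice"].reset()
    return {
        "udid_links": len(udid_join),    # every device appears in both datasets
        "guid_links": len(guid_join),    # nothing in common to join on
        "guid_survives_reset": devices["alice"].app_guid("game") == guid_before,
        "udid_survives_reset": devices["alice"].udid == udid_before,
    }
```
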
