Back in 2011, with the release of iOS 5, Apple deprecated the use of UDIDs by developers. A few months later they started rejecting apps that used a device’s UDID without getting the user’s permission. With the introduction of iOS 6 also came an option to limit ad tracking by advertisers. Finally, this month Apple announced that starting May 1st, developers can no longer access UDIDs in their apps. And all of this sounds great, right? Give users the choice on whether or not they want to be served targeted ads. They should hold the power, not the advertisers. Unfortunately, this feature to limit ad tracking may be giving users a false sense of privacy.
A UDID, or unique device identifier, is an unchangeable alphanumeric string that uniquely identifies a device. UDIDs are not inherently evil and they do have some legitimate uses. For example, Apple can use a device’s UDID to associate it with your Apple ID. They’re also used to provision devices for development. The problem is that any app can access this unique identifier, and over time more apps started using UDIDs in ways that they weren’t intended to be used.
With a unique device identifier, advertisers can track information about a user’s habits across multiple apps. Even if you wiped your device and reinstalled everything, the UDID would still be the same and the advertisers can continue to tie all your new behavior to the information they had already collected on you. The result has been the ability for advertisers to put together profiles of individual user habits, allowing them to target ads toward a particular user’s interests and hopefully increase the effectiveness of their advertising. Unfortunately for advertisers, a lot of users don’t like this and these users want to be able to limit advertisers’ ability to do this.
Apple’s solution comes in the form of Advertising IDs and IDFVs. An Advertising ID is meant for use by advertisers, and is the same across all apps on the same device. An IDFV, or identifier for vendor, is a unique identifier for an app that is different across apps, unless the apps share the same vendor.
First let’s take a closer look at Advertising IDs. When advertising companies track a user’s device to serve targeted ads, the Advertising ID is what they should use. Unlike a UDID, Advertising IDs do not persist when a device is restored to factory defaults. This means that when you sell a device, the Advertising ID can be reset. This is good news for advertisers because the targeted profiles they build for individual users won’t get cross-contaminated as devices change owners.
iOS 6 also gives users the ability to reset their Advertising ID any time they like. In the Settings app, under General > About > Advertising, there is a “Reset Advertising Identifier” option which will generate a new Advertising ID for the device. The same screen also has a “Limit Ad Tracking” switch. Turning this on allows a user to limit advertisers from using their Advertising ID to target ads for them. This is beneficial for users and something that wasn’t possible when using UDIDs. Ultimately both sides benefit from replacing UDIDs with Advertising IDs for advertisers.
In comparison, IDFVs uniquely identify a device to app vendors and can be different between apps. If two apps come from two different vendors, each will have its own IDFV. However, apps from the same developer will get the same IDFV when installed on the same device. For example, if you have Angry Birds and Angry Birds Star Wars (both by Rovio) installed on your iPhone, both of those apps will get the same IDFV. But if you were to install Infinity Blade II (by Chair) on the same iPhone, it would get a different IDFV. In contrast to Advertising IDs, IDFVs cannot be reset in Settings by a user. The IDFV for an app does seem to change if you delete all apps by the same vendor, then reinstall them, though this is not officially documented behavior.
So what does all of this mean for your privacy? The concern with UDIDs is that they are a unique identifier for your device that advertisers could tie personal information to. Advertising IDs don’t necessarily change this. Advertisers still have access to a unique ID for your device that they can associate other personal information with. The difference now will be that advertisers who use this Advertising ID will be limited in how much data they can compile for a single user.
One example frequently cited when explaining why UDIDs are bad is the story of BlueToad’s UDID leak. Last year, 12 million UDIDs along with their associated user data were compromised after a security breach at the digital publishing firm. If BlueToad had instead utilized IDFVs in their apps at that time, while user information still would have been leaked, it would have had limited usefulness to any parties interested in using the data. An advertiser looking at BlueToad’s data would have no way to correlate those IDFVs with their own user data. Data breaches like BlueToad’s will always be an issue, but a move from UDIDs to IDFVs would limit their impact.
You can turn on iOS 6’s “Limit Ad Tracking” feature, but there seem to be a lot of misconceptions about what this does. It does not prevent an advertiser from accessing and using your Advertising ID. In fact, Apple specifically allows advertisers to use it for “frequency capping, conversion events, estimating the number of unique users, security and fraud detection, and debugging” when you have Limit Ad Tracking turned on. What it does do is set a flag on the device that tells advertisers to not use your Advertising ID to serve you targeted ads. It’s not entirely clear how this flag will be enforced. The technical documentation doesn’t seem to indicate any OS layer enforcement, which would seem to suggest that the burden will fall on Apple’s app reviewers to catch apps not properly honoring it.
To make things more confusing, there don’t seem to be any rules around who is allowed to access IDFVs and Advertising IDs. For argument’s sake let’s say there’s an app that sends both an IDFV and Advertising ID back to its server for different, legitimate purposes. Now let’s say a user resets their Advertising ID on the device. Since the app is sending both pieces of information to its server, there’s nothing stopping the server from making an association between the IDFV and the new Advertising ID. The Advertising ID changed on the device, but the server can still map the new Advertising ID to the old one using the common IDFV. In this case, the advertiser or developer would be able to continue tracking usage and details no matter how many times a user resets their Advertising ID.
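The scenario above can be checked against stored data during a privacy review. The following is an added example, not code from the original article or from Apple: it scans constructed log rows for IDFVs that were recorded with more than one Advertising ID, and shows the result when the two identifiers are kept in separate rows. The row layout, the function names and the `split_rows` mitigation are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed server-side log rows: (day, idfv, advertising_id). All values are made up.
EVENTS = [
    (1, "IDFV-A", "AD-1"),
    (2, "IDFV-A", "AD-1"),
    (5, "IDFV-A", "AD-2"),  # Advertising ID was reset between day 2 and day 5
    (6, "IDFV-B", "AD-9"),  # another device, never reset
    (9, "IDFV-A", "AD-3"),  # second reset on the first device
]


def bridged_resets(events):
    """Map each IDFV to the Advertising IDs logged with it, in first-seen order,
    keeping only IDFVs with more than one: each such chain is a reset that the
    stored data can undo."""
    chains = defaultdict(list)
    for _, idfv, ad_id in sorted(events, key=lambda e: e[0]):
        if idfv is None or ad_id is None:
            continue  # a row holding only one identifier cannot link anything
        if ad_id not in chains[idfv]:
            chains[idfv].append(ad_id)
    return {idfv: ids for idfv, ids in chains.items() if len(ids) > 1}


def split_rows(events):
    """Hypothetical mitigation: write each identifier to its own row so that no
    stored record carries both an IDFV and an Advertising ID."""
    rows = []
    for day, idfv, ad_id in events:
        rows.append((day, idfv, None))
        rows.append((day, None, ad_id))
    return rows


if __name__ == "__main__":
    print("joined storage:", bridged_resets(EVENTS))
    print("split storage: ", bridged_resets(split_rows(EVENTS)))
```

Splitting the rows only helps if the two stores share no other join key, such as an account ID, a request ID or a precise timestamp.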
On top of all this, Apple doesn’t yet require developers to use the Advertising ID or IDFV for identifying devices. For the time being, developers may still use other replacements for UDIDs, such as OpenUDID and SecureUDID. These solutions provide unique device identifiers to developers and advertisers, but don’t have to honor Apple’s Limit Ad Tracking flag. Because of this, it is currently possible for advertisers to continue tracking user habits in order to serve targeted advertisements. However, the About Ad Tracking screen in iOS 6 assures that in the future “all apps will be required to use the Advertising Identifier.”
Apple’s move away from UDIDs is a good thing. The trouble so far is that a lot of people seem confused about what exactly it means for users. Apple has been gradually distancing developers from using UDIDs and pushing them toward a solution that is more privacy friendly. In the meantime, it’s important for users to understand that turning on “Limit Ad Tracking” may only have a minimal impact for now and is in no way a guarantee that advertisers won’t be tracking them.
A big thanks to Doug Russell for the sample app he provided that let me explore how Advertising IDs and IDFVs work.
Nick is the QA lead for POSSIBLE Mobile. In addition to Nick’s 6 years of professional QA experience, he brings a background of independent security research and proficiency in breaking things.