Monday, 15 October 2012 10:46

Apple Gets Rid Of The UDID Replaces It With IFA... Still Tracks Users

Written by

Reading time is around minutes.
14621rotten apple

Since the introduction of Apple’s iADs Apple has been pushing for more efficient ways to track user habits to attract advertising money. In fact during the introduction of iADs Steve Jobs noted that establishing rich ad content was one of the main reasons for moving to HTML5. The demo was mostly lost on the journalists that were present at the event (and those that watched the live streaming) as an ad service is not exactly a selling point to consumers. On top of that one of the methods that Apple used to help advertisers track user preferences for targeted ads, the Unique Device Identifier (UDID), was quickly abused by app developers as well as others to tie a person to a device for tracking and also to scavenge personal information (like contacts). It was a mess for iPhone owners and Apple alike.

Apple was quick to respond though and did state that the UDID would no longer be used in future revisions of iOS or on future phones. Apple has kept their word about the UDID with iOS 6, but all they have done is to implement a new feature that allows advertisers to track user preferences by phone. The new system called IFA or IDFA (Identifier for Advertisers) has not been used to gain access to personal information just yet, but then again the UDID worked well for a while before it was abused. We ran some of this by a few people that we know in “security” and on the surface they said that IFA is fairly anonymous in the way it executes, but they were quick to note that nothing is really secure when it is designed to take user information and preferences and transmit it to someone else. It is, by its nature a questionable thing to track users’ preferences or habits in the first place, but it has been a common practice for so long that there is little that will be done to curtail or stop it.

IFA is both more and less intrusive than the UDID was. Because IFA is a random number assigned to the device and only tracks browsing and search habits it is less intrusive and less likely to be tied to a person than the UDID was, however IFA tracks your habits further than was possible with the UDID. IFA can track you all the way through to purchase or app download giving advertisers more ammunition to fine tune their ads and targeting algorithms.  This last item is where the most likely exploit would be, if you can track a purchase with IFA then there is a chance you can tie that purchase to a person although what information you can gather after that is questionable.

Still there is good news for iPhone and iPad users running iOS 6. You can turn IFA off by heading over to Settings> General> Advertising and turning Limit Ad Tracking to “On”. This will limit the tracking capabilities of IFA, but we have not been able to confirm if they are completely off. Our guess based on what we have seen is that they are not completely off. It is possible that your search and browsing habits are still tracked, but that that IFA no longer tracks the purchase or download like it did before. We are sure that there are people out there working on ways to exploit IFA and get more than it was intended to offer even as we publish this article after all the mobile market is now a major space for advertising. Advertising companies and publishers are very excited about what can be done in the mobile space simply because most mobile operating systems are so amazingly open right now in the same way the PCs were back in the early 90s (when the push pop up ad became popular). It will not be long before mobile OS developers will be required to put some of the same protections in place that we take for granted on the PC if for nothing else than to combat overaggressive advertising companies from inundating phone users with ads that have become little more than spam. Are mobile phone makers wrong to put this tracking ability into their phones and should Apple have left this ability out of iOS 6 considering how badly abused the UDID was? Let us know what you think in our Forum

Read 5635 times Last modified on Monday, 15 October 2012 11:05

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.