Study Shows Many iPhone Apps Defy Apple’s Privacy Advice

Researchers say that over a third of iPhone apps still access a device’s unique identifier.
June 25, 2013

In 2011, Apple advised that iPhone and iPad apps should stop logging the unique identifiers of users’ devices, a practice that can be exploited to build up profiles for ad-targeting purposes. But a new study by researchers at the University of California, San Diego, suggests that many apps still do so.

You decide: Researchers developed an app that can detect and selectively block which personal data iPhone apps can access.

At the MobiSys conference in Taiwan this week, the researchers will present data gathered from 225,000 apps installed on 90,000 ordinary iPhones. Their analysis shows that between February 2012 and December 2012, 48 percent of those apps accessed the unique device ID, or UDID, of the phone they were installed on. The full paper is available online (PDF).

Apple’s mobile operating system, iOS, does not usually allow apps to monitor each other, so the information was gathered from users of “jailbroken” iPhones, on which Apple’s usual controls have been disabled to allow modification of the device and installation of apps not offered through Apple’s App Store. The researchers say their results are relevant to all iPhone users, because a large majority of apps used on jailbroken devices are the same as those used on unmodified phones.

The app that collected the data is called ProtectMyPrivacy. Once installed, it detects which data the other apps on a phone try to access. If an app tries to access potentially sensitive data, ProtectMyPrivacy notifies the phone’s owner, who can choose to selectively block that access. Users can choose to prevent, for example, a particular app from accessing their contacts, location, or UDID; they can also apply automatic recommendations concerning what to block or allow for particular apps. The new study is based on data collected from users who opted to share anonymized information from ProtectMyPrivacy.

Since May 1, Apple’s official policy has been to reject apps that access a device’s UDID, but it is unknown how strictly that rule is applied. Yuvraj Agarwal, who led the UCSD study with colleague Malcolm Hall, says he found that around 40 percent of apps on phones with ProtectMyPrivacy installed still try to access a device’s UDID. Some of those apps have been updated since May 1, he says, meaning a new version was uploaded to Apple’s iTunes store. This suggests either that Apple is not catching all apps that access UDID or that it’s letting some pass even though they’re known to do so.

Agarwal calls the picture he and Hall uncovered “staggering.” Apps can still access the UDID because, to avoid breaking old apps, Apple didn’t block access to it in the latest version of its mobile software, iOS 6. “I think a lot of the apps are still [recording the UDID] just because the [application programming interface] is available,” says Agarwal.

Jeremy Linden, security product manager at the mobile security company Lookout, says that even if app makers heed Apple’s guidelines about UDIDs, they have other ways to track their users. For example, recording the unique code assigned to a device’s Wi-Fi chip, called a MAC address, “could be used to track a device across different ad networks and analytics services,” he says. And there would be “no way to opt out.”

UDID access will disappear on devices that upgrade to Apple’s new iOS 7 software, which will be released late this year. Linden says that Apple also appears to be taking other measures in iOS 7 to keep apps from tracking users’ actions. “From my understanding, they are eliminating all access to unique device identifiers,” he says. “This is great for user privacy and sets an example for the industry.”

Apple has also created a dedicated identifier for apps that want to track users. IDFA (for “identifier for advertising”) is intended to offer better privacy controls. Users can reset their IDFA anytime for security or privacy reasons, and it also connects to a “Limit Ad Tracking” feature in iOS.

One issue that will remain, however, is that the company’s relatively closed software ecosystem makes it difficult for independent researchers such as Agarwal to scrutinize just what apps are doing on Apple devices. Most academics interested in mobile security and privacy work on Google’s Android operating system instead; Google’s software is easier to tinker with, and software that is not offered through Google’s software store can still be installed on an Android phone. It is also easier for research apps to get into the Google mobile app store.

Agarwal says he submitted an app to the official Apple store that would let people look up the data ProtectMyPrivacy had collected about apps they were using, but it was rejected. When an Apple employee called to discuss the matter, Agarwal says, he asked what needed to change for the app to be accepted, but he was told, “We have a problem with the concept of the app.”

Apple did not respond to a request for comment on the UCSD study by time of publication.
