Keith Dawson: Develop in the Cloud
This story was written by Keith Dawson for UBM DeusM’s community Web site Develop in the Cloud, sponsored by AT&T. It is archived here for informational purposes only because the Develop in the Cloud site is no more. This material is Copyright 2012 by UBM DeusM.

Hackers Leak Apple Unique Device IDs

Hackers associated with Anonymous released a list of iOS device IDs they claim came from an FBI laptop.

Hackers affiliated with Anonymous have released a list of a million and one unique IDs belonging to Apple iOS devices. For developers, the affair is an object lesson in privacy.

Ars Technica has a good rundown of the story as of yesterday afternoon. On Monday evening, hackers claiming to belong to the Antisec group of Anonymous released a file consisting of 1,000,001 records. Each contains an Apple unique device ID (UDID), a token for Apple's Push Notification Service, and the name and type of the device. The hackers claimed that they had sanitized this data, from a file containing over 12 million records -- some of them involving personal data such as name, address, and cell-phone number -- found on a laptop belonging to an FBI agent. Nothing in that previous sentence has been verified by anyone outside of the original posters, and indeed even their affiliation with Anonymous has not been confirmed.

A few outside experts have confirmed that at least some of the records in the leaked file do correspond to real people's iOS devices. Here is one of several Websites that have sprung up to let you check whether your iOS device's UDID is on the list. (My iPad 2 is not among the leaked.)

Apple's UDID has been controversial from the start. It is a serial number of sorts produced from the unique hardware configuration of each iOS device. The UDID was generated by a developer-accessible API call in the early versions of iOS. Privacy advocates criticized Apple for making such an ID available, claiming that the UDID could be -- in fact was being -- combined with personal information to provide a tracking mechanism of unprecedented reach and scope. Last fall Apple deprecated the use of the UDID API, and after iOS 5 began rejecting apps from its App Store if they use it.

But many early apps freely phoned home with clients' UDIDs in the years preceding Apple's withdrawal of the API. It is highly likely that hundreds or thousands of databases exist containing the IDs of people's iOS devices. Some of these databases certainly correlate the UDIDs with varying amounts of real-world identity information.

The speculation -- and it is only speculation -- is that the FBI, or perhaps just one FBI agent, asked a number of such companies for copies of their UDID databases, and built up a 12-million-record CSV file on his laptop's hard disk. (The hackers claim: "No other file on the same folder makes mention about this list or its purpose.")

One developer, Frederic Jacobs, is seeking data to pin down the source(s) of the wayward UDID information. He wants to name and shame whoever it was that handed over user data to the FBI, presumably without any kind of court order or oversight.

Assuming that any connection with the FBI is factual.

Lessons for developers
Whatever the truth of the matter turns out to be -- and it's possible all the facts will never be pinned down for certain -- developers can take home a few conclusions from this affair.

Ask first. Tell users what personal or identifying information your app genuinely needs, and request their permission to collect it. Never -- and I do mean not ever -- collect more than you are disclosing.

If you feel you can't tell your users, you probably shouldn't be doing it. Apple's unique ID tends to make people uncomfortable once they begin thinking about ways in which it can be abused. Most apps that collected and sent off the UDID did not disclose this fact to users. My surmise is that the developers knew it would make people uncomfortable, and would cost them downloads and sales.

Don't sell out your users. Here's a follow-the-money aphorism: "If you are not paying for it, you're not the customer; you're the product being sold." Originally coined for free Websites, it applies equally to free mobile apps. Still, users deserve respect. It is disrespectful to cave and hand over user data when The Man comes calling without a warrant.