Insecurity experts are using the recent “Apple tracks its users fiasco” to get some attention for other holes they have found in the fruity cargo cult’s faith-based security system.
It is a cornerstone of the Apple faith that malware only happens on Microsoft products and that users are perfectly safe if they buy the latest Apple gear and sacrifice their credit card limits to Steve Jobs.
Since the Tame Apple Press runs on Apple gear, security flaws in Apple gear do not get much attention. However, the news that Apple might have been using the iPhone to track users last week has meant that the world is suddenly focused on what Apple’s gear does when its users are not paying attention.
Researcher Aldo Cortesi said he has found a security flaw in iOS apps that makes it possible to connect the device’s anonymous, unique device identifier (UDID) with a user’s real-life identity.
The UDID lets Apple, app developers, advertisers and other companies track the apps you use, the frequency you use them and how you use them.
According to an ancient article in the Wall Street Journal, 56 of 101 popular apps transmitted these UDIDs without people’s awareness or consent.
Cortesi claims that while the UDID doesn’t contain personally identifiable information, it may be tied to other personal data stored on your device which does.
Apple explicitly bans developers from linking UDIDs with user accounts, but it is a doddle for a third party to intercept and view identifying data transmitted with the UDID from the iPhone.
He used OpenFeint, which is a social gaming service that connects to games like TinyWings and Robot Unicorn Attack, to connect his own personal data to his UDID.
Using the software he could see his Facebook profile photo and his Facebook user ID number.
If users have given OpenFeint access to location data, the service could also connect the UDID with GPS coordinates, Cortesi said.
OpenFeint, which has 75 million users, told Cortesi that this security flaw has been fixed. But there are similar apps which have similar flaws.
Security researcher Charlie Miller told Wired that users sold their privacy to Apple in order to be a part of Apple’s Walled Garden of Delights, so even if Jobs’ Mob could have done better, there was nothing to see here, move on please.