Apple steps up outreach to developers over moving away from UDIDs

By Kim-Mai Cutler

In the wake of a media outcry over giving developers too much access to users’ address books, Apple looks like it is stepping up efforts to close other privacy loopholes too.

We’ve been hearing from developers today that Apple has been reaching out to some of the larger companies on its platform in the last few weeks. Apple has been asking them to move away from using UDIDs, or unique device identifiers, a couple of developers have confirmed to me.

UDIDs can be used like cookies to track consumers as they move from app to app. Advertising networks can use the data collected through this tracking to target consumers with ads based on their browsing habits. The difference with UDIDs is that they can’t be cleared in the way that cookies can be deleted.

An investigation from The Wall Street Journal last year found that developers were sharing UDIDs with third-party ad networks and other service providers — a potential privacy risk, especially if a UDID is tied to a person’s name. Not too long after, Apple said it would deprecate UDIDs and asked developers to start creating unique identifiers that work specifically with their apps.

However, deprecating any feature is a process that can take months — if not more than a year — as Apple has to give developers time to change their code base. When Apple originally announced the change in August, there were deprecated features from iOS 3.0 that were still in use.

With what we’re hearing this morning, however, it seems like Apple wants the developer community to move faster. Developers have been telling us that Apple has reached out to them asking them to move away from UDIDs if they’re still using them in their apps or any third-party libraries.

To replace UDIDs, Apple has some functions that can create unique identifiers from a string or from a set of raw bytes. Some developers had told us they’re replacing the UDID with the MAC address, or Media Access Control address, an identifier that’s assigned to networked devices like smartphones or laptops. But that carries most of the same privacy risks that UDIDs do.