iPhone users: How your government spies on you

UDID you or didn't you?

Page 2 of 2
  • GCHQ would use the UDID number to track the device as it synced with a GCHQ-compromised computer.
  • The agency could track the user’s Safari sessions using UDID and its own Safari exploit.
  • It could track events by using the UDID number as data was transferred to ad-tracking agencies such as AdMob.

The agency could use this information to track a person’s movements, online usage patterns and to identify (with reasonable accuracy) such things as which online mail services they might be using.

GCHQ would be able to identify the user by correlating their device number, which it acquired in some cases at the time the person purchased the device, presumably by tracking their payment card.

Security consultant Aldo Cortesi in 2011 showed that the way some gaming apps used UDIDs for authentication made it possible to take over a person’s Facebook or Twitter account.

Privacy controls

Given the deep information sharing arrangements that exist between the US, UK and other security services, it seems reasonable to assume they all use similar exploits. The NSA has certainly used similar tricks to compromise ad cookie networks in order to track users across the Web.

Apple no longer uses UDID in its devices in order to better maintain user privacy – though this has upset advertisers, who prefer Google’s more laissez-faire approach to customer privacy.
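Why a single device-wide identifier makes the correlation described above possible, and why identifiers scoped to each app or service break the join, shown as an added example that is not part of the original article. The HMAC derivation, the names and the sample records are constructed assumptions for illustration, not Apple's actual scheme.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: one device observed by three independent collectors.
DEVICE_SECRET = b"constructed-device-secret"   # hypothetical per-device key
GLOBAL_ID = "constructed-udid-0001"            # stands in for a device-wide UDID
SOURCES = {
    "sync": ["backup at 09:02"],
    "browser": ["webmail login at 09:15"],
    "ad_network": ["ad request with city-level location at 09:20"],
}


def scoped_id(secret: bytes, scope: str) -> str:
    """Identifier that is stable inside one scope but unlinkable across scopes."""
    return hmac.new(secret, scope.encode(), hashlib.sha256).hexdigest()[:16]


def collect(use_global_id: bool) -> list[tuple[str, str, str]]:
    """Return (source, identifier, event) records as each collector would store them."""
    records = []
    for source, events in SOURCES.items():
        ident = GLOBAL_ID if use_global_id else scoped_id(DEVICE_SECRET, source)
        records.extend((source, ident, event) for event in events)
    return records


def correlate(records):
    """Group records by identifier, which is what joining the datasets amounts to."""
    profiles = defaultdict(list)
    for source, ident, event in records:
        profiles[ident].append((source, event))
    return dict(profiles)


def largest_profile(records) -> int:
    """Count the distinct sources linked under the best-connected identifier."""
    return max(len({s for s, _ in evs}) for evs in correlate(records).values())


if __name__ == "__main__":
    print("device-wide id links", largest_profile(collect(True)), "sources")
    print("scoped ids link", largest_profile(collect(False)), "source each")
```

Scoped identifiers only remove the shared join key; records can still be linked through other common attributes such as account logins or network addresses.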

The Der Spiegel report tells us agencies routinely use keyloggers to collect information and, in order to reduce the evidential footprint of their actions, often use unwitting third parties to carry data from place to place by placing the information onto their devices, only to remove it at a later point.

The latter is a particular threat to large enterprises seeking to keep business secrets, and undermines the potential of the cloud devices and services most major tech firms are currently betting their future on.

This is the context in which demands from security agencies for a dilution in mobile device security – principally Apple’s – need to be understood.

Tim Cook’s going to be under pressure. Given that Apple this morning published a picture of Dr. Martin Luther King Jr. on its website, with the phrase: "Today we reflect on the life and vision of Dr. Martin Luther King Jr. and the work that continues in service of the broader concerns of humanity," it will be interesting to see what Apple does about this.


Copyright © 2015 IDG Communications, Inc.
