As confirmed by Tapbots’ Paul Haddad, Apple is now rejecting apps for their use of the UDID (Unique Device Identifier) value. Haddad says that the latest version of Tweetbot, version 2.2, has been rejected by the company for using the feature.
This rejection confirms rumors that the use of UDIDs by apps was drawing rejection notices from Apple, which had deprecated the feature back in August, warning developers to stop using it in their apps. There were also reports in February that Apple had been reaching out proactively to recommend that developers drop UDID usage from their apps.
Haddad says that the rejection wasn’t a huge issue for the company, as they have already found alternatives to use, but he offers a warning: “If you are an app developer and depend on UDID for any functionality it’s time to migrate away from it; sooner or later Apple will catch you.”
You’ll notice that the rejection’s wording intimates that the collection of the UDID without notifying the customer is the key to the rejection. If you think, however, that Apple will allow a developer to ask a customer “hey, can we use your device’s UDID”, you’re barking up the wrong tree. Most customers don’t even know what a UDID is, much less what giving it to a developer implies for their privacy. I’d say it is best to assume that it is gone from your bag of tools and move on.
We explained the issues surrounding the use of UDID earlier in the week. Apple currently offers an alternative to the use of UDID, called CFUUID, but it is not without its pitfalls. The uses of UDID vary greatly from app to app, but they are largely used by ad networks to track clicks and engagement within apps. But that is not all that they’re used for. There are plenty of other practical uses, including push notifications, sync and more. Haddad explains how Tweetbot uses it:
Why did we use UDIDs? We used them only for our push notification services in order to be able to match up a given device to its push notification settings. This allowed us to restore push notification settings after Tweetbot was deleted and re-installed. With this new change in place this is no longer possible; if you delete and re-install Tweetbot you’ll have to set up your push notification settings again. Your device’s UDID never went anywhere besides our push notification services and has never been shared with anyone.
There are other alternatives as well: companies such as OpenFeint and Appsfire offer open-source ID products that replace UDID and presumably won’t get the boot from Apple. Analytics company Crashlytics is also offering SecureUDID as a replacement, a protected ID that still lets developers distinguish one device from another.
The privacy implications of UDID are the kind of thing that gets privacy commissions and watchdog organizations up in arms. Apple saw the writing on the wall last year, before the Path debacle drew scrutiny of how iOS apps were using personal data and Congress took a direct hand in quizzing iOS developers about how they complied with privacy policies.
Nothing has shaken out as a viable alternative quite yet, but developers really need to start looking at what is out there, now that it has been confirmed that merely referencing the UDID in an app is rolling the dice for rejection.