Apple has issued a statement to All things D that says it did not give the FBI any device IDs like the ones released by hackers earlier this week.
The statement indicates that the FBI wasn’t in cahoots with Apple, nor the other way around. Apple also says that the UDID is persona non grata in iOS 6 anyhow.
The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID
Apple began encouraging developers to move away from the use of the UDID to track devices, or any other use of it for that matter, over a year ago. Earlier this year, there was rumors that Apple was introducing a replacement for UDIDs and that replacement, in the form of several new APIs and an alternate for of ID, was introduced at WWDC to Apple developers. Shortly after hackers leaked 1M of those IDs, the FBI spoke out and said that the there was ‘no evidence’ that the information came from them.
The thing about UDID is that it’s not inherently a bad idea to have a way for developers to tell that you’re using a specific device with their apps. The UDID of a device can aid in synchronizing data from one copy of an app to another or in order to send push notifications. There are legitimate reasons to be able to tell one device from another.
Apple knows that it needed to offer developers an alternative if it wanted them to stop using it, so it recommended CFUUID (Core Foundation Universally Unique Identifier). But not everything is wine and roses with CFUUID, there are some issues around it that make it a poor alternative for some apps.
The Next Web has created a tool for you to check to see if your UDID is in that batch, though the hackers say that they have millions more. Apple has sold over 350M iOS devices to date, each one with its own static UDID. There is really no reason why this ID should not be able to be reset by the user in one fashion or another, so it’s unclear why it even continues to exist, much less be offered to developers to use. There is no inherent danger in your information being out there, even your UDID. But there are some possibilities for malicious use and information gathering.
What is for sure is that using the UDID is getting risky in this age of information overload. Apple plans to ban the use of it in iOS 6, but it really needs to just get rid of it once and for all and offer a less permanent alternative.
Still, the question remains: if Apple didn’t give the FBI these UDIDs, then where did they come from? The most likely answer is an app or network of apps, but which?