Relying on MAC addresses for UDIDs is a mistake
Posted by Jeff Seibert on Mar 30, 2012 in Featured, SecureUDID, Technology
Today saw the introduction of another UDID solution – this time, ODID by AppRedeem. We recently launched SecureUDID, our open-source solution that we’re using at Crashlytics, and we couldn’t be happier to see more innovation in this space.
Domain-Specific Is The Way to Go
We launched SecureUDID with the concept that device identifiers should be domain-specific and we strongly support solutions going in this direction. At the time of this writing, ODID wasn’t yet available for review. In reading their announcement, however, we are pleased to hear that AppRedeem also agrees with our belief that any UDID system that yields a single, global per-device identifier is a fundamentally flawed solution.
MAC addresses are not reliable
While quite clever, ODID’s hashed-MAC-address technique for generating IDs is concerning. Fundamentally, it’s predicated on the assumption that access to device MAC addresses is reliable and will continue to be permitted (and therefore continue to be available for abuse by others). We evaluated this while designing SecureUDID and we don’t believe this to be a safe assumption at this time. Additionally, on many devices, using MAC addresses will not work at all. For example, China Unicom iPhones shipped before August 2010 do not have MAC addresses, rendering the technique useless on many devices. SecureUDID does not rely on MAC addresses.
We’re looking forward to working with AppRedeem and the larger community to establish a developer standard for uniquely identifying devices while respecting user privacy.
For more information about SecureUDID and to download and integrate it into your application, visit http://www.SecureUDID.org.
