Comments on: UDID is now UDIDon’t

By: markerrett

markerrett — Fri, 30 Mar 2012 20:31:04 +0000

@PaulHaddad yes seeing it’s being depreciated anyway, is just a good idea to get rid of it if your ready.

Seems a lot of reporting is hysteria, making developers panic and rush changes they don’t need. Hopefully not many people will break their apps because of this.

By: Paul Haddad

Paul Haddad — Fri, 30 Mar 2012 15:32:54 +0000

@Dave @markerrett asking for permission may be enough, its not 100% clear to me since Apple hasn’t come out and stated the exact details of this new policy.

That being said for us it was easier and much safer to just nuke it, we don’t need it for most normal uses of the app and it’s easier than risking another rejection.

By: markerrett

markerrett — Fri, 30 Mar 2012 15:06:14 +0000

I agree with @David at the top that all you need to do is ask for permission. I’d call this the fallout from the Path app uploading data without user permission.

The company I work for all had 5 apps approved this week, all with UDID tracking through an ad service in and no rejections.

By: Gregz0r

Gregz0r — Fri, 30 Mar 2012 11:08:15 +0000

Thank you for superb explanation. This another reason why I love you guys and your stellar work.

By: network setup new york

network setup new york — Fri, 30 Mar 2012 08:00:40 +0000

A very detailed and apt explanation for the topic. This post just opens up a lot of hidden layers. Thank you for the information.

By: dave

dave — Fri, 30 Mar 2012 05:55:43 +0000

Well, you could keep using it, simply by asking if the user if they wanted to send the UDID to your server to restore their push notification settings….

By: robinhood

robinhood — Fri, 30 Mar 2012 05:33:42 +0000

Thanks for the sharing this information….

By: Andrew

Andrew — Fri, 30 Mar 2012 01:57:56 +0000

In one of my apps, I use the UDID in a URL when the app requests some data updates from my server. I just use it to tell whether I have thousands of users using the app occasionally, or a hundred using it constantly.

I would have hashed the UDID first, but Apple requires extra process for apps that use encryption (which hashing qualifies as a form of, according to the docs I could find). I’m not tying the UDID back to anyone else’s database, so my purposes are entirely benign.

Yes, I use SSL, though the argument that someone nefarious could sniff the UDID over the air and accomplish some dastardly deeds is unconvincing.

By: Lee

Lee — Thu, 29 Mar 2012 23:56:18 +0000

Even over HTTP/SSL, it still makes sense that they rejected you. Having the UDID in any form of plain text is not good. A hashed version (even if just by itself) is substantially better/safer than the approach taken here. This was the case before grabbing UDID was depreciated, and even moreso now.

The fact that Apple was able to pull the clear text URL (inclusive of the UDID) shows the risks with the approach taken.

By: Bartimaeus

Bartimaeus — Thu, 29 Mar 2012 23:43:14 +0000

’cause no one’s said it yet:

Oh no UDIDn’t!